Amanda Bernard, CPA, CFE, CMA, Principal
With recent news focused on business cyber security attacks and theft of credit card information, another new fraud scheme, business email compromise (BEC), has gone largely unreported. According to the FBI’s Internet Crime Complaint Center (IC3) Public Service Announcement June 14, 2016, companies internationally were exposed to losses exceeding $3 billion from October 2013 to May 2016 from criminals extracting funds using a company’s email system, with a 1,300% increase in such attempts since January 2015.
One method of BEC, executive impersonation, or “CEO fraud”, is accomplished by a criminal creating a fake email purportedly from a high-ranking executive or a key familiar vendor. The email will closely resemble the company’s own email and will request the recipient, usually a mid- or lower-level employee with access to the company bank account, wire company funds. The request is marked as urgent to encourage the recipient to bypass normal controls by wiring the funds without further verification or approval.
In order for executive impersonation fraud to succeed, the criminal must obtain a significant amount of information about the victim company before attempting the crime. The criminal will research social media, the business press and other resources to obtain information about the company’s culture and the personality of the target executive. Public documents written by the executive are used to replicate and incorporate frequently used phrases, words and language in the fake email. Hackers will break into the company’s email system to identify the typical pattern of payment requests and acceptable amounts. The more authentic and credible the email appears, the more likely the scheme will succeed.
Key Characteristics of an Impersonation Email:
· Request is from a senior executive or a key vendor/ supplier.
· Email address is similar to the supposed sender’s real email address, with very subtle differences (i.e. CEO@realcompayn.com).
· Includes an element of urgency
· Refers to other employees by name for credibility.
· Payments are payable to a foreign bank.
· The phrases “code to admin expenses” or “urgent wire transfer” are reportedly used.
· The payment amount is within the normal range of company transactions in order to not arouse suspicion.
· Request may occur when the executive is traveling and cannot be contacted.
The IC3 suggests the following measures to help protect you and your business from becoming victims of BEC scams:
· Avoid free web-based email systems. Establish a company web site domain.
· Be careful what is posted to social media and company websites, especially job duties and responsibilities, hierarchal information and out of office details.
· Be suspicious of requests for secrecy or pressure to take action quickly.
· Consider additional security procedures and 2-step verification processes such as:
o Out of band communication – establish other communication channels such as telephone calls, to verify significant wire transfer requests initiated by email.
o Use digital signatures when possible.
o Delete spam – immediately delete unsolicited email from unknown parties. Do not click on links in the email or open attachments. These often contain malware that will give the criminals access to your computer or company server.
o Do not use the “reply” button to respond to business e-mails. Instead, use the “forward” option and type in the correct e-mail or select it from your address book to ensure the intended recipient’s correct email address is used.
· Be aware of significant and sudden changes to business practices, for example, if a business contact suddenly asks to be contacted via their personal e-mail address when all previous correspondence has been on a company e-mail. Always verify via other channels you are still communicating with your legitimate business partner.
Employee awareness is the most important deterrent and training is crucial. Companies should discuss the characteristics of these schemes and the potential consequences with employees in all departments, especially those involved in processing outgoing payments.
Sources:
https://www.ic3.gov/media/2016/160614.aspx
http://www.aicpa.org/interestareas/forensicandvaluation/resources/fraudpreventiondetectionresponse/downloadabledocuments/fvs-eye-on-fraud-newsletter-summer-2016.pdf
http://krebsonsecurity.com/2015/03/spoofing-the-boss-turns-thieves-a-tidy-profit/
