During a panel discussion on awareness training at the recent SC Congress security conference in Toronto two weeks ago an attendee described how an organization had been suckered for over $300,000 through the so-called business-executive scam.
The man’s client, a financial institution, had been curious why a customer hadn’t been making regular payments for some months. The institution finally queried the customer, who said, “Well, I got your email and switched to the new account.”
Here the chuckling started.
What new account? Well, the email said there had been a system problem, so the institution had to create a new bank account for the customer to send payments to. The customer thought it was strange and looked into it, so the scammer even sent an official-looking letter with the signature of a finance official from the U.S. Securities and Exchange Commission to verify the change. (It was later discovered that the letter included cut-and-pasted SEC boilerplate paragraphs.)
The story gets better. The attacker shortly got in touch with the contact at the institution saying the money still hadn’t arrived. “Oh,” said the scammer, “sorry about that, it’s THIS bank account.”
“This went on for three months,” said the attendee, “and each of these payments was more than US$100,000.”
“Man, you can’t patch stupid like that,” said one person. “But,” replied panellist Jeff Stark, director of cyber security mitigation services at CIBC, “awareness training should have stopped that, because we’ve been telling people if you get something like that pick up the phone and call the institution. So awareness training failed.”
Not so, said the moderator: This was a governance problem.
Whoever’s problem it is, Canadian organizations have to do better.
What reminded me of this incident is a new blog from Trend Micro, which quotes FBI figures that over the past two years scams like this have caused at least US$2.3 billion in total losses to approximately 12,000 enterprises around the world. The average loss to an organization is US$130,000 per scam.
Executive scams often involve spoofing an executive’s email to look like an official communication. The message may include a malicious attachment or a phony invoice, or an order for a staffer to do something — transfer money to a supposedly legitimate partner or to the person named in the invoice, or send a copy of employee or customer accounts with sensitive information.
Research shows that — understandably — the targets of these scams typically are the CFO and those under them in the finance department. Most malware used in BEC schemes — which may include keyloggers — can be purchased online for $50, or even obtained for free, the blog notes.
Technology alone isn’t the answer. While scanning attachments is part of the solution, along with awareness in looking for unusual requests from upper management for personal/customer information or large transfers, so is governance — rules preventing transfers of money without verbal confirmation and, possibly, written approval.
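To make the “spoofed executive email” and “unusual request” traits above concrete, here is an added example (not from the original post or from Trend Micro) of the kind of heuristic screening a mail gateway or SOC script can apply before a finance mailbox ever sees the message. The executive roster, the company domain `example-bank.test`, the phrase list and the two sample messages are all constructed for illustration; the thresholds are assumptions to be tuned in a real environment.

```python
"""Heuristic screening of inbound mail for executive-impersonation (BEC) traits.

Added example, not code from the original post. The executive roster, the
company domain, the phrase list and the sample messages are constructed.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-bank.test"                 # assumed internal domain
EXECUTIVES = {"jane doe": "CFO", "john roe": "CEO"}  # constructed roster

# Wording typical of payment-diversion requests; tune for your environment.
CHANGE_PHRASES = ("new account", "updated banking", "wire",
                  "switch payments", "system problem", "do not call")


def domain_similarity(a: str, b: str) -> float:
    """Crude look-alike score (0..1) between two domain names."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def screen_message(raw: str) -> list[str]:
    """Return the reasons a raw RFC 822 message looks like executive impersonation.

    An empty list means none of the heuristics fired.
    """
    msg = message_from_string(raw)
    reasons = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name_key = display.strip().lower()

    # 1. A known executive's display name, but the address is not on our domain.
    if name_key in EXECUTIVES and sender_domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{display}' ({EXECUTIVES[name_key]}) "
                       f"from external domain {sender_domain}")

    # 2. Look-alike domain: close to ours but not identical (assumed threshold).
    if (sender_domain and sender_domain != COMPANY_DOMAIN
            and domain_similarity(sender_domain, COMPANY_DOMAIN) > 0.85):
        reasons.append(f"look-alike sender domain {sender_domain}")

    # 3. Reply-To steering replies somewhere other than the From address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {addr}")

    # 4. Payment-redirection language in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + str(body)).lower()
    hits = [p for p in CHANGE_PHRASES if p in text]
    if hits:
        reasons.append("payment-change language: " + ", ".join(hits))

    return reasons


# Constructed sample: impersonates the CFO from a typo-squatted domain.
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@examp1e-bank.test>
Reply-To: accounts@payments-mail.test
To: ap@example-bank.test
Subject: Updated banking details

Due to a system problem we have created a new account for your payments.
Please switch payments to the account below and do not call, I am in meetings.
"""

# Constructed sample: ordinary internal mail from the same executive.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-bank.test>
To: ap@example-bank.test
Subject: Q3 budget review

Please send me the Q3 variance report before Friday.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, screen_message(sample) or ["no findings"])
```

None of these checks replaces the governance rule the panel argued for: a flagged message should route the request to a human who confirms any change of payee by calling a number already on file, never one supplied in the email. The heuristics simply make sure that message arrives with a warning attached.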
That means the chief risk officer — or the equivalent — along with the CISO have to work together to meet this challenge.