Awareness training and governance needed to foil executive fraud scams

During a panel discussion on awareness training at the recent SC Congress security conference in Toronto two weeks ago an attendee described how an organization had been suckered for over $300,000 through the so-called business-executive scam.

The man’s client, a financial institution, had been curious why a customer hadn’t been making their regular payments for some months. The institution finally queried the customer, who said, “Well, I got your email and switched to the new account.”

Here the chuckling started.

What new account? Well, the email said there had been a system problem, so the institution had to create a new bank account for the customer to send payments to. The customer thought it was strange and looked into it, so the scammer even sent an official-looking letter with the signature of a finance official from the U.S. Securities and Exchange Commission to verify the change. (It was later discovered that the letter included cut-and-pasted SEC boilerplate paragraphs.)

The story gets better. The attacker shortly got in touch with the contact at the institution saying the money still hadn’t arrived. “Oh,” said the scammer, “sorry about that, it’s THIS bank account.”

More laughter.

“This went on for three months,” said the attendee, “and each of these payments was more than US$100,000.”

“Man, you can’t patch stupid like that,” said one person. “But,” replied panellist Jeff Stark, director of cyber security mitigation services at CIBC, “awareness training should have stopped that, because we’ve been telling people if you get something like that pick up the phone and call the institution. So awareness training failed.”

Not so, said the moderator: This was a governance problem.

Whoever’s problem it is, Canadian organizations have to do better.

What reminded me of this incident is a new blog from Trend Micro, which quotes FBI figures that over the past two years scams like this have caused at least US$2.3 billion in total losses to approximately 12,000 enterprises around the world. The average loss to an organization is US$130,000 per scam.

Executive scams often involve spoofing an executive’s email to look like an official communication. The message may include a malicious attachment, a phony invoice, or an order for a staffer to do something — transfer money to a supposedly legitimate partner or to the person named in the invoice, or send a copy of employee or customer accounts with sensitive information.

Research shows that — understandably — the targets of these scams typically are the CFO and those under them in the finance department. Most malware used in BEC schemes — which may include keyloggers — can be purchased online for $50, or is even available for free, the blog notes.

Technology alone isn’t the answer. While scanning attachments is part of the solution, along with awareness in looking for unusual requests from upper management for personal/customer information or large transfers, so is governance — rules preventing financial transfers of money without verbal confirmation and, possibly, written approval.
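The governance rule above (no change to payment details or large transfer without verbal confirmation, plus written approval by a second person) can be enforced as a simple policy check. The following is an added example, not code from the article or from CIBC or Trend Micro; the beneficiary directory, the phone numbers and the approval threshold are constructed for illustration. The check also catches the trick in the story: the callback must go to the number already on file, never to a number supplied in the email that asked for the change.

```python
"""Dual-control policy for payment-detail changes (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed threshold above which written approval is required (constructed value).
WRITTEN_APPROVAL_THRESHOLD = 50_000


@dataclass
class BeneficiaryRecord:
    name: str
    phone_on_file: str   # number verified when the relationship was set up
    account: str         # account currently on file


@dataclass
class ChangeRequest:
    beneficiary: str
    new_account: str
    amount: float
    requester: str                       # staff member who received the request
    callback_done_to: Optional[str] = None   # number staff actually phoned
    written_approver: Optional[str] = None   # second person who signed off


def evaluate(req: ChangeRequest,
             directory: Dict[str, BeneficiaryRecord]) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Every control that fails adds a reason."""
    reasons: List[str] = []
    record = directory.get(req.beneficiary)
    if record is None:
        return False, ["unknown beneficiary"]

    # Control 1: verbal confirmation, and only to the number already on file.
    if req.callback_done_to is None:
        reasons.append("no verbal confirmation: phone the number on file")
    elif req.callback_done_to != record.phone_on_file:
        reasons.append("callback went to a number not on file")

    # Control 2: written approval by a different person above the threshold.
    if req.amount >= WRITTEN_APPROVAL_THRESHOLD:
        if req.written_approver is None:
            reasons.append("written approval required above threshold")
        elif req.written_approver == req.requester:
            reasons.append("approver must be a different person than requester")

    return (not reasons), reasons


# Constructed sample directory: the customer's real contact details.
DIRECTORY = {
    "acme-customer": BeneficiaryRecord("acme-customer", "+1-555-0100", "ACC-OLD-001"),
}


def scam_scenario() -> Tuple[bool, List[str]]:
    """Email says 'system problem, pay this new account'; staff call the
    number printed in that email and nobody else signs off."""
    req = ChangeRequest("acme-customer", "ACC-NEW-999", 120_000, "clerk",
                        callback_done_to="+1-555-0199",  # number from the email
                        written_approver=None)
    return evaluate(req, DIRECTORY)


def proper_scenario() -> Tuple[bool, List[str]]:
    """Same request, but confirmed via the number on file and approved by a
    second person in writing."""
    req = ChangeRequest("acme-customer", "ACC-NEW-999", 120_000, "clerk",
                        callback_done_to="+1-555-0100",
                        written_approver="controller")
    return evaluate(req, DIRECTORY)


if __name__ == "__main__":
    print("scam request:", scam_scenario())
    print("proper request:", proper_scenario())
```

The point of keeping the callback number in the beneficiary record rather than in the request is that the attacker controls everything in the email, including any "call us to verify" number; the only trustworthy contact is the one established before the request arrived.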

That means the chief risk officer — or the equivalent — along with the CISO have to work together to meet this challenge.

Howard Solomon