Fraud Prevention Month starts today, which reminds me of three business-related online frauds I’ve written about. Let’s take a look at them and discuss some of the similarities they share:
- Toymaker Mattel nearly lost US$3 million in 2015 when the CFO trusted an email supposedly from her boss asking her to transfer the funds to a new supplier in China. Mattel’s protocol for such large transfers called for approval to come from the CEO and the CFO. Well, the email from the CEO was one, and she being the CFO was the other, so … Fortunately, the event took place over a long weekend in China, so when the bank opened Tuesday the transfer was frozen.
- A Texas company lost US$1 million in 2019 when an assistant to the CEO thought she was following her boss’s email orders to send money to a company. But she was fooled. The email hadn’t come from her boss. The attacker read the executive’s Facebook page and learned he coached his daughter’s soccer team. The crook then hacked the executive’s email and sent a message to the assistant on a Friday asking her to look after transferring money to a firm because he was away at his daughter’s tournament. The message also told the assistant not to bother confirming the transfer had been made because the CEO trusted her to look after things;
- A Chinese venture capital company lost $1 million that was supposed to go to an Israeli startup when hackers were able to insert themselves into the email conversations of the two firms who were thousands of kilometres apart. The attackers learned through public announcements that the Chinese firm was going to invest in the Israeli company. They then hacked the email of of the companies and created two email accounts that closely mimicked the email domains of each company by adding the letter “s” to the name. Executives didn’t spot the difference. The result was the hacker could intercept messages between the two companies, change the content and send messages between them through the fake email accounts. At one point officials from both companies were to meet in Shanghai. The attacker sent an email to both firms saying they couldn’t make the meeting for different reasons. If that meeting had gone ahead the scam would likely have been exposed. The two companies only realized something was wrong when the Chinese company’s bank said something was wrong with its wire transfer, and the Israeli company realized it didn’t get its $1 million.
Security and law enforcement researchers call these and other incidents like them “business executive compromise” or “business email scams” (BEC). They have two things in common: Staff who trust email communications, and the poor business processes for dealing with financial transfers.
During Fraud Prevention Month ITWorldCanada.com will have a number of stories advising CISOs and CEOs about reducing the odds of being caught by online-enabled fraud.
Measuring fraud activity in Canada isn’t easy — and even harder to quantify the amount of digitally-related fraud — because it relies on victim reporting. The Canadian Anti-Fraud Centre estimates only five per cent of fraud is reported to the police.
Last year, the centre received 101,483 fraud reports involving nearly $160 million in reported losses. Many are consumer-related (investment, extortion, romance and job scams), while others are more business-related (extortion, impersonation, BEC, and merchandise scams, for example). BEC-related frauds come under spear-phishing, which accounted for $14.4 million in reported losses.
Jeff Thomson of the Canadian Anti-Fraud Centre noted scams not only involve messages that appear to come from executives but also fake messages from suppliers and partners, from head office to franchise owners and even from supposed employees asking for changes to banks for their direct salary deposits.
With the advent of COVID, businesses and individuals have been fooled into buying poor or undelivered personal protective equipment, for example. Some are falling for fake COVID vaccines. Because some businesses (airlines, restaurants and border officials) are asking for evidence of vaccination, criminals are increasingly offering phony proof of vaccination documents.
“This year has seen a significant increase in fraudulent activity because many organizations either moved significant portions of their business online [because of COVID], and staff had to work from home,” noted Robert Fazon, head of engineering in Canada for Check Point Software, which reported on the Chinese-Israeli fraud incident. “So there’s been a huge expansion of the area of control necessary for managing security for these organizations. That has created significant risks and challenges.”
In some cases, it has increased unauthorized access.
“Access is the source for most fraud, or things that enable fraud, that we’re seeing,” he said. “Those who are in positions of authority are finding themselves vulnerable because they are opening links and providing access to hackers, who are using it to do things like commit financial fraud or steal intellectual capital and interfere with law enforcement.”
Thomson of the Canadian Anti-Fraud Centre says the key to foiling BEC schemes is security awareness training so employees recognize signs of potentially-fraudulent emails. These signs include changes in expected sender’s addresses (email@example.com becomes firstname.lastname@example.org, for example, or email@example.com); messages arriving late on Fridays asking for money to be transferred; requests for changes to where funds should be sent; and messages saying the transfer is urgent.
The common targets
Deloitte notes that BEC schemes often target mid-level personnel who seldom communicate with the executives, attorneys, or vendors purportedly behind a transaction request. Attackers rely on employees who don’t want to approach managers to authenticate a transaction.
Another effective anti-BEC approach is to use encryption to authenticate emails between an approved source, making it difficult for a third party to interfere. Experts says administrators should also turn on features that identify internal emails by colour. That way an email from an external source, such as a threat actor, will immediately be labelled suspicious if it’s supposed to be from an executive.
Business process policies for handling money also have to be toughened. Email approvals aren’t good enough these days. Staff should also be warned not to trust instructions left by voicemail. If staff need to phone someone to verify a message, use a known phone number previously agreed to by policy, not one in an email. Using multifactor authentication to protect access to sensitive accounts is also important.
In a guide on fighting BEC fraud Proofpoint says staff should be told the following:
- Be suspicious. Asking for clarification, forwarding an email to IT, or checking with a colleague is better than wiring hundreds of thousands of dollars to a fake company in China.
- If something doesn’t feel right, it probably isn’t. Encourage employees to trust their instincts and ask “Would my CEO actually tell me to do this?” or “Why isn’t this supplier submitting an invoice through our portal?”
- Slow down. Attackers often time their campaigns around our busiest periods of the day for good reason. If a human resources manager is quickly going through emails, she is less likely to pause and consider whether a particular request is suspect.