During the summer the accounting department at Edmonton’s Grant McEwan University received an email request from a local construction firm it deals with to change the bank account the institution had to send money to.
Over several weeks three university employees communicated with the firm and finalized the details of the change before sending three payments totaling $11.8 million.
A few days later the real construction firm called, wondering where its money was.
The staff who handled the transaction must have been astonished, because the emails they received looked authentic: they even carried the construction firm’s logo.
But as outlined by Maclean’s Magazine, the emails were phony. Instead, the money was whisked to a financial institution in Montreal, then to Asia. Accounts have been frozen and litigation has been started. The university hopes it can get most of the money back.
This is International Fraud Awareness Week, a time to remind senior executives and those in organizations responsible for handling large sums of money that email and telephones are – still – not trusted means of communications, particularly when changes in procedure are asked for.
A 2016 survey by the Association of Certified Fraud Examiners estimated the median loss of all types of fraud in Canada was $156,000.
Now more than ever chief financial officers and chief information security officers have to demand documented business controls for the transfer of large sums of money – whatever the definition of “large” is in the organization.
That means drilling into staff that phoning a person listed in an email is NOT an approved way of verifying a change in normal business transactions – the phone number may be phony. There should be an office list of approved contacts and only their numbers should be used.
In some cases organizations are going further and demanding a video conference with a person to confirm a change in procedure.
Unlike planting malware through a phishing or SQL injection attack, business fraud involves a lot of planning. There’s a wide range of cyber-related methods:
–Most common is the so-called business executive fraud, where an email purporting to be from the CEO or CFO asks a staffer or executive to transfer money. Often the request is time-sensitive – perhaps late on a Friday. To put pressure on the staffer, the request says something like the firm has a new client or a new project, and the money has to be sent to secure the contract.
Terry Cutler, vice-president of cyber security at Montreal’s Sirco Group, which investigates computer crime, recalls an incident where an email supposedly from a CEO that looked “very legit” asked the CFO to wire over $200,000 to an account for a special project.
To add even more legitimacy the criminal phoned the CFO from a number that was spoofed to look like the chief executive’s on the call display. Fortunately, when the CFO clicked on the email to reply the return email address wasn’t a corporate address but one from Gmail. That raised suspicion.
–Non-financial fraud is increasing, says Kevvie Fowler, a partner at Deloitte Canada’s cyber risk services. This involves an alleged senior official telephoning someone in the human resources department asking to be sent sensitive personnel data because he/she has a computer problem.
“Executive business fraud for non-financial benefits is definitely increasing, and a lot of times they’re targeting personal information,” Fowler said.
–Password changes. Cutler tells of a recent incident in which an executive received an email message supposedly from his bank with an attachment, that requested he login to the account to update his information. When he put in his credentials he was also asked for his two-factor verification number.
The attachment had malware that captured the credentials.
“Within minutes the hacker had logged into the real bank and transferred $448,000 from his bank account to an account in Mexico,” said Cutler.
The bank is refusing to cover the loss, saying the customer was at fault.
–Third party fraud. Both Cutler and Fowler say this attack, committed unwittingly through third-party suppliers, is growing. A targeted supplier is hacked, and the attacker gains access – either through email or corporate records – to invoices for a customer. The attacker then changes the account to which the customer is to send money. The supplier may also be emailed by the “customer” saying that its account number has changed.
“We’re seeing this within a lot of large organizations,” said Fowler. “People are thinking of (looking out for) wire transfers, and don’t think that fraud can be perpetrated by payment of invoices.”
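The controls described above (an approved contact list whose numbers are the only ones used for callbacks, suspicion of a reply address that leaves the vendor’s domain as in the CFO incident, and independent verification of any bank-detail change arriving through a supplier or customer) can be written down as a checklist that a payments system enforces before a change takes effect. The following is an added example, not code from the article or from any of the organizations it mentions; the vendor domain, phone number, account identifiers and the dual-approval threshold are constructed placeholders.

```python
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed directory of approved vendor contacts. In practice this comes
# from the finance system of record; nothing in it is ever taken from an email.
APPROVED_CONTACTS = {
    "acme-construction.example": {          # hypothetical vendor domain
        "phone": "+1-780-555-0100",          # constructed placeholder number
        "bank_account": "CA-EXAMPLE-0001",   # constructed account on record
    },
}

# Hypothetical threshold above which two separate approvers must sign off.
DUAL_APPROVAL_THRESHOLD = 50_000.00


@dataclass
class ChangeRequest:
    """A request to change where a vendor's payments are sent."""
    from_addr: str        # From: header as displayed
    reply_to: str         # Reply-To: header, or From: if absent
    vendor_domain: str    # vendor whose payment details would change
    new_account: str
    amount: float         # value of the payments that would follow
    callback_number: str  # number the staffer dialled to confirm
    approvers: tuple      # staff who signed off


def domain_of(addr: str) -> str:
    """Extract the bare domain from an address like 'AP <ap@x.example>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def review_change_request(req: ChangeRequest) -> list:
    """Return the control failures for a bank-detail change; an empty list means it may proceed."""
    findings = []
    vendor = APPROVED_CONTACTS.get(req.vendor_domain)
    if vendor is None:
        return ["UNKNOWN_VENDOR"]
    # A spoofed From: header can pass this check, which is what DMARC/SPF/DKIM
    # exist for; the out-of-band checks below are the ones that actually gate the change.
    if domain_of(req.from_addr) != req.vendor_domain:
        findings.append("FROM_DOMAIN_MISMATCH")
    # The tell from the CFO incident: replies would leave the vendor's domain for webmail.
    if domain_of(req.reply_to) != req.vendor_domain:
        findings.append("REPLY_TO_DOMAIN_MISMATCH")
    # Phoning a number printed in the email proves nothing; only the directory number counts.
    if req.callback_number != vendor["phone"]:
        findings.append("CALLBACK_NOT_TO_DIRECTORY_NUMBER")
    # Above the threshold, one person acting alone cannot redirect payments.
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        findings.append("DUAL_APPROVAL_MISSING")
    return findings


if __name__ == "__main__":
    # Constructed phony request: the displayed From: looks right, but replies go to
    # webmail, the "confirmation" call went to the number in the email, and one person approved.
    phony = ChangeRequest(
        from_addr="Accounts <ap@acme-construction.example>",
        reply_to="Accounts <acme.accounts@gmail.com>",
        vendor_domain="acme-construction.example",
        new_account="CA-EXAMPLE-9999",
        amount=3_900_000.00,
        callback_number="+1-780-555-0199",
        approvers=("A. Lee",),
    )
    for finding in review_change_request(phony):
        print("BLOCK:", finding)
```

The point of returning a list rather than a yes/no is that every failed control gets logged and reviewed; a request that only trips the reply-to check is still blocked, but the record of which checks failed is what an investigator and an auditor later need.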
– “Card-not-present” or counterfeit credit card frauds, where a supposedly legitimate credit card number is given by email, or by phone, for an online purchase.
The Canadian Anti-Fraud Centre says the airline industry, pharmaceutical companies, gaming industry and telecom providers are the largest victims of this fraud. “In most instances, scammers buy tickets using stolen credit cards and sell the product for a cheaper price for profit. Not only do the merchants lose the product sold, they are often required to pay back the funds to the financial institutions.”
Much of this fraud can be prevented through strict procedures followed by staff. Sometimes this may involve calling a customer to verify a transaction number before shipping product, the centre says. It also warns firms to be wary of orders requesting urgent shipments of fraud-prone merchandise, which may indicate a fraudulent transaction, especially if the shipping address does not match the credit card’s billing address.
Merchants should use credit card companies’ address verification services and card validation code 2 (CVC 2).
– “Virtual kidnapping.” This was in Canadian news this week with the report that three Chinese students studying here had disappeared for several days. Police suspect they may have been warned by someone to go into hiding or their family in China would be hurt.
Fowler said a typical scam would be for thugs to then call the parents in China to say their children had been kidnapped and would be hurt if they didn’t pay a ransom. With no way to contact the children, the parents assume they were indeed kidnapped.
What worries Fowler is this scam could be used against executives of any company. “Virtual kidnapping is getting much bigger,” he warned. “It could be used to get usernames or passwords or get an employee to steal data.”
The best defence is to tell senior employees to be ready for such threatening calls and to decide when it’s appropriate to call police.
Security vendor Proofpoint notes that organizations can protect themselves to some degree by authenticating their email to prevent domain spoofing through DMARC (Domain-based Message Authentication, Reporting & Conformance), SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Some of these technologies are available through email gateways.
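DMARC ties SPF and DKIM results to the domain a recipient actually sees in the From: header: a message passes only if at least one of those checks succeeded for a domain that aligns with the From: domain, and otherwise the domain owner’s published policy (none, quarantine or reject) applies. The following added example, which is not Proofpoint’s code or anything from the article, parses a published DMARC record and computes that disposition from the From: domain and the domains for which SPF and DKIM passed. The record text and domains are constructed, DNS lookups are left out, and the organizational-domain derivation is simplified to the last two labels rather than the Public Suffix List that real receivers use.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC1 record")
    # Defaults from RFC 7489: relaxed alignment for both mechanisms,
    # and subdomains inherit the main policy unless sp= says otherwise.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption; real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: str = None,
                      dkim_pass_domain: str = None) -> str:
    """Return 'pass' or the policy to apply ('none', 'quarantine', 'reject').

    spf_pass_domain is the envelope-sender domain for which SPF passed (or None);
    dkim_pass_domain is the d= domain of a DKIM signature that verified (or None).
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # Constructed record the way a domain owner would publish it at _dmarc.example.com.
    RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    # A spoofed message: From: claims example.com, but SPF only passed for the
    # attacker-controlled envelope domain and there is no DKIM signature for example.com.
    print(dmarc_disposition(RECORD, "example.com", spf_pass_domain="mail.attacker.example"))
```

Two details matter in practice. An SPF pass on its own proves nothing about the visible From: address, which is why the spoofed case above is rejected even though SPF passed; and strict DKIM alignment (adkim=s) will fail legitimate mail signed by a subdomain, so a domain owner normally starts at p=none with reporting enabled and tightens only after the aggregate reports show which senders are aligned.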
User training to spot phishing messages is also vital because email – and SMS and social media – are common vehicles for scams.
–Bitcoin transfer scams. Fowler said these involve a person getting a threatening phone call from a person purporting to be from an organization of authority and demanding payment by a Bitcoin bank machine for an alleged problem or the victim will be sued. One example might be a digital publishing house alleging the victim has been illegally downloading movies or music. This could also involve a spoofed corporate phone number appearing on call display so the call looks authentic.
Fowler says CISOs have to take a three-pronged approach to defending against fraud, which he calls Secure, Vigilance, and Resilience.
Secure: Assessing and designing prevention controls. “You want to ensure that it takes more than an email from a mobile device to have someone transfer a few hundred thousand dollars to an account that they’ve never dealt with before.”
This will include awareness training as well as a “whistle-blower” hotline where staff can alert management of suspicious behavior. “Anything that starts and keeps communications flowing is very important.”
Fraud not only relies on human failures but sometimes also system failures, he added, such as changing bank account numbers. This also means business processes have to be regularly reviewed.
Vigilance: Implementing and evaluating security, particularly watching for changes in fraud trends.
Resilience: Effectively detecting and responding to incidents. “The manner in which you respond can directly minimize the impact the organization faces. A lot of people focus on prevention; there’s not much on response. But in some cases I’ve seen firsthand where an effective response can do more than a lot of the preventative elements that have been in place.” That includes possibly calling the police and a law firm.
He didn’t give details, but if the organization moves fast enough a funds transfer or a cheque might be frozen by a bank.
Not sure if your organization is ready to catch fraud? Hiring an auditor or a penetration tester is one possible solution. Another is to go through the Association of Certified Fraud Examiners’ Fraud Examination Check-Up, which asks management to answer seven detailed questions and score the organization.