The finance department of every organization in the world — commercial, non-profit, government — must have business rules for dealing with partners who ask for changes in bank deposit or transfer procedures.
That’s the lesson from several years of organizations being victimized by what is formally known as business email compromise fraud, where a criminal tricks managers into sending a regular payment to a different bank account. The money then disappears.
The city of Saskatoon is the latest to be hit by the scam. On Thursday the municipality called an urgent press conference to reveal staff had been conned out of $1.04 million by someone impersonating the chief financial officer of a prominent construction company. The fraudster asked staff to change the bank where a payment should go.
While the city has policies, “clearly, the control that was used wasn’t strong enough to prevent (the fraud),” city manager Jeff Jorgenson told reporters. “What I would say is internal and external staff who are experts in this area are reviewing all financial processes and controls in this area.”
Details of how the scam was accomplished weren’t available, although Saskatoon’s mayor described it as identity theft and the Canadian Press news agency said it was an electronic impersonation. Typically this type of scam works in one of two ways. In the first, the fraudster spoofs or hacks the email of the organization being impersonated (in this case the construction company) and may send several messages to the victim to establish a rapport before asking for the transfer change. In the second, the con artist hacks the email of the victim organization itself and poses as a senior official to tell a junior staffer to change a bank transfer procedure.
Often the scam involves a regular payment. Victim organizations may only realize they’ve been had when a company they deal with phones to ask something like, “Where’s our monthly deposit?”
Jorgenson said the plot began several weeks ago. The city only became aware it had been stung on Monday.
Among Canadian cities, Ottawa and Burlington, Ont. have recently been victimized. In April, Ottawa’s auditor released a report into how the city had been hit for over $100,000 last year. City treasurer Marian Simulik received what she thought was an email from city manager Steve Kanellakos, asking her to transfer US$97,797.20 to the bank account of a U.S.-based firm for a purchase the city had allegedly made.
“I want you to take care of this for me personally,” the message said in part. “An announcement is currently being drafted and will be announced next week, once the deal has been executed, for now I don’t want to go into any more details. Until we are in a position to formally announce the acquisition I do not want you discussing it with anybody in the office, any question please email me. Can you confirm if international wire transfer can go out this morning?”
Fortunately, the person who got the money transferred it to a bank account that was being watched by the U.S. Secret Service, which later seized US$88,000.
The auditor’s report noted the city has anti-fraud procedures that would have prevented this incident, but they weren’t followed.
In June the city of Burlington revealed it had been hit for $503,000 by a person posing as a “trusted vendor” requesting a change in the bank account to which the municipality normally transferred money.
Criminals will use any tool to help make the scam work, including researching a victim’s lifestyle on social media. At the RSA security conference earlier this year one speaker outlined how a company had been victimized for over $1 million. In that case the criminal learned that the CEO of the company coached his daughter’s softball team. The fraudster hacked the CEO’s email and sent a message to his assistant on a Friday asking her to transfer the money to a changed account. He asked her to look after it because the CEO was tied up over the weekend at a softball tournament, which was true.
In addition to having business rules for verifying instructions to change regular banking procedures (and this applies not only to customers and partners but also to employees), IT should look into the email authentication protocols SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance). Together they let a receiving mail server verify that a message claiming to come from your domain was sent by an authorized server and carries a valid signature, and tell it to reject or quarantine mail that fails. That removes the easiest form of the attack, a plain spoof of the sender address. It is not a complete fix: DMARC only blocks spoofing when the domain publishes an enforcing policy (p=quarantine or p=reject) and the receiving server actually checks it, it does nothing against a message sent from a genuinely compromised account (the second scenario above), and it does not cover a lookalike domain the fraudster registers for the purpose.
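A practical first step is to look at what your own domain and your key partners’ domains actually publish. The following is an added example written for this article, not code from the article or from any of the organizations mentioned. It parses SPF and DMARC TXT records and flags the settings that leave a domain spoofable: a missing record, an SPF record that does not end in -all, or a DMARC policy of p=none, which only reports and never blocks. The domain names and records are constructed samples (the .example names are not real DNS data), and DKIM is not assessed because its public key lives under a selector name the sender chooses, which cannot be discovered from the domain alone.

```python
import re

# Constructed sample TXT records (not real DNS data), keyed by the name a
# receiving server would query: the domain apex for SPF, _dmarc.<domain> for DMARC.
SAMPLE_DNS = {
    "weak.example": "v=spf1 include:_spf.mailhost.example ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    "strong.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_dmarc.strong.example": (
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:reports@strong.example"
    ),
    "nodmarc.example": "v=spf1 ip4:198.51.100.5 -all",
}


def lookup_txt(name, dns=SAMPLE_DNS):
    """Stand-in for a DNS TXT query; returns the record string or None."""
    return dns.get(name)


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism: '+', '-', '~', '?' or None.

    Per RFC 7208 a mechanism with no explicit qualifier means '+' (pass),
    so 'v=spf1 ... all' lets any host on the internet pass SPF."""
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record)
    if not m:
        return None
    return m.group(1) or "+"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, dns=SAMPLE_DNS):
    """Report whether a domain's published SPF/DMARC would stop a plain spoof."""
    findings = []

    spf = lookup_txt(domain, dns)
    spf_all = None
    if spf is None or not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record: receivers cannot tell which hosts may send for this domain")
    else:
        spf_all = spf_all_qualifier(spf)
        if spf_all in ("+", "?", None):
            findings.append("SPF does not fail unknown senders (no -all or ~all): any host passes")
        elif spf_all == "~":
            findings.append("SPF softfail (~all): most receivers still deliver; rely on the DMARC policy")

    dmarc_raw = lookup_txt("_dmarc." + domain, dns)
    policy = None
    pct = 100
    if dmarc_raw is None or not dmarc_raw.upper().startswith("V=DMARC1"):
        findings.append("no DMARC record: SPF/DKIM results are never tied to the visible From: address")
    else:
        tags = parse_dmarc(dmarc_raw)
        policy = tags.get("p", "").lower() or None
        pct = int(tags.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
        if pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: nobody receives reports of spoofing attempts")

    # Only a quarantine/reject policy applied to all mail actually blocks a spoof.
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"domain": domain, "spf_all": spf_all, "dmarc_policy": policy,
            "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for name in ("weak.example", "strong.example", "nodmarc.example"):
        result = assess_domain(name)
        print(f"{name}: enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print("  -", finding)
```

To run this against real domains, replace `lookup_txt` with an actual TXT query (for instance dnspython’s `dns.resolver.resolve(name, "TXT")`, joining the returned strings). The distinction the script draws is the one that matters operationally: a domain with SPF and a DMARC record at p=none looks “configured” on paper but a receiving server will still deliver a forged message from it, so the finance team’s verification rule remains the control that actually stops the transfer.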
If they can, email administrators should configure the mail system so that internally generated messages are easily distinguishable from mail that comes from outside, for example by colour-coding or tagging. (If internal mail is always shown in red text, a message a fraudster has spoofed from outside would lack the marking and be recognized immediately.)
Security awareness training is vital. Teach staff not to click on unexpected attachments and links, and to watch for the warning signs of a scam: messages late on a Friday asking for money to be transferred, messages saying the transfer is urgent or must be kept quiet, and any request to change where a payment goes.
No email account can be made impossible to hack, but strong passwords and multi-factor authentication make account takeover far harder, and they should be mandatory on every mailbox that can request or approve a payment.