CEO fraud, Business Email Compromise, even Bogus Boss attacks; whatever you choose to call them, they’re on the rise, and represent a huge threat to organizations around the world. For those of you unfamiliar with the phenomenon, it is a form of social engineering in which fraudsters target a business with phishing attacks aimed at persuading them to make large money transfers to fake bank accounts.
They tend to take three main forms, with the attackers pretending to be:
the company boss, who instructs staff to make a wire transfer
a bank’s IT department, making contact to set up a test transfer – which actually goes through
a supplier chasing outstanding invoices
The attacks can take advantage of multiple platforms – Etna Industrie in France were incredibly lucky to escape being stung for €500,000 in an attack that targeted their accountant across email and phone calls. Had they been even slightly less fortunate it could have ended the 75-year-old business.
That’s clearly serious in one instance, but how wide-scale is the threat? According to the FBI, CEO fraud has increased by an incredible 270% since January 2015, costing businesses globally at least $3bn in the last three years. In fact, it is hardly surprising that these attacks are increasingly focused on organizations. As Orla Cox, director of security response at Symantec, suggests: "Criminals have realized that hitting businesses rather than individuals can mean much bigger wins."
IC3, the FBI’s internet crime center, estimates 7,000 companies in the US have fallen foul of BECs over the last two years, to the tune of $740 million. But of course, with companies generally and understandably unwilling to admit they’ve been caught out, that number could be wildly optimistic. An Austrian aerospace manufacturer recently lost €40 million to just this kind of fraud – resulting in, amongst other outcomes, the president and CFO being fired.
It’s hard to argue with Jerome Robert from the French cybersecurity company Lexsi when he says: "It will spread because it's too good to be ignored… [they] can make so much money in a very small amount of time, with minimal risk."
There’s also an even darker side to this type of fraud, with the EU's law enforcement intelligence agency, Europol, suggesting that the proceeds are being used to support child exploitation and terrorism.
With such an overwhelming case for combating such fraud, then, what are the potential remedies? How do you protect your business’s finances, employees and reputation? There is plenty of talk of complicated fraud detection technologies that monitor transactions, bank accounts, wire patterns and so on. They do of course have their place, but it’s all quite high-tech, expensive, and rather misses the point – isn’t it better to eliminate the threat upstream rather than rush to deal with the consequences downstream?
At the heart of the relatively lo-fi threat that is CEO fraud is a very simple vulnerability: authentication. If you can validate that the person you’re talking to is who they say they are, this whole issue goes away. By using a secure messaging platform offering military-grade encryption and authentication, organizations can not only negate the risk of falling for this kind of fraud, but also protect themselves from numerous other threats and make their existing processes more streamlined and efficient.
CSG’s Cellcrypt and Seecrypt offer organizations a secure platform and channel they can trust – any contact from your CEO is authenticated, and there’s no chance of being hacked. This isn’t just within the organization – it is easily rolled out to include clients and vendors. For example, if the bank IT department wants to run a test, they can simply make contact through the trusted secure messaging platform. Communications across less secure means such as email or even post can be validated through the apps, enhancing security across the board. Additionally, by using a secure platform to communicate in general, businesses make themselves less of a target to such fraudsters in the first place, as it is that much more difficult for them to find vulnerabilities through which to access information.
In fact, the FBI has stated that such scams work best against firms that deal with a lot of foreign suppliers, for whom wire transfers are the norm. Because they use VoIP, both Cellcrypt and Seecrypt can significantly reduce the cost of overseas calling, alongside nullifying the threat of fraud.
Which brings us back to our original question – what’s in a name? We could refer to them as BEC, or myriad other catchy TLAs (Three Letter Acronyms), but perhaps the one that seems to be sticking is the most accurate. When such an attack is successful, any finance officer involved will be lucky to survive the fallout. But ultimately, where will the buck stop – perhaps it’s being called CEO fraud for a good reason?
Harvey Boulter, Chairman, Communication Security Group