“Please wire $70,000 to the account below.” If your staff got these instructions from “you” via email, would they do it? Would they confirm in person with you first? What policies, procedures and systems do you have in place to prevent such an action when the “you” is not you?
You may believe that this compromise could never happen to your organization but many companies have fallen victim to Business Email Compromise (BEC). That is when an attacker has taken over a senior executive’s email account and can send emails as an authorized, legitimate employee.
The FBI reports that businesses have lost more than $2.3 billion between October 2013 and February 2016 from thousands of businesses via Business Email Compromise. Since last year, the FBI has seen a tremendous increase in both victims and loss.
$17.2 million of that money was lost in a single transaction, when Scoular Company CEO’s email was hacked and employees thought he had told them to wire the $17.2 million to China. Even though Scoular is a sophisticated commodity trader ranked as one of the top 100 privately held companies in the US, they didn’t have the controls in place to prevent a massive fraud. If organizations that size can be compromised, what about your organization?
It is not just financial services firms that have been hit. High tech, manufacturing, real estate and many other industries have been attacked as well. Fraudsters target senior leaders within the company such as the CEO and CFO. They obtain the login credentials to their email account and then the attack begins. Many fraudsters will delete the sent emails to help cover their tracks so that the executive doesn’t know that his or her email has been compromised. The amount of money may be in the tens of thousands, hundreds of thousands or in some cases millions.
What can you do about it?
There are several steps to significantly improve the security posture of your organization. Some involve training and setting policies while others include technological improvements.
- Training. The most obvious measure is to train your accounting and finance staff to be on the look out for unusual requests in email and to confirm transactions via a phone call or another non-email method.
- Policies. Your organization should have policies covering wire or ACH transfers. Some examples of policies are below.
- New payee – confirm via telephone call for all new payees.
- International transfer – confirm via telephone call for all international transfers.
- Amounts over a certain threshold – confirm via telephone call for all transactions over a certain amount.
- Dual control approval – all transactions require an originator and approver.
- Technology. There are many technical controls that your organization can implement to improve the security posture
- Multi-factor authentication for remote access. Use a second factor of authentication such as a one-time-password for authenticating remotely. This helps to protect your email and other systems from unauthorized remote access.
- Technical controls to streamline policy decisions. A telephone call may not be practical in all cases especially for organizations that regularly add many payees, do significant international business and/or regularly perform high value transactions. For these organizations systematic policy enforcement with automation can help to both speed business transactions while significantly increasing the security of organization.
Business Email Compromise can be scary. Unauthorized personnel acting with the authority of a senior executive can do significant damage. Organizations that have plans in place to combat Business Email Compromise will reduce their risk without slowing down their business operations. For help with preventing Business Email Compromise please contact us here at Fractional CISO.