Spotlight on security: the inconvenient truth about CEO-impersonation fraud
Reported incidents of CEO fraud or business email compromise (BEC) scams are so bizarre that most people think they are urban myths, told by security specialists to spice up their business and catch the attention of board-level executives. Sadly, these “April Fools’ Day” story lines have the opposite effect on C-level management: they are dismissed rather than taken seriously. Let’s take a look at a recent €19.2 million CEO-fraud case and put BEC scams in a cyber-crime perspective to see whether you still think “it won’t happen to me”.
CEO impersonation fraud: what would you do – truth or dare?
CEO impersonation fraud (CEO fraud for short) uses a spoofed email, supposedly from the company CEO, usually asking for a last-minute money transfer for an important and urgent business case. The target and time of engagement are always chosen carefully. The target is usually a person lower in the hierarchy who has access to money-wire systems. The chosen time is often outside normal office hours, which gives the supposed CEO a pretext to shortcut existing procedures and leaves the target on his/her own (no higher-level management available to ask for clearance). The scammers often use a mix of different social engineering tactics to maximize the pressure on the target.
The scam starts with the surprise element, an email from the CEO. Next the CEO charms the target by addressing him or her by first name, and surprisingly knowing some personal details of the target (further referred to as “the victim”). After some small talk, the CEO lets the victim confirm that he or she has access to the IT systems necessary to complete a last-minute money transfer. Then the CEO (having “befriended” the victim) asks for a money transfer for an important business opportunity. This puts the victim in a dilemma: breach the procedures, or deny the CEO a favour?
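The spoofed “email from the CEO” described above leaves traces in the message headers that a mail gateway or SOC can check before the pressure tactics reach the victim. The following is an added example, not code from the original post: it scores a constructed BEC-style message and a constructed benign one against three heuristics (executive display name from a non-company domain, Reply-To pointing elsewhere, and the urgency/secrecy wording the scam relies on). The executive roster, company domain and sample messages are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a CEO-impersonation message sent from a lookalike
# domain, with replies steered to a free mailbox and heavy time pressure.
SAMPLE_EML = """\
From: "Jane Doe (CEO)" <jane.doe@example-corp.co>
Reply-To: jdoe.ceo@freemail.example
To: bob@example-corp.com
Subject: Urgent confidential transfer - need this done tonight

Bob, are you able to access the payment system right now? I need a
wire sent before end of day for a confidential acquisition. Keep this
between us for now.
"""

# Constructed sample: a legitimate internal message from the same executive.
BENIGN_EML = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: bob@example-corp.com
Subject: Q4 planning meeting

Bob, please send me the agenda for Thursday.
"""

EXECUTIVES = {"jane doe"}            # hypothetical executive roster
COMPANY_DOMAIN = "example-corp.com"  # hypothetical legitimate mail domain
PRESSURE_WORDS = ("urgent", "confidential", "end of day", "tonight",
                  "keep this between us")

def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess_message(raw):
    """Return a list of BEC indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # Strip titles such as "(CEO)" before matching against the roster.
    norm = re.sub(r"\(.*?\)", "", name).strip().lower()
    if norm in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        findings.append("executive display name from non-company domain")
    if reply and domain_of(reply) != domain_of(addr):
        findings.append("Reply-To domain differs from From domain")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))
    return findings
```

A message with two or more findings is a candidate for quarantine or for routing the wire request through the out-of-band confirmation step discussed at the end of this post.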
Latest CEO fraud incident: 19.2 million loss – truth or scare?
The online magazine Celluloid Junkie posted details of the €19.2 million loss of a Dutch cinema chain, a branch of the French Pathé company, one of the largest film producers and distributors in the world. This CEO-fraud incident targeted the Dutch CEO and Managing Director. The CEO fraud started with an announcement of the strategic acquisition of a foreign company in Dubai. This was a typical charm-and-trust tactic (being included in something important by the French CEO). The Dutch CEO forwarded the emails to the CFO, who responded that this was a curious process, but did not dare to block it.
After a series of payments, the cash balance of the Dutch branch was insufficient, so the Dutch CEO and CFO used the corporate cash pool to transfer additional money to the cyber criminals. This of course alarmed the French HQ, who asked the Dutch branch what they needed that money for. The surprised Dutch CEO answered “for a secret acquisition our CEO emailed me about”. Of course, this secret acquisition was non-existent, and the unfortunate Dutch CEO and CFO were both fired. The worrying truth is that this CEO fraud resulted in a whopping 19.2 million euro loss.
Business email compromise: a blast from the past or a growing concern?
In 2015 the US-based money transfer company XOOM reported a business email scam that tricked its finance department into wiring 30.8 million dollars to cybercriminals. In May 2016 Austrian aerospace parts maker FACC reported it had fired its CEO and CFO after employees had transferred 41.9 million euro to cybercriminals after receiving a spoofed email from the CEO. In August 2016 Leoni, a German manufacturer of wires and electrical cables, reported a 40 million euro loss due to a BEC scam.
Because of the growing number of incidents, the FBI has started to report BEC/EAC (business email compromise and email account compromise) as a separate cybercrime. In 2017, the FBI reported that BEC/EAC incidents were only 5% of the total reported cybercrime incidents, but the money lost to BEC/EAC scams amounted to 50% of the losses from all cybercrimes.
The inconvenient truth: BEC scams still growing at three-digit rates
Experts claim that three quarters of cybercrimes are not reported to the police, due to their embarrassing nature and the low success rate of both police and judiciary with regard to cybercrime. The BEC scams mentioned in this blog certainly qualify as embarrassing, at the least. In this context it is safe to assume that the numbers officially reported by the FBI are just the tip of the iceberg.
Based on data from several sources, the FBI makes projections on the global loss caused by BEC/EAC. In the FBI’s public statement of May 2017, the total exposed losses were estimated at 5 billion dollars (measured between October 2013 and December 2016). In July 2018 an update of this FBI public statement reported a total loss from BEC/EAC of 12 billion dollars worldwide (measured between October 2013 and May 2018). This implies that between December 2016 and May 2018 the global loss due to BEC/EAC fraud increased by 136%.
It is to be hoped that publicity regarding CEO fraud will encourage IT managers and security specialists to discuss organizational countermeasures to prevent CEO fraud/BEC scams. When the human factor is targeted as the weakest link, rapid improvement can be made by using the following measures:
- Reviewing wire protocols (looking for weak spots in end-of-day/out-of-office-hours situations)
- Upgrading payment processes to dual-channel/two-factor authorization
- Educating and training the workforce on the dangers of BEC scams