Posted by Ed Macnair / 07 January 2019
So, let’s kick off with the blindingly obvious: Business Email Compromise or CEO Fraud isn’t new. I didn’t wake up this morning and discover a fresh threat that’s going to make headline news.
Here’s the thing though, if it’s not a ‘new threat’, if the market is well acclimatised to scary stories and the security industry so advanced, why-oh-why does it continue to be successful?
I’m willing to bet even the fraudsters can’t believe their luck. It’s the cyber equivalent of telling someone to be aware that thieves operate in the area whilst simultaneously lifting their wallet in front of their eyes in broad daylight. CEO Fraud is the Mount Everest of cockiness.
Has CEO Fraud become more advanced?
Given its success, you’d like to think that CEO Fraud is an ever-changing beast, an uncatchable adversary but the reality is, the threat (broadly speaking) remains unchanged.
The most common scam still typically kicks off with an impersonation of a Senior Executive (normally by email) and is often accompanied with a request to either ‘make or divert’ payment for goods or services to a fraudulent bank account. So far, so easy to spot.
The target is ordinarily the finance department, who you could argue, should know better but (and it’s a big but) these attacks are seldom random which often means the ‘ask’ is so compelling, the context entirely plausible, the source totally believable, that it often evades everyday due diligence.
Add some supporting ‘urgent phone calls’ which ‘just can’t wait’, throw in a heavy dose of the boss’ wrath if it doesn’t happen and ‘voila’, you have a fairly heady cocktail of an admin error waiting to happen and the business’s bank account destined to be a few thousand quid lighter.
So why does it still work?
According to last year’s Annual Fraud Indicator, CEO Fraud is on the rise and showing no signs of slowing up. Procurement Fraud costs in particular are weighing in at a worrying £121.4bn annually for UK businesses alone, representing a concerning trend.
There’s a strong argument that says big cheques are not uncommon for ‘Procurement or Services’, leaving fraudulent requests to slip through the net with relative ease but the size of the theft can’t be the main focus - the overall problem runs deeper than that.
At its absolute core, there are three factors that allow CEO Fraud to continue to thrive.
The first is the sophistication of the attack.
You only have to take one look at the recent arrest in May this year of the group responsible for scoring a whopping EUR 18 million in CEO Fraud to know these aren’t random attacks.
I’m going to say that again, a theft of 18 million euros, made to look as simple as ‘borrowing’ from the office stationery cupboard. That’s not petty theft, that’s a successful, highly sophisticated business model of planned corruption, executed flawlessly (well, until they were caught).
The healthcare victim somehow managed to remain anonymous but the scam was scarily simple. A man impersonating a senior staff member manipulated a financial controller through a series of contextual requests, transferring funds to three different bogus accounts with remarkable ease.
Flagship cases aside however, the bulk of typical incidents is said to be around £35,000. Not quite millions of pounds but most companies that I know don’t have that sort of cash hidden down the side of the sofa.
Make no mistake, CEO Fraud involves meticulous planning. Often including long-term covert surveillance of the movements and habits of Senior members of staff, their activities, planned events on Social Media, publicised holidays, out-of-office give-aways and details of their daily schedule.
By the time the first email (or call) is put in to the unsuspecting target, the opponent is already 10 steps ahead of the game. Nothing (and I mean nothing) is by accident.
Secondly, the request comes from the boss.
We may not want to admit it, but most of us will simply ask ‘how high’ when somebody senior asks us to jump, particularly if the person in question pays the wages.
Senior people are also not averse to making last-minute and often time-sensitive demands because they’re well…busy, so an urgent request doesn’t feel out of place in the normal course of events.
Part of the sophistication of the scam involves a realistic emulation of the boss’ email address, so why wouldn’t they respond to their request? It’s their job, right?
Lastly, awareness is still alarmingly poor (sorry)
If you’re a CISO or Security Professional, this bit probably hurts the most. After all the salacious headlines, the maturity (and saturation) of the market, the column inches that have been attributed in the press to common attacks, the awareness of Cyber Crime still needs a lot of work.
The education process for CEO Fraud should be pretty simple.
- Always keep your guard up. If you have a request from somebody senior that doesn’t feel right, firstly, take a look at the properties of the email address. If you’re still not sure, then pick up the phone and ask the sender. Nobody gets fired for being too diligent in their role.
- Plan beyond your people – Whether it’s a supplier changing their bank details or a critical request from the boss that just can’t wait, nothing is too urgent to bypass a policy designed to protect the company. So, if you don’t have one in place, get one, sharpish.
- You can’t protect yesterday – Time and again I see legacy technology used to counter today’s threats. It’s not complicated – modern email security, a combination of content analysis, threat intelligence, and executive name checking wins. You need a unified solution.
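To make "take a look at the properties of the email address" and "executive name checking" concrete, here is an added example (not from the original post or any product) that checks one message's headers and text. The organisation domain, executive names, keyword list and sample messages are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: your real domain and senior-staff names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"Jane Smith", "Raj Patel"}
URGENCY = re.compile(r"\b(urgent|immediately|today|wire|transfer|payment)\b", re.I)

def _norm(name):
    """Lower-case and drop everything but letters so 'JANE  smith' still matches."""
    return re.sub(r"[^a-z]", "", name.lower())

def lookalike(domain, real=ORG_DOMAIN, threshold=0.8):
    """True if the domain is not ours but is suspiciously similar to it."""
    return domain != real and SequenceMatcher(None, domain, real).ratio() >= threshold

def check_message(raw):
    """Return a list of findings for one RFC 5322 message (single-part text)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    exec_name = _norm(display) in {_norm(e) for e in EXECUTIVES}
    if exec_name and domain != ORG_DOMAIN:
        findings.append("executive display name from external domain")
    if lookalike(domain):
        findings.append("lookalike sender domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("Reply-To domain differs from From domain")
    body = "" if msg.is_multipart() else msg.get_payload()
    # Weak signal on its own; meaningful when combined with the header findings.
    if exec_name and URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("payment/urgency language with executive name")
    return findings

# Constructed sample messages.
SPOOF = ("From: Jane Smith <jane.smith@examp1e.com>\nReply-To: js.office@mail.test\n"
         "Subject: Urgent payment\n\nPlease transfer the funds today, I am in meetings.\n")
LEGIT = ("From: Jane Smith <jane.smith@example.com>\nSubject: Board pack\n\n"
         "Attached for Thursday.\n")
OTHER = "From: Bob Jones <bob@other.org>\nSubject: Lunch\n\nFriday?\n"
```

A message that trips the header findings should be held for the phone-call verification described in the first bullet rather than actioned from the email alone.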
Do employees need to be more aware and play their part in keeping our businesses safe? Absolutely but if history has taught us anything, you’re not going to stop people being human anytime soon.
Out of the £18.9bn losses to small firms each year, a staggering 47% had not made any changes to prevent fraud – let’s just say that most (if not all) were preventable.
Unified Security technology is there to level the playing field - ignore it at your peril.
In the meantime, may the next email from your boss be to congratulate you for putting the issue of CEO Fraud, well and truly to bed.
…just be sure to check it’s actually from them.