Imagine you're an employee whose boss is on her way to Thailand for work. You and the rest of the team bid her farewell, then two hours later, an email arrives in your inbox.
I'm just about to board my flight to Thailand but before I go I need your help to urgently wire $100,000 to this BSB and Account Number. Please do it now as I'm boarding and won't have reception for the next 10 hours.
You think nothing of it. After all, you've wired money on her behalf several times before. Only later, when she returns, do you realise the email was not from your boss but it was part of a sophisticated Business Email Compromise (BEC) scam.
One of the biggest and most frightening issues for business right now is BEC or CEO Fraud. More and more hackers are targeting employees by pretending to be somebody higher up in the company, such as the CFO, CEO or the company attorney.
The hackers use the email address of the more senior employee and send an email to another employee asking for sensitive information. This might be financial details, passwords or HR information. They will often target businesses that work with foreign suppliers or regularly perform wire transfer payments.
No business is safe, whether you are big, small or a not-for-profit, according to the Federal Bureau of Investigation (FBI) in the US, you are at risk.
The FBI has issued a statement, warning of a dramatic rise in the BEC scam, a scheme that has resulted in massive financial losses in the U.S. The FBI estimated US$2.3 billion has been lost to these types of scams. There is not yet an official figure for how much money has been lost in Australia.
Tim Bentley from Proofpoint told The Huffington Post Australia the attackers - also known as 'actors' - are smarter than ever.
"They spend a lot of time researching on social media to find out where CEO's and CFO's are travelling. They'll send an email to their EA or finance team and it's usually a very straightforward email with no virus or malware and no forced attempt. It's a confidence trick and they're pretending to be someone in authority at the recipients' business or perhaps even a 3rd party supplier who is used to being asked to wire money."
Bentley said there is always a rise in the attacks around tax time.
"You might receive an email asking for everyone's group certificate. Once the attackers have a Tax File Number (TFN) they can use it in conjunction with other forms of ID to open a bank account," Bentley said.
"We've worked with numerous Aussie CEO/CFOs who receive up to five imposter emails a week. It's not just money. You'll have 'employees' emailing their HR/Accounting team for their tax group certificates and TFN details.The 'actors' run it like businesses. They have different divisions, people doing the research, people writing the code and people writing the email. It's getting more and more sophisticated."
Snapchat was hit by a phishing attempt in February: 700 employment details, including payroll information, were compromised. It was caused by an email requesting this information sent from an email address that appeared to belong to CEO Evan Spiegel.
A high-ranking financial employee of Mattel (Makers of Barbie) wired over $3 million to the Bank of Wenzhou, in China, off a spoofed email from the new CEO.
Proofpoint research revealed nearly 50 percent of impostor emails in Australia target the CFO and 25 percent hit human resources inboxes. Thirty percent of impostor email subject lines request employee tax information, 21 percent convey an urgency to act and 20 percent ask for wire transfers.
Bentley has shared some 'near misses' where employees almost fell victim to BEC but, due to a small hunch, they didn't. Here are three examples of people not falling into the trap and wiring money because:
- My CEO is Scottish, so he'll never ask that much money to be wired over email.
- I knew it wasn't from CFO because I knew he was in the toilet at the time.
- Our chairman never says thank you on email.
The FBI's Tips for Businesses:
- Be wary of e-mail-only wire transfer requests and requests expressing urgency.
- Pick up the phone and verify legitimate business partners.
- Be cautious of mimicked e-mail addresses.
- Use multi-level user authentication for your tech systems.