On April 4, 2016, the Federal Bureau of Investigation issued a warning of a “dramatic rise” in business email compromises (BECs) and CEO frauds. The following summarizes Berkeley Research Group’s Global Investigations + Strategic Intelligence practice’s view of this growing fraud and provides actionable intelligence for alerting employees and practical tips to avoid becoming a victim.
How the BEC and CEO Frauds Work
The BEC and CEO frauds are targeted phishing schemes in which the recipient receives what appears to be a legitimate request for payment or a money transfer in an email from a colleague, vendor, or other trusted third party. These requests generally take one of two forms: (a) an email apparently originated by the CEO or someone else in a trusted position seeking a wire transfer to consummate a deal, or for some other business purpose, which the employee—without verification—wires as instructed (to the cybercriminal’s account); or (b) an email apparently originated by a legitimate company vendor with an attached invoice seeking payment, which is then paid (to the cybercriminal’s account).
These types of frauds are unique for a number of reasons. Foremost, they are directed, as opposed to blasted, so organizations’ spam filters generally will not catch them. Cybercriminals scour the Internet for email addresses of key employees, the identities of vendors, and other posted information to assist them with these targeted frauds. In addition, the perpetrators frequently follow social engineering-type emails disguised as real business emails with attachments posing as invoices, purchase orders, or other “business attachments,” which are actually executable files that may grab the recipient’s cached browser information, log the user’s keystrokes, or run other nefarious code.
The Dramatic Rise in the Fraud
In a prior release, the FBI had warned of the increased prevalence of these types of frauds. In January 2015, it had reported that between October 2013 and December 2014, 1,198 companies lost approximately $1.8 million due to the CEO fraud. Today, the FBI reports that between October 2013 and February 2016, there were 17,642 reports from victims of one form or another of the CEO fraud. The financial losses experienced by the victims during that time period were in excess of $2.3 billion. The FBI’s data also indicates a 270 percent increase in the incidence of this fraud since January 2015. The average dollar loss per BEC or CEO fraud compromise is $130,000. In short, the various frauds have been proven successful, and organizations need to train their employees to spot and thwart these frauds.
Avoid Becoming a Statistic
BRG’s Global Investigations + Strategic Intelligence practice offers the following suggestions on how to safeguard your organization and avoid becoming part of 2016’s victim statistics.
Spot the Fraudulent Emails
- Scrutinize the emails. Many contain misspelled words or missing punctuation and appear to be hastily written.
- Study the return email addresses in the email’s header. Cybercriminals frequently register domain names that are nearly but not exactly identical to their intended target’s domain. For example, an executive at a company whose email address is Joe@ABC.com may be spoofed by the fraudster as Joe@ABGDE.com, switching the “C” for the “G” in the return or “reply-to” address.
- Highlight the return address with your cursor and right-click to see the exact return email address.
Authenticate the Request
- Instead of hitting “reply,” forward the email to the colleague who appears to have sent you the request to verify the contents and the request.
- Confirm the business transaction using an alternative, but previously verified, form of communication, such as a text or telephone call.
- With regard to vendors’ requests for payment, always confirm by telephone any changes to payment or wiring instructions received by email.
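The header checks above (compare the From and Reply-To domains against domains you already trust, and look for near-identical spellings) can be automated at the mail gateway or in a help-desk triage script. The following is an added example written for this summary; it is not BRG’s code or tooling. The trusted-domain list, the sample message, and the edit-distance threshold are all constructed assumptions for illustration.

```python
"""Flag look-alike or mismatched sender domains in an email's From / Reply-To headers."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains this hypothetical organization already trusts.
TRUSTED_DOMAINS = {"abc.com", "acmevendor.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header, or '' if none is present."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """'trusted' (exact match), 'lookalike' (within max_edits of a trusted domain), or 'unknown'."""
    if domain in trusted:
        return "trusted"
    if domain and any(edit_distance(domain, t) <= max_edits for t in trusted):
        return "lookalike"
    return "unknown"


def analyze_message(raw: str) -> dict:
    """Classify the From and Reply-To domains and collect human-readable warnings."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    # Replies go to Reply-To when present, otherwise back to From.
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom
    findings = {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "from_class": classify_domain(from_dom),
        "reply_to_class": classify_domain(reply_dom),
        "warnings": [],
    }
    for label, dom, cls in (("From", from_dom, findings["from_class"]),
                            ("Reply-To", reply_dom, findings["reply_to_class"])):
        if cls == "lookalike":
            findings["warnings"].append(f"{label} domain {dom!r} looks like a trusted domain")
    if reply_dom != from_dom:
        findings["warnings"].append(
            f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    return findings


# Constructed sample: the visible From is the real domain, but replies are routed
# to a one-character look-alike, mirroring the "C" swapped for "G" pattern above.
SAMPLE_MESSAGE = """From: Joe <Joe@ABC.com>
Reply-To: Joe@ABG.com
To: accounts@abc.com
Subject: Urgent wire transfer

Please wire the closing funds today; I will send the account details shortly.
"""

if __name__ == "__main__":
    result = analyze_message(SAMPLE_MESSAGE)
    for line in result["warnings"]:
        print("WARNING:", line)
```

A message with any warning should be routed to the out-of-band verification step (a phone call to a previously known number), not answered by hitting reply. The edit-distance threshold of 2 suits the short domains in the sample; for a real deployment, tune it per domain length so that very short domains do not produce false positives.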
If you believe your organization has been a victim of this type of fraud, you should:
- Contact your financial institutions immediately and provide them with all of the salient information.
- Ask your financial institution(s) to quickly reach out to the financial institution(s) to which the fraudulent payment was sent.
- File a formal complaint with the Internet Crime Complaint Center (IC3).
Educate Your Organization
It is critically important to keep your organization up to date on these and other evolving scams. A number of online resources provide information on new cyber fraud methodologies, including the “press room” at IC3. Educate your employees on the tactics by providing training on spotting and defeating these frauds, and continuously remind them by email, messages on the company intranet, and periodic testing with simulated phishing attempts. Reinforcing the seriousness of the potential frauds and the expectation that employees carefully scrutinize Internet requests for payments or wires will go a long way toward keeping your organization off the FBI’s 2016 list of financial losses.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.