CEO Fraud and Business Email Compromise (2nd Edition)
According to the FBI, CEO Fraud or Business Email Compromise (BEC) has impacted more than 22,000 companies.
The losses amount to over $3 billion.
From 2015 to 2017 the FBI said BEC the losses rose 1300%!
But most companies have done little or nothing to address it.
This BEC Prevention Guide will start you down the road to protecting your business from this epidemic.
What is BEC?
BEC is a wire transfer fraud perpetrated through social engineering or computer hacks.
The criminals use the information gather to make unauthorized wire transfers.
Social engineering simply means fooling an authorized person to make the transfer into an unauthorized account, often in China and Hong Kong.
And here’s why it’s so urgent that your company deal with this issue now: After an unauthorized transfer is made, and 24 hours passes, you’ll almost NEVER recover the money.
Your window of recovery is tiny.
And don’t think it’s only big companies that get hit. Small businesses are hit just as often probably because criminals think they will be an easier mark.
How Do They Do It?
Usually, they send phishing emails. They pretend to be a reputable company representative. They blast out emails to many users and see if they can get them to respond with sensitive information. Sometimes they’ll even pretend to be the FBI or the IRS.
They figure if they send enough emails, SOMEONE will make a mistake and provide them with the information they need.
Another method is called “Whaling.” This is when, instead of sending emails to hundreds of users, they target executives or administrators.
Both types of emails employ psychological manipulation. And both can be very effective if your people are not trained to recognize them.
In 2016 the investigation into the Verizon data breach, showed that 30% of the people who got the phishing messages opened them. 12% opened attachments.
Once these attachments are opened, they may release malware and spyware. And when that happens, the criminals can just hoover up all the sensitive data your network can deliver. Often for months.
And then they use all this data to launch a BEC attack by pretending to be one of your executives or financial personnel.
Are You at Risk?
While you may think you’re covered against fraudulent financial transactions by your insurance, that’s not true. BEC is considered an email fraud and not a financial instrument fraud.
Your insurance will consider it internal negligence not a problem, and they will not pay claims unless you have coverage specifically for data breach and cyber-crime.
Who Will They Target?
While mass phishing scams may target tens or even hundreds of your employees, those most at risk are…
- Finance
- Human Resources
- Executive Team
- IT
It’s Not Just an IT Problem
Many C-levels feel that things like email security, virus and malware are ‘beneath them” literally and figuratively. “That’s a job for IT.”
Believe this at your own peril.
The FBI is warning corporations of the risk. It’s a growing problem. And it’s a C-level responsibility to insure your organization is acting reasonably to prevent this crime.
Saying “That’s a job for IT” is not acting reasonably when it comes to BEC and can leave you wide open to lawsuits.
And remember, a BEC attack could…
- Cause you to lose a large contract
- Cause you to lose your intellectual property
- Cause you to lose revenue
These factors make BEC a C-Level responsibility.
Finally, IT will never be enough to prevent BEC. All the antivirus, email security programs and backup systems won’t be enough if you don’t have a human firewall.
What’s a human firewall?
A human firewall is when your staff is so well trained against BEC that they do not fall prey to the psychological manipulation used by scammers.
This is the most important concept to address when it comes to preventing BEC. Criminals know that your PEOPLE are the easiest firewall to breach.
How to Prevent BEC
- Identify High-Risk Staff and insist on more safeguards for them.
For any major financial transactions or wire transfers, require multiple authorizations. And then add a “wait period” before the transfer is processed.
Examine the LinkedIn and Facebook accounts of these users to make sure no sensitive company data is displayed.
- Install technological safeguards.
- Email filtering
- Advanced password protocols and ID standards
- Physical token authentication
- Key fobs, access cards
- Google authentication app.
- Beef up Policy
Set security policy, review it regularly for gaps, and insist upon adherence.
Include the following…
- Never open attachments or click links from unknown sources
- Never use USB drives on office computers
- Your password management policy
- Training requirements
- WiFi access requirements
- Wire transfer protocol and limits
- Write Procedures for…
- Keeping software patches and virus signature files up-to-date
- Conducting vulnerability scanning and self-assessment using US-CERT or SANS Institute guidelines,
- Conducting penetration tests on WiFi and other networks
- Wire transfer authorization, including a phone or face-to-face confirmation is ideal and a “wait period” of at least 24 hours.
Cyber-Risk Planning
- Use best practices and industry standards to review your existing cybersecurity
- Run simulated breaches to judge the effectiveness of your plan.
- Review your insurance. Purchase cybersecurity insurance if you don’t have it.
Training
- Train you staff on security policy.
- Hold mandatory, specific training on phishing
- Do security awareness training
Conduct Simulated Phishing
- Run an initial simulation to determine your baseline (how many open emails, how many click, etc.).
- Run additional simulations to you check the efficacy of your security training.
- Don’t send the same simulation to everyone at the same time.
Watch out for Warning Signs in Emails
- Awkward wording
- Misspellings
- Sight changes in company names, email addresses and URLs
- Unusual urgency or time-sensitivity
- “Code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information” are common say the FBI.
What to Do When You Get Attacked
- Contact your bank and ask them if it’s possible to recall the transfer.
- Ask their cybersecurity department to get involved
- Contact the local FBI
- File a complaint at the FBI’s Internet Crime Complaint Center (IC3) at IC3.gov
- Brief your board and senior management in an emergency meeting
- Have IT investigate the breach (change passwords, run detection programs)
- Bring in an outside security specialist
- Contact your insurance company
- Contact your attorneys
- Investigate and identity policy violations
- Take disciplinary action
- Revise your security plan in light of the breach
Call Petronella Technology Group, Inc. today at 877-468-2721 to learn how to protect your business before it’s too late!