The email that Michael Becce shared with me certainly looked real. In the message he appeared to ask the CFO of the corporation he runs to send a large, but not unusually large wire transfer to a bank.
“I need you to do a wire of 28,500USD to the attached account. Kindly let me know as soon as transfer is done and send me a transfer confirmation in reply,” the email said, and concluded, “Awaiting your reply.” Attached to the email was a wire transfer form with an account at a Chinese bank.
Becce, who is CEO of MRB Public Relations, said the payment might have gone through but for a couple of reasons. Notably, the CFO of his company is also his wife, who knew he would have mentioned such a transfer in person rather than simply sending an email. In addition, the signature block used the company’s previous address, not its current one.
Other companies haven’t been so lucky. Bonnier Corporation, publishers of a number of lifestyle publications including Popular Science, Scuba Diving and Flying, also received such an email, but in this case the amount was much larger.
There, the amount was two payments of $1.5 million, to be sent to a bank in China. An executive in the company’s accounting department sent off the first payment and then decided to ask the CEO if he’d really authorized it.
As it happens, the then-CEO Dave Freygang did not authorize the payment and didn’t send the email. The accounting department staff was able to recall the second wire transfer before it got to the destination. Freygang, who has since left the position as CEO, told the New York Post that the Chinese banking regulators have not been willing to cooperate in retrieving the money.
Bonnier spokesperson Perri Dorset said she was unable to comment beyond the story that appeared in the Post, telling eWEEK that the FBI, which is investigating the fraud, had asked the company not to make any additional statements.
Shortly after the Bonnier fraud took place, the U.S. government issued a warning. According to a notice from the Financial Services Information Sharing and Analysis Center (FS-ISAC), issued jointly with the FBI and U.S. Secret Service, this kind of business email compromise (BEC) is sharply on the rise.
“BEC is a type of payment fraud that involves the compromise of legitimate business email accounts for the purpose of conducting an unauthorized wire transfer,” the government’s statement says.
The way it works is that the accounting or finance department of a corporation receives an email from someone who appears to be the company’s CEO, directing payment by wire transfer to a bank account. The email usually says the need is urgent and highly confidential, and it directs immediate payment without further authorization. Normally, the email appears to come from the CEO’s company address.
Advanced Phishing Scam Targets CEOs, CFOs, for Phony Cash Transfers
According to Becce, the way this whole thing unfolds is “scary.” What especially worried Becce is the amount of research that was involved in sending the phishing email. “They must have done some kind of background research,” he said. “They knew the kinds of funds that we dealt with.”
Becce said that he’d recently been talking with one of his clients, Stu Sjouwerman, about the scam and that he’d discussed it with his wife only a couple of days before they’d received the email. Sjouwerman, who runs security training company KnowBe4, said that he’s seeing this particular scam frequently in recent days.
The messages all show a consistently high level of social engineering. The person or group sending them has gone to enough trouble to learn who the company’s CEO is and who is in charge of making payments, because the email is specifically addressed to that person.
They also spoof the CEO’s email address. In addition, they frequently wait until the CEO is away on business travel, which makes it more plausible that such a request would arrive by email and harder to verify.
Fortunately, there are a few things you and your staff can do to keep this from happening. The first is to implement requirements for approval before large payments are processed and paid. While the size of what constitutes a large payment will differ according to the company, there should be some level that will trigger a confirmation request.
But it’s important that the confirmation not come by simply replying to the email. In these scams the “Reply-To:” header is set so that replies go back to the scammer, and where the CEO’s real account has been compromised, even a reply to the genuine address lands in the attacker’s hands. Instead, you should insist on verbal confirmation, or at least some channel besides email.
It also helps to instill a certain level of suspicion in the accounting department. Requests for expedited payment and confidentiality should be red flags and should trigger a call for confirmation. While some disbursements do require a fast response and some discretion, it is highly unlikely that one requires such speed that no one can make a quick phone call.
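The header checks and the payment-threshold rule described above can be automated as a first-pass screen on the accounts-payable intake mailbox. The following Python script is an added example for this page, not code from the article, FS-ISAC or KnowBe4; the company domain, executive name, dollar threshold and the three sample messages are constructed for illustration (the first mirrors the wording quoted earlier, the third models a lookalike sender domain). It flags a Reply-To that points off the sender’s domain, an executive’s display name on the wrong address, a lookalike sender domain, pressure language, and any amount at or above the threshold. The threshold check runs independently of the header checks on purpose: a request sent from a genuinely compromised CEO account passes every header test, and only the amount rule still forces the phone call.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Assumed company facts (not from the article): our domain, the executives
# the scam impersonates, and the payment size that forces a phone call.
COMPANY_DOMAIN = "example.com"
KNOWN_EXECS = {"jane doe": "jane.doe@example.com"}
CONFIRMATION_THRESHOLD_USD = 10_000
# Urgency, secrecy and wire language the article describes as red flags.
RED_FLAG_PHRASES = ("urgent", "confidential", "wire", "as soon as", "kindly")
# Matches "$28,500", "USD 28,500" or "28,500USD"; does not parse "$1.5 million".
AMOUNT_RE = re.compile(
    r"(?:\$\s*|USD\s*)(\d[\d,]*(?:\.\d+)?)|(\d[\d,]*(?:\.\d+)?)\s*USD", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_amounts_usd(text):
    """Dollar amounts found in free text, in order of appearance."""
    return [float((m.group(1) or m.group(2)).replace(",", ""))
            for m in AMOUNT_RE.finditer(text)]


def screen_message(raw):
    """Findings for one RFC 5322 message; an empty list means no BEC indicators."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Reply-To pointing off the From domain: replies would reach the attacker.
    for _, reply_to in getaddresses(msg.get_all("Reply-To", [])):
        if reply_to and domain_of(reply_to) != from_dom:
            findings.append(f"reply-to domain mismatch: From {from_addr}, Reply-To {reply_to}")

    # 2. An executive's display name on an address that is not that executive's.
    expected = KNOWN_EXECS.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"executive display name '{from_name}' on unexpected address {from_addr}")

    # 3. Sender domain that reuses our name but is not our domain (e.g. example-corp.co).
    base_name = COMPANY_DOMAIN.split(".")[0]
    if from_dom and from_dom != COMPANY_DOMAIN and base_name in from_dom:
        findings.append(f"lookalike sender domain {from_dom}")

    # 4. Pressure and wire language in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = [p for p in RED_FLAG_PHRASES if p in text]
    if hits:
        findings.append("pressure/wire language: " + ", ".join(hits))

    # 5. Amount at or above the policy threshold, checked regardless of the
    #    header results so a request from a compromised real account still stops.
    amounts = extract_amounts_usd(text)
    if amounts and max(amounts) >= CONFIRMATION_THRESHOLD_USD:
        findings.append(f"amount at or above threshold: {max(amounts):,.2f} USD")
    return findings


def disposition(findings):
    """HOLD means: do not pay and do not reply; confirm by phone or in person."""
    if any(f.startswith(("reply-to", "executive", "lookalike", "amount")) for f in findings):
        return "HOLD"
    return "REVIEW" if findings else "OK"


# Constructed sample messages (not real traffic).
SCAM_MSG = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <ceo.jane.doe@mail-example.net>
To: cfo@example.com
Subject: Urgent wire - confidential

I need you to do a wire of 28,500USD to the attached account. Kindly let me
know as soon as transfer is done and send me a transfer confirmation in reply.
"""

SPOOFED_NAME_MSG = """\
From: Jane Doe <jane.doe@example-corp.co>
To: cfo@example.com
Subject: Payment today

Please process the wire we discussed, 40,000 USD, and keep it confidential.
"""

LEGIT_MSG = """\
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Q3 vendor invoice

Attached is the approved invoice for 1,200 USD; it is already in the PO system.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MSG), ("spoofed name", SPOOFED_NAME_MSG), ("legit", LEGIT_MSG)):
        result = screen_message(raw)
        print(label, disposition(result), result)
```

The keyword list is deliberately short and will miss rephrased requests; the header and amount rules are the ones that matter, and neither substitutes for the out-of-band call.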
The FS-ISAC notice cited above gives a series of recommended steps you should review, including a requirement for a second signature on large payments and an agreed means of communicating with your bank when large payments are requested.
Ultimately, however, your accounting department is your first line of defense. Its staff need to know that this scam exists and that it is designed to extract money with a minimum of interaction with the rest of the company.
“The problem with phishing attacks like this is that it manipulates the normal command channels in an organization, using almost perfect looking spoofed emails from the CEO,” Sjouwerman said. “The bad guys prey on this, and use it over and over. Employees need to stay on their toes with security top of mind to stop extremely expensive scams like this. Security awareness training is a must these days.”
Editor’s Note: This article was updated to correct the spelling of the name of Stu Sjouwerman, CEO of security training firm KnowBe4.