Business email compromise, also known as CEO fraud or whaling, is when cyberthieves use email to infiltrate an organization’s processes, gain access to confidential data, and steal money from the organization using wire fraud.
Often, hackers use social engineering to impersonate an executive staff member—typically the CEO or CFO—and request money transfers from their finance department or commit scams known as email account compromises. These scams are very profitable because they only need to succeed a few times to provide a return on investment.
Below, we outline the steep fraud increase during COVID-19, how cyberattacks are often committed, and steps your organization can take to help prevent and respond to a threat.
Increased Fraud Instances During COVID-19
In September 2019, the FBI posted a public service announcement noting a significant increase in the number of scams targeting small-to-large organizations. Scams were reported in all 50 states and 177 countries. Fraudulent transfers were sent to at least 140 countries, netting the scammers $26 billion between 2016 and 2019.
Then came 2020 and the COVID-19 pandemic, which has resulted in a 300% increase in the number of scams reported on a daily basis, according to the FBI.
Early in 2020, scammers focused on targeted campaigns related to the pandemic, including stimulus payments, unemployment, Paycheck Protection Plan (PPP) loans, benefits, and data stolen from remote employees—all different ways to scam organizations and people out of their money.
2021 Trends and Outlook
Cyberattacks on remote workers are likely to continue in 2021 because organizations have found that working remotely increases productivity and cuts costs, so remote work is here to stay.
Scammers focused on remote employees in 2020 because home networks aren’t as secure as corporate networks. As the number of devices connecting over corporate VPNs increases, there are more systems for attackers to try to exploit. Remote workers can also be more easily distracted, making them more likely to click on malicious links and fall victim to social engineering attacks.
Examples of Email Fraud
Here are five of the most common email cyberattacks seen during the COVID-19 pandemic.
Situation 1: Making New Recurring Transfers
A hacker took over a CFO’s email account and sent an email to the individual in the organization who was in charge of wire transfers. The email came from the CFO’s actual email account and asked for a recurring monthly wire to be sent to a new bank account number. The individual processed the wire without confirming the new bank account number with the CFO.
In these types of scams, it’s possible for the perpetrators to route return emails from the individual in charge of wire transfers directly to the deleted-items folder. This means that attempts to confirm the changes via email might not ever be seen.
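The hidden-reply trick described above leaves a trace: a mailbox rule that moves or deletes messages matching finance-related terms. The following is an added example, not code from the original article, that scores an exported list of mailbox rules for the signs responders typically look for after a suspected account takeover. The rule records, the field names (name, conditions, actions) and the domain example-corp.test are constructed; real exports from a mail platform use their own schema.

```python
"""Flag mailbox rules that silently hide or divert mail, a common artifact of a
compromised email account. Added example; the rule records below are constructed
to mimic an exported rule list and do not come from any real mail platform."""

# Constructed sample export: one rule per dict. The schema is an assumption.
SAMPLE_RULES = [
    {"owner": "cfo@example-corp.test", "name": "Newsletters",
     "conditions": {"from_contains": ["news@vendor.test"]},
     "actions": {"move_to": "Newsletters"}},
    {"owner": "cfo@example-corp.test", "name": ".",
     "conditions": {"subject_or_body_contains": ["wire", "bank account", "invoice"]},
     "actions": {"move_to": "Deleted Items", "mark_read": True}},
    {"owner": "ap@example-corp.test", "name": "Forward",
     "conditions": {"from_contains": ["controller@example-corp.test"]},
     "actions": {"forward_to": ["lookalike@example-c0rp.test"], "delete": True}},
]

# Folders that keep matching mail out of the user's sight.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}
# Terms that suggest the rule targets payment or banking correspondence.
FINANCE_TERMS = {"wire", "bank", "invoice", "payment", "account", "ach", "transfer", "routing"}


def score_rule(rule, internal_domain):
    """Return the list of reasons a single rule looks like it hides or diverts mail.
    An empty list means nothing suspicious was found."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    destination = actions.get("move_to", "").strip().lower()
    if destination in HIDING_FOLDERS or actions.get("delete"):
        reasons.append("routes matching mail out of sight")

    external = [addr for addr in actions.get("forward_to", [])
                if not addr.lower().endswith("@" + internal_domain.lower())]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))

    keywords = conditions.get("subject_or_body_contains", [])
    finance_hits = [k for k in keywords if any(term in k.lower() for term in FINANCE_TERMS)]
    if finance_hits:
        reasons.append("matches finance keywords: " + ", ".join(finance_hits))

    # Attacker-created rules are often named with a single dot or left blank.
    if len(rule.get("name", "").strip(" .-_")) <= 1:
        reasons.append("near-empty rule name")
    return reasons


def suspicious_rules(rules, internal_domain):
    """Return (owner, rule name, reasons) for every rule with at least one finding."""
    findings = []
    for rule in rules:
        reasons = score_rule(rule, internal_domain)
        if reasons:
            findings.append((rule.get("owner", "?"), rule.get("name", ""), reasons))
    return findings


if __name__ == "__main__":
    for owner, name, reasons in suspicious_rules(SAMPLE_RULES, "example-corp.test"):
        print(f"{owner}: rule {name!r}")
        for reason in reasons:
            print("  -", reason)
```

Run against a real export, the same logic is usually applied per mailbox as part of the initial triage, and any rule that both keys on finance terms and moves mail to Deleted Items is treated as a strong indicator that the account has been taken over.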
Situation 2: Changing Your Organization’s Bank Accounts
A scammer sent emails using a fake email address that appeared to be from a CFO. The email appeared real, but it had one or more minor changes that weren’t noticed by the recipient. The email asked for a wire transfer to be sent to a current vendor but with a new bank account. The wire processor initiated and sent the wire without confirming the new bank account with the CFO.
Situation 3: Sharing Customer Information
Sometimes it isn’t money scammers are after, but information. For example, a scammer sent emails that appeared to come from the controller to midlevel employees with access to customer information. The email address was fake but appeared real, and the employee sent customer information to the scammer.
Situation 4: Paying Third-Party Contractors
A scammer called an accounting clerk pretending to be someone from the construction company the clerk’s company had hired for an ongoing project. The caller said they hadn’t received payments for the last two months.
The scammer convinced the clerk they had changed their bank account information, sent a fake invoice that looked like it came from the real construction company, and stated the money should be sent to the new account number. The company ended up paying the scammers more than $1 million. They didn’t know about it until the construction company let them know they hadn’t been paid.
During the investigation, it was determined that the scammer had compromised the company’s email account and then played the waiting game as they read through emails and planned the timing of their attack. Then, with fake emails and a couple of phone calls, they were able to make off with a lot of money.
Situation 5: Updating Employee Bank Accounts
Human resource (HR) departments, like finance, are also targeted by scammers. For example, scammers may try to get HR personnel to change the bank account numbers for direct-deposit paychecks.
In a typical example, HR or payroll representatives receive emails appearing to be from employees requesting to update their direct-deposit information for the current pay period. The new direct-deposit information provided to HR or payroll representatives generally leads to a prepaid payment-card account.
In all of these situations, the scammers targeted organizations based on information they could find online from sites such as LinkedIn or the organization’s website. They used this knowledge as well as information from other data breaches to build a profile on the organization and its executives.
The scammers then either infiltrated an executive’s email account or sent an email using an email address that looked like the executive’s email address but with one letter changed. They used language, such as urgent or right away, to pressure the victim into completing the transaction quickly. They may have followed up with more emails and even phone calls to persuade the target.
Eventually, they provided the wiring instructions or some other instructions to obtain access to the funds or the confidential data.
How an Organization Can Protect Itself
A successful business-email-compromise attack depends on the victim acting on the fraudulent request, so visibility into the attack, email protection, and user awareness can help mitigate or thwart it.
Security awareness training, financial-accounting internal controls, and proper cybersecurity controls can also help prevent these attacks from occurring. Here’s how to best approach each of these items to set an organization up for success.
1. Security Awareness Training
Spend time training end users. End users are the weakest link in any security program because they’re the ones receiving malicious emails or getting phone calls asking for funds to be transferred. Awareness training is only the first step in an overarching security program, but it’s a necessary step that’s often overlooked.
It takes time to establish and commit to an awareness-training program as well as the backing of management, HR, and information technology. Ongoing security awareness is part of many compliance requirements, such as the Payment Card Industry Data Security Standards (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA). Organizations subject to these regulations understand the need for awareness training to keep security top of mind for end users and help protect sensitive data.
Security awareness training should be provided to every new hire and instituted as an annual refresher course. It’s also imperative that other methods are used to frequently remind end users about safe computing habits, such as sending a monthly email reminder, providing awareness posters in the break room, or conducting phishing tests.
It takes time and commitment to provide this training, but, when done properly, it can raise awareness for end users and reduce the risk of a ransomware or phishing attack.
2. Bolster Your Internal Controls
Strong internal controls are more important than ever in this environment. Organizations can benefit from considering policies that include the following controls:
- Limit access to a very small number of individuals who can initiate wire transfers.
- Verify unique passwords are being used to access wire-transfer software and require frequent changes.
- Set limits on each user’s authority. For example, the same person shouldn’t be able to enter wire instructions and approve wires. This process should require the participation of two separate individuals.
- Consider CEO or CFO approval on any wires over a certain high-dollar amount, such as $50,000.
- Explore a secure signature system or signed document to preapprove all wires. A secure system allows authorized individuals to send payment approvals from their desks without actually signing for the transaction on hard-copy documents.
- Implement telephone or dual-factor authentication procedures with the requestor before any wire transfer is made.
- Implement additional levels of authorization before setting up a wire for the first time to an external party and whenever the bank account routing numbers are changed.
- Require proper documentation for all wire-transfer journal entries and require a second person review of these entries.
- Review user access reports to verify they’re accurate and up to date and that user access levels are appropriate based on user roles.
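The controls above are easier to enforce consistently when the approval path for each wire is computed from the request itself rather than remembered by whoever is processing it. The following is an added example, not code from the original article, that encodes the segregation-of-duties, high-dollar approval, callback verification, and new-or-changed bank detail controls as a single check. The $50,000 threshold comes from the article's example; the role labels, the known-payee file, and the request fields are constructed assumptions.

```python
"""Compute which internal controls an outgoing wire must satisfy and whether the
request as submitted satisfies them. Added example; thresholds, role names and
the known-payee file are constructed and should be replaced by the
organization's own policy values."""

from dataclasses import dataclass, field

HIGH_VALUE_THRESHOLD = 50_000          # article's example; real value is policy-specific
EXECUTIVE_ROLES = {"CEO", "CFO"}       # assumed role labels for executive sign-off

# Constructed known-payee file: payee -> (routing number, account number).
KNOWN_PAYEES = {"Acme Construction": ("021000021", "123456789")}


@dataclass
class WireRequest:
    requester: str                  # user who entered the wire instructions
    payee: str
    routing_number: str
    account_number: str
    amount: float
    approvers: list = field(default_factory=list)  # (user, role) pairs who approved
    callback_verified: bool = False  # requestor confirmed by phone or second factor


def required_controls(req, known_payees=KNOWN_PAYEES):
    """Return the set of control names this wire must satisfy before release."""
    controls = {"dual_control", "callback_verification"}
    if req.amount >= HIGH_VALUE_THRESHOLD:
        controls.add("executive_approval")
    prior = known_payees.get(req.payee)
    if prior is None:
        controls.add("new_payee_authorization")
    elif prior != (req.routing_number, req.account_number):
        # Existing payee but the bank details differ from the file: Situation 2 pattern.
        controls.add("bank_detail_change_authorization")
    return controls


def evaluate(req, known_payees=KNOWN_PAYEES):
    """Return (approved, sorted list of unmet controls)."""
    required = required_controls(req, known_payees)
    unmet = set()
    approver_users = {user for user, _ in req.approvers}
    approver_roles = {role for _, role in req.approvers}
    independent = approver_users - {req.requester}   # approvers other than the entrant

    # Segregation of duties: the person who keyed the wire cannot be its only approver.
    if "dual_control" in required and not independent:
        unmet.add("dual_control")
    if "callback_verification" in required and not req.callback_verified:
        unmet.add("callback_verification")
    if "executive_approval" in required and not (approver_roles & EXECUTIVE_ROLES):
        unmet.add("executive_approval")
    # First-time payee or changed routing/account: a second independent approver.
    for control in ("new_payee_authorization", "bank_detail_change_authorization"):
        if control in required and len(independent) < 2:
            unmet.add(control)
    return (not unmet, sorted(unmet))


if __name__ == "__main__":
    # Situation 2 as submitted: existing vendor, new account, one person does everything.
    rushed = WireRequest("alice", "Acme Construction", "021000021", "999999999", 80_000,
                         approvers=[("alice", "AP Clerk")])
    print(evaluate(rushed))
    # Same wire with callback, controller review and CFO sign-off.
    reviewed = WireRequest("alice", "Acme Construction", "021000021", "999999999", 80_000,
                           approvers=[("bob", "Controller"), ("carol", "CFO")],
                           callback_verified=True)
    print(evaluate(reviewed))
```

The point of returning the list of unmet controls, rather than a bare yes or no, is that the wire-transfer system can show the processor exactly which step is missing (for example, that the bank detail change still needs a second reviewer) instead of letting the request through on the strength of an urgent-sounding email.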
3. Establish Strong Cybersecurity Controls
Strong cybersecurity and technical controls are essential; they can help prevent scam emails from ever arriving in an employee’s inbox, inform an employee of potential issues, or provide strong authentication requirements to email platforms and sensitive data.
Controls to Establish
- Block emails that use spoofed or lookalike domain names.
- Tag external emails by adding a banner or notification to inform recipients that the email isn’t from an internal domain.
- Use Domain-based Message Authentication, Reporting & Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) settings to authenticate mail senders and protect against spoofing and phishing emails.
- Detect brute-force attacks against web-based mail to identify potential compromises.
- Require multifactor authentication for all email accounts.
- Identify corporate accounts that have appeared in a data breach and ensure those users change their passwords to strong, unique ones.
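The first three controls above, and the one-letter-changed addresses described earlier in the article, can be illustrated with a small inbound-mail check. The following is an added example, not code from the original article or any mail gateway, that classifies a sender domain as internal, external, or a lookalike of a trusted domain (one character changed, transposed, or a digit swapped for a letter), prepends the corresponding banner, and parses a DMARC TXT record to confirm the policy actually enforces rather than only reports. The domains example-corp.test and acme-construction.test, the sample messages, and the banner wording are constructed.

```python
"""Inbound-mail checks for lookalike sender domains, external-mail banners and
DMARC policy enforcement. Added example; domains, messages and banner text are
constructed and the matching rules are an illustration, not a product's logic."""

import re

INTERNAL_DOMAINS = {"example-corp.test"}                               # constructed
PROTECTED_DOMAINS = INTERNAL_DOMAINS | {"acme-construction.test"}      # trusted vendors, constructed

EXTERNAL_BANNER = ("[EXTERNAL] This message came from outside example-corp.test. "
                   "Verify any payment or account change by phone before acting.")
LOOKALIKE_BANNER = ("[WARNING] The sender domain closely resembles a trusted domain. "
                    "Do not act on this message; report it to IT.")


def normalize(domain):
    """Fold common visual substitutions so 'example-c0rp' compares equal to 'example-corp'."""
    d = domain.lower().strip()
    d = d.replace("rn", "m").replace("vv", "w")           # letter pairs that mimic m and w
    return d.translate(str.maketrans("013578", "olestb"))  # digits that mimic letters


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def sender_domain(addr):
    """Extract the domain from 'Name <user@domain>' or a bare address."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", addr)
    return m.group(1).lower() if m else ""


def classify_sender(addr, protected=PROTECTED_DOMAINS, internal=INTERNAL_DOMAINS):
    """Return 'internal', 'lookalike' or 'external' for the sender's domain."""
    domain = sender_domain(addr)
    if domain in internal or any(domain.endswith("." + d) for d in internal):
        return "internal"
    if domain in protected:
        return "external"          # exact match on a trusted vendor domain
    for good in protected:
        if domain.endswith("." + good):
            continue               # a real subdomain of a trusted domain is not a lookalike
        if normalize(domain) == normalize(good) or edit_distance(normalize(domain), good) <= 1:
            return "lookalike"
    return "external"


def tag_message(msg):
    """Return a copy of msg (dict with from/subject/body) with classification and banner."""
    kind = classify_sender(msg["from"])
    if kind == "internal":
        return dict(msg, classification=kind)
    prefix = "[EXT] " if kind == "external" else "[SUSPICIOUS] "
    banner = EXTERNAL_BANNER if kind == "external" else LOOKALIKE_BANNER
    return dict(msg, classification=kind, subject=prefix + msg["subject"],
                body=banner + "\n\n" + msg["body"])


def dmarc_policy(txt_record):
    """Parse a DMARC TXT record; return (policy, enforcing). Only 'reject' and
    'quarantine' cause spoofed mail to be acted on; 'none' merely reports."""
    tags = dict(part.strip().split("=", 1) for part in txt_record.split(";") if "=" in part)
    if tags.get("v", "").strip().upper() != "DMARC1":
        return (None, False)
    policy = tags.get("p", "none").strip().lower()
    return (policy, policy in ("reject", "quarantine"))


# Constructed sample messages mirroring the article's situations.
SAMPLE_MESSAGES = [
    {"from": "CFO <cfo@example-corp.test>", "subject": "Q3 forecast", "body": "See attached."},
    {"from": "CFO <cfo@example-c0rp.test>", "subject": "Urgent wire", "body": "New account, send today."},
    {"from": "billing@acme-construction.test", "subject": "Invoice 4471", "body": "Attached."},
    {"from": "billing@acrne-construction.test", "subject": "Updated bank details", "body": "Please use."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        tagged = tag_message(msg)
        print(f"{tagged['classification']:9s} {tagged['subject']}")
    print(dmarc_policy("v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.test"))
```

A distance threshold of one catches the single-character edits the article describes without flagging every unrelated domain; widening it trades fewer misses for more false alarms, which is the usual tuning decision for a gateway rule. The DMARC check matters because a record published with `p=none` provides visibility but no protection against spoofing of the organization's own domain.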
We’re Here to Help
For help determining the best way to strengthen your organization’s cybersecurity and protect against increased email fraud, contact your Moss Adams professional.
For regulatory updates, strategies to help cope with subsequent risk, and possible steps to bolster your workforce and organization, please see the following resources: