During a panel discussion on awareness training at the SC Congress security conference in Toronto two weeks ago, an attendee described how an organization had been swindled out of more than $300,000 through the so-called business-executive scam (business email compromise, or BEC).
The man's client, a financial institution, had been wondering why a customer hadn't been making its regular payments for some months. When the institution finally queried the customer, the answer was, "Well, I got your email and switched to the new account."
Here the chuckling started.
What new account? The email had said there was a system problem, so the institution had had to create a new bank account for the customer to send payments to. The customer thought it was strange and looked into it, so the attacker even sent an official-looking letter bearing the signature of a finance official from the U.S. Securities and Exchange Commission to verify the change. (It was later discovered that the letter included cut-and-pasted SEC boilerplate paragraphs.)
The story gets better. Shortly afterwards the attacker got in touch with the contact at the institution, saying the money still hadn't arrived. "Oh," said the scammer, "sorry about that, it's THIS bank account."
More laughter.
"This went on for three months," said the attendee. "And each of these payments was more than US$100,000."
"Man, you can't patch stupid like that," said one person. "But," replied panellist Jeff Stark, director of cyber security mitigation services at CIBC, "awareness training should have stopped that, because we've been telling people if you get something like that, pick up the phone and call the institution. So awareness training failed."
Not so, said the moderator: This was a governance problem.
Whoever's problem it is, Canadian organizations have to do better.
What reminded me of this incident is a new blog post from Trend Micro, which quotes FBI figures that over the past two years scams like this have caused at least US$2.3 billion in total losses to approximately 12,000 enterprises around the world. The average loss to an organization is US$130,000 per scam.
Executive scams often involve spoofing an executive's email so that it looks like an official communication. The message may carry a malicious attachment or a phony invoice, or an order for a staffer to do something: transfer money to a supposedly legitimate partner or to the person named in the invoice, or send a copy of employee or customer records containing sensitive information.
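The spoofing described above usually shows up in the mail headers before anyone reads the body: an executive's display name on an address that isn't theirs, a sender domain one character away from the real one, or a Reply-To that quietly routes the conversation elsewhere. The following screen is an added example written for this post, not code from Trend Micro, the FBI or the panellists. It assumes a company domain of example.com, two hypothetical executives, and two constructed sample messages; the phrase list and the edit-distance threshold are assumptions a real deployment would tune.

```python
"""Heuristic screen for executive-impersonation (BEC) email.

Added example, not code from the original post, Trend Micro or the FBI.
Assumptions: the company's domain is example.com, the executive list
below is hypothetical, and both sample messages are constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                        # assumption
EXECUTIVES = {"jane doe": "jane.doe@example.com",     # assumed CFO
              "john roe": "john.roe@example.com"}     # assumed CEO
PAYMENT_PHRASES = ("new account", "wire transfer", "updated banking",
                   "bank details", "urgent payment", "account number")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(raw):
    """Return a list of findings for one raw RFC 822 message (empty = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Executive display name on an address that is not the executive's.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr != exec_addr:
        findings.append("display name matches an executive but address is " + addr)

    # 2. Sender domain a character or two away from the real company domain.
    if domain and domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append("look-alike sender domain " + domain)

    # 3. Reply-To steering replies to a different domain than the From address.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower().rsplit("@", 1)[-1] != domain:
        findings.append("Reply-To domain differs from From domain")

    # 4. Body language typical of a payment-redirect request.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [p for p in PAYMENT_PHRASES if p in text]
    if hits:
        findings.append("payment-redirect language: " + ", ".join(hits))
    return findings


# Constructed sample: impersonates the CFO from a look-alike domain and
# asks accounts payable to switch to a "new account".
SPOOF = b"""From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jdoe.cfo@mail-example.net>
To: ap@example.com
Subject: Re: vendor payment
Content-Type: text/plain

Hi, we had a system problem on our side. Please send this month's payment
to the new account below and confirm when done.
"""

# Constructed sample: a genuine internal message from the same executive.
LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: board deck
Content-Type: text/plain

Can you send me the Q3 deck before the meeting? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SPOOF), ("legit", LEGIT)):
        print(label, screen(sample))
```

None of these checks is proof of fraud on its own; the point is that a message tripping several of them at once, together with a request to change where money goes, is exactly the case the panel's "pick up the phone" advice is meant for, and the mail gateway can route it to that phone call rather than to accounts payable.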
Research shows that, understandably, the targets of these scams are typically the CFO and those under him or her in the finance department. Most malware used in BEC schemes, which may include keyloggers, can be bought online for $50 or is even available for free, the blog notes.
Technology alone isn't the answer. Scanning attachments is part of the solution, as is awareness: looking for unusual requests from upper management for personal or customer information or for large transfers. But so is governance: rules that prevent transfers of money without verbal confirmation and, possibly, written approval.
That means the chief risk officer, or the equivalent, and the CISO have to work together to meet this challenge.