The festive season that ended 2018 has seen less ‘ho ho ho’ and more ‘oh no’ for many tax professionals and payroll administrators. The problem stems from phishing attacks in which salary payments are redirected to bank accounts that are, to put it simply, fraudulent. On the face of it the scam is simple: the attackers request, supposedly on behalf of an employee, that the employee’s bank account details be changed and deposits made to the new account. The ploy may seem transparent, but it is in fact a highly sophisticated attempt at obtaining funds. The requests come from spoofed emails, the money lands in ‘burner accounts’, and the targets are small and medium sized enterprises. This so called ‘CEO Fraud’ takes advantage of the fact that these businesses usually have fewer checks and balances than larger organizations, and are hungry for that next deal.
The emails are not limited to a particular industry or employer though the IRS in the United States has received reports that tax preparers are among those affected.
Industry estimates that business email compromise has hit over 80,000 businesses globally in the last 5 years. By the first of the year, global cybercrooks will have garnered over $13 billion.
Some key elements of phishing attack emails are qualifying questions, like “If I needed you to send some money in a hurry, could that be done?” An added sense of urgency is provided by what is known in the sales game as an “impending event”: “I can get this deal closed today, but after that the client is on a plane to Sydney.”
Paul Bischoff, privacy advocate with Comparitech.com explains just why this latest scam has been labelled as ‘CEO Fraud’.
“Businesses and tax professionals are prime targets for phishing, a scam that’s cheap and low-risk for criminals that stand to steal large amounts of money. The agency warns of scammers impersonating both employees and company executives to trick payroll departments and tax preparers into changing the direct deposit routing number for an employee’s bank account.”
Losses can devastate the business. It is estimated that around two or three hundred million dollars vanished into the pockets of terrorists, drug dealers, rogue governments and cybercrime syndicates during festive season 2018.
Verify before making a decision
It is not only employees, and by proxy the companies that employ them (through no fault of their own), who are exposed to what can only be described as identity theft. The concept of CEO fraud, or alternatively Business Email Compromise (BEC), has spread to other approaches for defrauding companies. Emails and communication from suppliers must also now be treated with caution. In fact the FBI has reported that wire transfer schemes such as this have led to losses for individual companies of as much as $100 million, and total losses of around $12.5 billion.
Bischoff provides some advice to companies about how to avoid the effects of these sorts of cyber frauds which actively target the finance department.
“The best way to guard against this scam is by requiring any such requests for payroll or other financial changes to be verified by a second form of identification. This can be as simple as a phone call to the employee or executive to double check that such a request is legitimate, although be sure not to use a phone number provided in the email.”
Colin Bastable, CEO of Lucy Security, advises that, “All security starts with a policy – businesses should have an agreed policy for such situations, and they should train their staff accordingly. CEOs should hire strong people who are willing to stick to the policy under pressure. Of course, defying the CEO is a great way to get fired in American business, and the cybercrooks rely on this.”
A new style of cyber fraud
The question that is plaguing CEOs and their senior finance employees is just how such a seemingly transparent information security risk could become a source of such concern. How exactly does a finance department fall for phishing scams like this? Why do the usual checks and balances fail when it comes to spoofed emails?
The answer lies within how third parties gather data on trusted employees – and the increasing power of companies that are now known as data brokers.
The approach is deceptively simple. The scammers register a free webmail account. However, they also need the details of an employee to impersonate, and to obtain those they enlist the help of commercial data providers. These companies sell information to marketers who are looking for leads, and the amount of data they hold is frightening, at least to anyone concerned with privacy.
An American company based in San Francisco provides just the sort of information that these scammers need. A group from Nigeria calling themselves ‘London Blue’ has exploited that service and obtained information on users including name, company, title, work email address, and personal email addresses. Once they have that information the CEO fraud scam proceeds. The targets are usually financial officers (CFOs in the majority), the people who have the ability to transfer funds with little or no oversight in day-to-day business.
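The two points above, that the requests arrive from free webmail accounts under a borrowed executive’s name, and Bischoff’s earlier advice that any payroll change be verified out of band using a number that did not come from the email, can be combined into a simple screening step for a payroll inbox. The following is an added example written for this article, not code from any of the companies quoted; the directory, domains, addresses and phone numbers are constructed, and a real deployment would read the directory from HR records rather than a hard-coded table.

```python
"""
Added example: screen an inbound payroll/direct-deposit change request for
the BEC warning signs described in the article and pick the callback number
from the staff directory, never from the email. All data here is constructed.
"""
import re
from dataclasses import dataclass

# Constructed staff directory. In production this comes from HR records
# (the trusted source for phone numbers), not from the inbound message.
DIRECTORY = {
    "jane doe": {"email": "jane.doe@example-corp.com", "phone": "+1-555-0100"},
    "sam lee": {"email": "sam.lee@example-corp.com", "phone": "+1-555-0101"},
}
CORPORATE_DOMAIN = "example-corp.com"            # assumed corporate domain
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Wording that marks a banking/payroll change, pressure tactics, and an
# embedded phone number (which must never be used for the callback).
PAYROLL_CHANGE = re.compile(r"direct deposit|bank account|routing number|wire", re.I)
URGENCY = re.compile(r"\b(urgent|asap|today|in a hurry|before)\b", re.I)
PHONE_IN_BODY = re.compile(r"\+?\d[\d\-\s()]{7,}\d")


@dataclass
class Email:
    display_name: str
    address: str
    subject: str
    body: str


def screen_request(mail: Email) -> dict:
    """Return the risk signals found, whether the request needs out-of-band
    verification, and the directory phone number to call back on."""
    signals = []
    domain = mail.address.rsplit("@", 1)[-1].lower()
    entry = DIRECTORY.get(mail.display_name.strip().lower())

    # Display-name impersonation: the name is a known colleague but the
    # address is not the one on record for that person.
    if entry and mail.address.lower() != entry["email"]:
        signals.append("display name matches staff but address does not")
    if domain in FREE_WEBMAIL:
        signals.append("sent from free webmail domain")
    elif domain != CORPORATE_DOMAIN:
        signals.append("sent from non-corporate domain")

    text = mail.subject + " " + mail.body
    requests_change = bool(PAYROLL_CHANGE.search(text))
    if requests_change:
        signals.append("requests a payroll or banking change")
    if URGENCY.search(text):
        signals.append("pressure wording")
    if PHONE_IN_BODY.search(mail.body):
        signals.append("phone number supplied in email (must not be used)")

    return {
        "signals": signals,
        # Policy from the article: every such change is verified by a second
        # channel, regardless of how convincing the email looks.
        "requires_verification": requests_change,
        # High risk when the change request carries any other warning sign.
        "high_risk": requests_change and len(signals) > 1,
        # Callback number comes only from the directory, never from the mail.
        "callback_number": entry["phone"] if entry else None,
    }


if __name__ == "__main__":
    spoof = Email(
        "Jane Doe", "jane.doe.ceo@gmail.com", "Quick favour",
        "Can you update my direct deposit to a new account today? "
        "Call me on +1 555 0199 if anything is unclear.",
    )
    for key, value in screen_request(spoof).items():
        print(f"{key}: {value}")
```

The function deliberately never returns the number found in the email body; if the display name is unknown to the directory it returns no callback number at all, which forces the payroll clerk to look the person up rather than reply to the message.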
The role of data brokers
The shadowy activities of data brokers have usually allowed them to keep a very low public profile. But those activities are now becoming ever more important to the people running business email compromise scams and CEO fraud. The role of data brokers in supplying scammers with information on high profile business people, including those targeted in this type of CEO fraud, is attracting the attention of regulators, especially in the EU. It has become apparent that the activities of data brokers may contravene the new General Data Protection Regulation (GDPR), which prohibits companies from taking advantage of consumers who may not be aware that their personal data is being harvested and manipulated. It is this data that makes the spear phishing attacks possible: it provides the starting point for a profile that is then further bolstered by open source research.
The insurance issue
What makes these attacks potentially even more devastating are the insurance implications.
In the words of Bastable: “These socially-engineered attacks are devastating because the spoof emails have all the appearances of being real, and the victims voluntarily hand over the money. Why would the insurance company cover the loss?”
It has become clear that the role of data brokers in providing information to those who intend to commit CEO fraud and other sorts of spear phishing attacks is becoming problematic. Regulators, not only in the EU but further afield, are paying close attention to the use and sale of personal data. At the same time, companies need to put in place the checks and balances required to mitigate the effects of this type of malicious threat to information security.