This sponsored post is produced in association with Centrify.
This past February, communications-app maker Snapchat posted a public apology to its employees on its blog, stating that it had fallen victim to an increasingly common email scam which resulted in its payroll department sending employee-payroll information to cybercriminals. Employees were notified and offered two free years of identity theft-protection services.
In June 2015, network-hardware maker Ubiquiti Networks fell victim to a similar email scam, which resulted in $46.7 million of funds being transferred to cybercriminals. The company was able to recover about $8 million and hoped to recover nearly $7 million more through legal means.
And this past January, Belgian banking firm Crelan announced that it lost 70 million euro (which, at that time, equated to approximately $76 million US) to a similar email scam. The funds were discovered to be missing after an internal audit.
What’s going on?
The stakes have grown immensely. Cyberthieves have switched from targeting individuals with emails phishing for passwords and money to using email to dupe businesses and corporations out of sensitive data and large sums of money.
These black hats are using what’s called “business email compromise” (BEC), which usually spoofs an email message from a C-suite exec to the finance department requesting an urgent wire transfer or check to an outside client or vendor. The scam is also often referred to as “CEO Fraud,” because, according to a Trend Micro post this past June, the CEO is in the position most commonly impersonated (31 percent of the time).
Just how big is the BEC problem? In June, the FBI issued a public-service announcement with figures from its Internet Crime Complaint Center (IC3) revealing that there have been 22,143 victims across all 50 states and over 100 countries reporting financial losses of more than $3 billion. The announcement also indicates that “fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong,” so there’s not one main source for this scam (as we saw with early email scams targeting individuals often coming from Nigeria).
The IC3 highlights five main scenarios for the BEC scam:
- “Business working with a foreign supplier,” also often known as the “the bogus invoice scheme”
- “Business [executive] receiving or initiating a request for a wire transfer,” where an executive’s email account has been spoofed or hacked
- “Business contacts receiving fraudulent correspondence through compromised email,” with an employee’s email being spoofed or hacked
- “Business executive and attorney impersonation,” where an executive or attorney is impersonated in a phone call or email
- “Data theft,” which is a newer addition to the list that elicits sensitive internal data, such as employee W-2 tax forms or other personally identifiable information for employees and/or users
No one is immune from this scheme. The “Annual Payments Fraud and Control Survey” from the Association for Financial Professionals (AFP) this past March reported that a whopping 73 percent of all U.S. businesses experienced a payments fraud attack in 2015, up from 62 percent in 2014.
Even security experts get hit
Enterprise-security software company Centrify almost fell victim to the scam in February 2014. CEO Tom Kemp detailed in a blog post how the company’s vice president of finance received an email, seemingly from CFO Tim Steinkopf, which appeared to forward a request from Kemp for a nearly $360,000 wire transfer to be sent to an outside company. Luckily, the company had policies in place for wire-transfer approvals that stopped the scam in its tracks. Careful perusal of the email indicated that it came from a “centrilfy.com” domain (note the extra “L” in there that most people likely wouldn’t notice), showing the lengths to which some of these criminals will go to throw off potential victims.
Kemp provides some measures that companies can take to insulate themselves from BEC scammers trying to part them from their corporate funds:
1) Educate your employees about BEC and other schemes, so they’ll be on the lookout for suspicious requests and improper email addresses, such as messages seemingly from company executives with a domain name slightly different from the actual domain, or requests for wire transfers that route through a different “reply-to” email address (often a free webmail account, such as Gmail). Make sure your own people are your front line of defense.
2) Utilize multifactor authentication (such as Centrify’s own Identity Service product platform) for system logins and for access to critical apps within the company, to lessen the chance that scammers will compromise employee access to your network.
3) Enforce secondary approvals on wire transfers and major expenditures, perhaps with at least one of the approvals needing to be signed off in person.
4) Implement rules to ensure that any wire transfer is connected to a purchase order or other official documentation before it can be completed.
5) Monitor domain registrations to check if people or organizations are grabbing domain names similar to your own, which will lessen the chances that someone will spoof your company’s brand in such scams.
6) File complaints with the FBI’s IC3 if you have fallen victim or someone attempts to use a BEC scam on your company. This may help the FBI find and neutralize the perpetrators.
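Two of the red flags in steps 1 and 5 (a sender domain that is one character off from the real one, and a “reply-to” address pointing somewhere else) can be checked mechanically on incoming mail before it ever reaches the finance team. The script below is an added illustration written for this post, not Centrify’s code or any product feature; it assumes a trusted-domain list of your own (`centrify.com` is used only because the post discusses it) and uses constructed sample messages, including one with the “centrilfy.com” lookalike described above.

```python
import email
from email.utils import parseaddr

# Assumption: the organisation's own domain(s); replace with yours.
TRUSTED_DOMAINS = {"centrify.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits
    (insert, delete, substitute) needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Extract the lower-cased domain from a From:/Reply-To: header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> bool:
    """True when the domain is not trusted but is within a couple of edits
    of a trusted one (e.g. an inserted letter or a swapped character)."""
    if not domain or domain in trusted:
        return False
    return any(0 < edit_distance(domain, t) <= max_distance for t in trusted)


def check_message(raw: str, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings that should trigger an
    out-of-band verification step before any payment is actioned."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    findings = []
    if is_lookalike(from_domain, trusted):
        findings.append(f"lookalike sender domain: {from_domain}")
    if reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    return findings


# Constructed sample messages (not real mail).
LOOKALIKE_MSG = (
    "From: Tim Steinkopf <tim@centrilfy.com>\n"
    "To: finance@centrify.com\n"
    "Subject: Urgent wire transfer\n\n"
    "Please wire the funds today.\n"
)
REPLYTO_MSG = (
    "From: Tom Kemp <tom@centrify.com>\n"
    "Reply-To: tom.kemp@gmail.com\n"
    "To: finance@centrify.com\n"
    "Subject: Quick favour\n\n"
    "Can you process a payment for me?\n"
)
CLEAN_MSG = (
    "From: Tom Kemp <tom@centrify.com>\n"
    "To: finance@centrify.com\n"
    "Subject: Q3 budget\n\n"
    "See attached.\n"
)

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE_MSG), ("reply-to", REPLYTO_MSG), ("clean", CLEAN_MSG)]:
        print(name, "->", check_message(raw) or "no findings")
```

A finding here is a prompt for the secondary-approval step in item 3, not a verdict: the script deliberately flags a mismatched reply-to even when the sender domain is genuine, because a compromised executive mailbox (the second IC3 scenario) sends from the real domain.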
Kemp hosted a webinar on BEC and shared his firsthand account as a target of this scam and tips to avoid falling victim to it. Register and boost your company’s awareness of this growing problem before it becomes your own.
Sponsored posts are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact firstname.lastname@example.org.