The FBI has issued an alert, warning about a dramatic increase in CEO-fraud email scams: To the tune of a 270% increase.
This alarming global epidemic, otherwise known as “whaling,” involves attackers posing as a top company exec in order to trick employees into wiring funds to a scammer bank account—or releasing sensitive information, like W-2 tax forms. The FBI estimates that these scams have cost organizations more than $2.3 billion in losses over the past three years.
“The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney or trusted vendor,” the alert warns. “They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.”
Victims range from large corporations to tech companies to small businesses to non-profit organizations. Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments. From October 2013 through February 2016, law enforcement received reports from 17,642 victims. Law enforcement globally has received complaints from victims in every US state and in at least 79 countries.
Rohyt Belani, CEO and co-founder of PhishMe, said that even cybersecurity companies aren’t immune. PhishMe’s VP of finance received this exact type of CEO-fraud email scam last year, where an email appeared to be from Belani, requesting a wire transfer. In that case, the effort failed.
“Everyone in the security industry knows that the costs are likely higher [than the FBI’s $2.3 billion], as many cybercrimes go unreported every year,” Belani said. “This latest FBI warning, alongside spikes in ransomware attacks on several hospitals and businesses, and the catastrophic attacks on organizations such as Sony, the OPM and Target are making one thing incredibly clear—cybercriminals and nation-state attackers can easily slip past porous perimeter defenses with phishing emails to attack people’s inboxes directly; people who aren’t normally prepared to recognize these threats and help employers defend against attacks.”
Obviously, if employees are unsure of the legitimacy of a transfer request, they should contact IT and confirm verbally or outside of email with that executive or vendor for verification before proceeding.
Belani added, “we must remember to fortify employees as the final line of defense against these types of attacks by providing the proper conditioning needed to spot and report malicious emails. Not acknowledging employees as part of an organization’s security posture, is akin to not having the line of defenders standing between the soccer goal and the opposition when the latter is taking a free kick.”
Jonathan Sander, vice president at Lieberman Software, pointed out that leadership has a role to play too.
“There is a question of how much power employees have to cause damage, and there is also a question of how executives expect to be able to give directions,” he said. “In several of the cases where these fake CEO emails prompted employees to do the wrong thing, the first thing that occurred to me was that the employee should never have been able to simply email out so much data. The employee shouldn’t have been able to access that much data without some sort of oversight kicking in. The fact that a single employee, for any reason, could grab so much data and simply send it to anyone, regardless of who they think that person is, is a scary prospect when you stop to think about it.”