Email scams proving costly for businesses

Figures released by the FBI confirm that CEO email schemes are becoming more effective and more prevalent.

Over the past two years an email scam has cost businesses €1.8 billion globally, according to the United States of America’s Federal Bureau of Investigation (FBI).

The scam, known as either the business email compromise scheme or the CEO email scheme, sees criminals impersonate the email accounts of chief executives in order to convince employees with access to the company’s finances to transfer sums of money to bank accounts in Asia or Africa.

More than 12,000 businesses worldwide have been targeted by email scams between October 2013 and February 2016, according to figures released by the Internet Crime Complaint Centre. The centre is an intelligence and investigative group within the FBI that tracks computer crimes. The attacks cover 108 countries, targeting businesses both big and small, and the threat is growing.

The average loss from such an attack is €110,000, but some companies have been tricked into sending as much as €83 million. The attack usually follows this pattern:

1. criminals set up a fake email account in a company CEO’s name or phish their genuine account;

2. social media is checked to discover the best time to carry out the scam;

3. an employee receives an email from the CEO which looks authentic, preparing the grounds for the transfer;

4. fake emails and phone numbers for lawyers are set up to support the scam;

5. the employee transfers the funds, potentially worth millions, to an account in Asia or Africa.

Once the money is transferred to these accounts it is as good as gone. In one instance of note, the FBI obtained a court order to seize funds held at Shanghai Pudong Development Bank but was told that the account had been closed and the funds transferred.

This type of scam often leaves the company with little or no protection. Medidata Solutions and AFGlobal both tried to use cyber insurance to cover email fraud but were unsuccessful. Policy coverage is more likely to be invoked if a company’s computer network is hacked than if an authorised transfer was made after a fraudster impersonated an executive using a deceptive email address.

Other companies have also tried to recover money from their banks, arguing that the bank should have questioned the transfer. However, banks are generally not required to make reimbursements if the transaction is made by an authorised person.

Such schemes may seem unsophisticated compared to complex hacking schemes, yet it is precisely these schemes that are most likely to sidestep the basic security strategies used by banks and their customers to minimise the risks associated with account takeovers. In traditional phishing scams the attackers interact with the victim’s bank directly, but in this scenario the victim is tricked into doing it for them.

To protect against such attacks, companies are advised to implement two-factor authentication policies for email and/or to establish separate communication channels, such as telephone calls, to verify significant transactions.
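The following is an added illustration, not code from the article or the FBI, of how a finance team could screen incoming payment requests against the attack pattern above and apply the telephone-verification advice. It flags a message whose display name matches a known executive but whose address is not theirs, a sender domain that merely looks like the company's, a Reply-To that diverts replies elsewhere, and payment language in the body; it then refuses to release a transfer above a threshold unless the call-back went to the number held on file rather than one quoted in the email (step 4 of the pattern). The company domain, executive directory, threshold and both sample messages are constructed assumptions.

```python
"""Added example (not the article's own): a defender-side screen for the
CEO email scheme plus an out-of-band call-back rule for large transfers.
All domains, people, numbers and messages below are constructed."""
from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher

# Assumed company directory: the only trusted source of executive
# addresses and call-back numbers. Numbers quoted inside an email are
# never used, because attackers set up their own "lawyer" phone lines.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": {"email": "jane.doe@example.com", "phone": "+353-1-555-0100"},
}
CALLBACK_THRESHOLD_EUR = 10_000   # assumed policy threshold for a call-back
LOOKALIKE_RATIO = 0.8             # assumed similarity cut-off for domains
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "urgent")


def sender_domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw):
    """Screen one raw message and return a list of warning reasons.

    An empty list means nothing about the sender or body resembled the
    CEO scheme; any entry means the mail must not drive a transfer."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = sender_domain(addr)
    reasons = []

    # Step 1 of the pattern: a fake account in the CEO's name.
    exec_entry = EXECUTIVES.get(name.strip().lower())
    if exec_entry and addr.lower() != exec_entry["email"]:
        reasons.append("display name matches an executive but address is not theirs")

    # Deceptive lookalike domain (e.g. a digit swapped for a letter).
    if domain and domain != COMPANY_DOMAIN:
        ratio = SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio()
        if ratio >= LOOKALIKE_RATIO:
            reasons.append(f"lookalike domain {domain!r}")

    # Replies silently routed to a third address.
    if reply_addr and reply_addr.lower() != addr.lower():
        reasons.append("Reply-To differs from From")

    # Step 3 of the pattern: the mail prepares the ground for a transfer.
    body = msg.get_payload().lower()
    if any(word in body for word in PAYMENT_WORDS):
        reasons.append("payment language in body")
    return reasons


def transfer_allowed(amount_eur, requester_name, callback_number_used):
    """Apply the article's advice: significant transfers need a telephone
    check, and the call must go to the number on file for the requester."""
    if amount_eur < CALLBACK_THRESHOLD_EUR:
        return True, "below call-back threshold"
    entry = EXECUTIVES.get(requester_name.strip().lower())
    if entry is None:
        return False, "requester is not a known executive"
    if callback_number_used != entry["phone"]:
        return False, "call-back was not made to the number on file"
    return True, "verified by call-back to number on file"


# Constructed sample: lookalike domain, diverted Reply-To, urgent wire request.
SCAM_MAIL = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail.example.net
To: finance@example.com
Subject: Confidential

Please wire the 50,000 EUR payment today. Urgent and confidential.
"""

# Constructed sample: genuine executive address, no payment language.
LEGIT_MAIL = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board minutes

Attached are the minutes from Tuesday.
"""

if __name__ == "__main__":
    for label, mail in (("scam", SCAM_MAIL), ("legit", LEGIT_MAIL)):
        print(label, assess_message(mail) or "no warnings")
    print(transfer_allowed(50_000, "Jane Doe", "+353-1-555-0199"))
    print(transfer_allowed(50_000, "Jane Doe", "+353-1-555-0100"))
```

The screen is deliberately conservative: one warning is enough to stop the mail being used as authority for a payment, and the call-back rule ignores any number supplied in the message itself.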
