Protect Your Company from “CEO Fraud”

Matt Bauer | Business Insurance, Cyber Security

Remember the e-mails claiming you’d won the Nigerian lottery, full of misspellings and bad grammar, and requesting your bank account information so funds could be wired?  Those amateur e-mail scams are a thing of the past.  A new, rapidly growing and far more sophisticated threat is targeting businesses worldwide, and it has already cost more than 7,000 companies in the U.S. over $740 million since 2013.

Business e-mail compromise (BEC), also known as “CEO fraud,” is a financial scam that targets companies of all sizes that use wire transfers to pay foreign suppliers.  “CEO fraud” usually takes place when legitimate business e-mail accounts are compromised through social engineering or computer intrusion techniques.  According to the FBI’s Internet Crime Complaint Center (IC3), there has been a 270% increase in BEC victims since the beginning of 2015.  A majority of the reported fraudulent transfers have gone to Asian banks in China and Hong Kong.

A recent example outlined by the FBI occurred when the accountant of a U.S. company received an e-mail from her CEO, who was travelling abroad on vacation, asking her to transfer funds for an important acquisition by the end of the day.  This wasn’t an unusual request and the e-mail said the accountant would hear from a lawyer with further details.  The lawyer got in touch via e-mail and sent what appeared to be a legitimate letter of authorization with the CEO’s signature and the company logo, with instructions to wire more than $737,000 to a bank in China.  The accountant wired the money but was shocked when she talked to her CEO on another matter the next day and mentioned everything had gone through, as the CEO knew nothing about the request.

So how can you ensure your company doesn’t become a victim of “CEO fraud”?

  • Use multiple means of communication to verify that a requested transfer is legitimate.  For example, if the request came by e-mail, phone the person who sent it to verbally validate it.  Be sure to use known phone numbers associated with that person rather than whatever is included in the e-mail.
  • Consider implementing an approval process for large payments that requires two executives to sign off on large wire transfers.
  • Be suspicious of requests that urge immediate action or secrecy.  Consider holding customer requests for international wire transfers for an additional time period to validate their legitimacy.
  • Carefully review and scrutinize all requests for transfers of funds that are received by e-mail.  Look for red flags, like a slightly different configuration of an e-mail domain; e.g., an address ending in .co instead of .com, or an address that uses a hyphen instead of an underscore, like legit-company.com versus legit_company.com.
  • Be careful about posting financial and personnel information to your company’s website and social media.  For instance, listing international conferences your senior leaders will be attending tells a scammer exactly when those leaders will be away and hard to reach, which is an opportune time to attempt the fraud.
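The “slightly different domain” red flag above can be checked mechanically before a payment request reaches a person.  The following is an added example, not code from the original article: it classifies the sender domain of an incoming message as trusted, a lookalike of a trusted domain (swapped TLD such as .co for .com, hyphen/underscore/dot changes, digit-for-letter substitutions, or a one- or two-character edit), or unknown.  The trusted domain list and the sample addresses are constructed for illustration.

```python
"""Flag sender domains that are near-miss lookalikes of trusted domains.

Added example, not from the original article.  TRUSTED_DOMAINS and the
sample addresses in demo() are constructed for illustration only.
"""
import re

# Domains the finance team legitimately corresponds with (constructed sample).
TRUSTED_DOMAINS = {"legit-company.com", "acme-supplier.com"}


def _normalize(label: str) -> str:
    """Collapse separators and common digit-for-letter swaps (0->o, 1->l)
    so that lookalikes compare equal to the genuine label."""
    label = re.sub(r"[-_.]", "", label.lower())
    return label.translate(str.maketrans("01", "ol"))


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an e-mail address.
    Accepts bare addresses and 'Display Name <user@domain>' forms."""
    domain = address.rsplit("@", 1)[-1].strip("> ").lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    name = domain.rpartition(".")[0]  # registrable label without the TLD
    for trusted in TRUSTED_DOMAINS:
        # Same name, different TLD or separators: legit-company.co, legit_company.com
        if _normalize(name) == _normalize(trusted.rpartition(".")[0]):
            return "lookalike"
        # Small edits to the whole domain: legit-cornpany.com and similar
        if _edit_distance(_normalize(domain), _normalize(trusted)) <= 2:
            return "lookalike"
    return "unknown"


def demo() -> dict:
    """Classify a few constructed sender addresses; returns {address: verdict}."""
    samples = ["ceo@legit-company.com", "CEO <ceo@legit-company.co>",
               "ceo@legit_company.com", "cfo@acme-supp1ier.com", "someone@example.org"]
    return {s: classify_sender(s) for s in samples}


if __name__ == "__main__":
    for addr, verdict in demo().items():
        print(f"{verdict:9s} {addr}")
```

A "lookalike" verdict should route the message to the out-of-band verification step described above rather than to the person who approves payments.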

With the right knowledge, checks and balances, and scrutiny, you are less likely to fall victim to a BEC scam.  However, if your company is impacted, act quickly!  Immediately work with your financial institution to contact the financial institution where the fraudulent transfer was sent, then contact the FBI and file a complaint with the IC3.

Matt Bauer

President

mbauer@srfm.com