The name “CEO Fraud” isn’t as on the nose as one could hope, but it’s a lot easier to say than “C-Level/ Executive Team/ Finance Department/ Really Anyone with the Ability to Wire Funds Scam”. The FBI opts to call the scheme “Business Email Compromise” (or “BEC”) and defines it as a “sophisticated scam in which a criminal actor uses email to impersonate a business executive or other employee to request fraudulent payments.” They’re quick to point out that the scam goes beyond wire transfers, as efforts to obtain employee payroll information (which includes a lot of personally identifiable information) are now common. The latter, in theory, is just as or more valuable as a wire transfer, as the information can be sold on the dark web.

In July of 2018, the FBI released a Public Service Announcement about Business Email Compromise. The FBI has noted that the scam has been reported in all 50 states and in 150 countries, and the losses are growing as an alarming rate, increasing 1,300% since 2015. The FBI estimates that US businesses have lost billions of dollars to BEC / CEO Fraud.

In an interview with The Washington Post, FBI Assistant Director Scott Smith explained specifically what scammers are doing to successfully pull off their scheme, which included reviewing SEC records and the company websites for the correct C-Level person to target, pulling annual reports to learn what companies the target does business with to impersonate the vendor, and registering domains that are similar to the target’s company name. In short, the scammers are evolving, and with their success, it’s unlikely this scam will wind down anytime soon.

While you can’t prevent being targeted, you can prevent being a victim. Here are some tips:

Educate, Educate, Educate: There is no such thing are too much user training around cyber security. Update your team on common threats, the red flags they should look for in emails, and ensure they’re clear on the processes if they believe they were compromised.

Engage a Third Party to Test Your Staff: Matsco recommends annual phishing campaigns (and subsequent training) for all companies, and more frequently for companies that are frequent targets.

Review & Improve Your Risks / Exposure: this may include removing the staff’s bios on your website, creating a social media policy that requires private accounts (including hiding your connections on LinkedIn), and identifying the employees who are most susceptible to falling victim to phishing emails or social engineering, and providing individual coaching.

Review & Strengthen Your Wire Transfer Processes: this includes calling the vendor who requested a change to their bank, verifying internal requests in person, implementing two factor authentication, and ensuring there are two parties responsible for wires (one to set them up, one to approve them).

Beef Up Your Technology: consider adding a banner on emails from outside your organization, require two factor authentication for logging into email, and check the settings of your email spam provider as most have phishing add-ons / CEO Fraud settings. 

There are five main scenarios the FBI has compiled by which the BEC / CEO Fraud is perpetrated, which you should be sure to review with your team:

# 1: Business Working with an International Supplier
A business that typically has a longstanding relationship with a supplier is requested to wire funds for an invoice payment to an alternate, fraudulent account.

# 2: Business Executive Receiving or Initiating a Request for a Wire Transfer
The email accounts of C-Level targets are compromised, including spoofing or hacking the account. A request for a wire transfer from the C-Level account is made to a second employee within the company who is typically responsible for processing these requests. Note: the FBI refers to this specific scenario as “CEO Fraud”, though the name now encompasses general business email fraud.

# 3: Business Contacts Receiving Fraudulent Correspondence through Compromised E-mail
An employee’s personal e-mail hacked and requests for invoice payments to fraudster-controlled bank accounts are sent to multiple vendors.

# 4: Business Executive and Attorney Impersonation
Victims are contacted by fraudsters who identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters.

# 5: Data Theft
Fraudulent requests are sent utilizing a C-Level compromised email account, but instead of wires, they are seeking personally identifiable information. Typically, human resources, bookkeeping, or auditing departments have been targeted through the compromised C-Level email account.