Chances are your CEO isn’t a fraud. But the email in your inbox that looks like it is from your CEO really might be.
The FBI calls this cyber threat “business email compromise.” Others call it “CEO fraud.” A single incident can cost a small company tens of thousands of dollars. As cyber security experts, we see more of it every day. The worst part is that your company’s computer security can be the best there is and still fall prey to this threat. This effective, lucrative scam requires neither a vulnerability in your computer network nor any technical skill on the criminal’s part.
Business Email Compromise Explained
The most frequent fraud we are seeing right now is an email that looks like it is from the CEO to the CFO or controller of the company, requesting a wire transfer. The request can be for large amounts, such as $12,000, $38,000, $75,000 or more.
Often, the email will say it is for a highly confidential acquisition or for equipment that is needed for a rush job. The cybercriminals behind the email do their research. They are often able to find out the industry and organizational structure of the company, so they can email the appropriate person with a very believable story.
Another popular tactic is for a criminal to send an email pretending to be from an existing vendor, stating that the vendor has changed banks. The scam email contains new wiring instructions that go to the criminal’s bank account. Seriously, this scam cost one company nearly $40 million.
Business Email Compromise Tips
Unfortunately, there aren’t many technical solutions that can sniff out this kind of threat. The best protection is education and awareness. Just by reading this blog post you are arming yourself. But getting everyone to read, understand and be on the lookout for this scam is tough, so we have a few more suggestions:
- Configure your email system to flag inbound email that claims to be from your domain but isn’t. Mail that arrives from outside your organization yet carries your own domain in the From address is tagged as “spoofed,” alerting your users to treat it with suspicion. (If you are an Intrust IT full-service client on Office 365, this has already been done for you.)
- Conduct cyber security training for your employees. (If you are an Intrust IT full-service client, we have free training we will conduct for you, just let your account manager know.)
- Set up regular “phish testing” of your employees. This is where you send your employees simulated phishing emails. If anyone clicks a link in a phishing test email, that employee is auto-enrolled in online security training. (Intrust IT offers this service as well.)
- Make sure you have secure communication channels other than email. Instant messaging like Skype for Business, an intranet like SharePoint, or a corporate social network like Yammer lets employees verify a request through a channel other than the email itself. If you use Office 365 you probably already have rights to all three of these. Intrust can get them set up and show you how to use them.
For more information on how you can use mail rules in Office 365 to tag and alert you to emails with spoofed senders, continue reading here.
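As an added illustration of the first suggestion above (this is example code, not Intrust IT’s own configuration), the following Exchange Online PowerShell creates a mail flow rule that tags inbound messages whose From address uses your own domain but which did not originate inside your tenant. It assumes the ExchangeOnlineManagement module is installed, that you sign in as an Exchange administrator, and that `example.com` is a placeholder for your accepted domain.

```powershell
# Added example: tag external mail that claims to come from our own domain.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

$OurDomain = 'example.com'   # placeholder: replace with your accepted domain

# Condition: sender domain is ours AND the message came from outside the tenant.
# Actions: prepend a warning to the subject and stamp a header that other
# filters, reports or search queries can key on.
New-TransportRule -Name 'Tag external mail spoofing our domain' `
    -SenderDomainIs $OurDomain `
    -FromScope NotInOrganization `
    -PrependSubject '[SPOOFED SENDER?] ' `
    -SetHeaderName 'X-Spoofed-Sender' -SetHeaderValue 'true' `
    -Comments 'Flags CEO-fraud style messages that claim to come from our own domain.'

# Verify the rule exists, is enabled, and has the conditions we expect.
Get-TransportRule -Identity 'Tag external mail spoofing our domain' |
    Format-List Name, State, SenderDomainIs, FromScope, PrependSubject
```

Legitimate third-party services that send on your behalf (marketing or ticketing platforms, for example) will also be tagged by this rule, so either exempt their sending ranges with -ExceptIfSenderIpRanges or, better, authorize them properly in your domain’s SPF and DKIM records.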