The con-in-the-email

Companies around the world are losing millions of dollars a year to scammers posing as CEOs or CFOs over email.

In June 2015, Ubiquiti Networks, a San Jose, Calif.-based manufacturer of wireless data communication products, disclosed in a quarterly SEC filing that it had been the victim of a US$46.7-million criminal fraud commonly referred to as CEO fraud, bogus boss fraud, whaling, the man-in-the-email scam or business email compromise (BEC).

“The incident involved employee impersonation and fraudulent requests from an outside entity targeting the company’s finance department,” Ubiquiti wrote in its 8-K form. “This fraud resulted in transfers of funds … held by a company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.”

Robert Pera, founder and CEO of Ubiquiti, didn’t disclose details of the scam. The company did say, however, that it anticipated recouping about US$15 million and was working with the FBI to regain more than that amount.

The type of con inflicted on Ubiquiti was no isolated event. In June, the FBI released a public advisory warning of a dramatic increase in BEC scams. It noted that “the scam has been reported by victims in all 50 states and in 100 countries.” From October 2013 to May 2016, law enforcement received reports from 22,143 victims. This amounted to nearly US$3.1 billion in losses. Since January 2015, the FBI has seen a 1,300% increase in identified exposed losses.

In November 2015, a CBC News investigation said Canadians were losing hundreds of millions of dollars a year to BEC scams. “It came on the scene in a massive way, from virtually nothing to $19 million in 2014,” Daniel Williams of the Canadian Anti-Fraud Centre (CAFC) told CBC News. “Research by the CAFC and police suggests that less than 3% of these email scams ever gets reported, meaning the incidents and the losses are probably much higher. Most probably in the range of $500 million to $1 billion.”

The con starts with an email that appears to be from the boss of a company to a member of the finance department, asking him or her to make a transfer of funds. “Once the finance person replies, the emailer employs confidence tricks to get them to transfer a large sum of money into another bank account,” says Irish IT consultant Richard Greenane. “It is simple but very effective.” One ruse, he said, might involve telling the finance department to expect a call from someone with details of the transaction. Of course the call is bogus too.

The sophisticated scam is typically perpetrated on businesses “working with foreign suppliers and/or businesses that regularly perform wire transfer payments,” the FBI said. The fraudulent wire transfer payments sent to foreign banks are often transferred several times but are quickly dispersed. “Banks in China and Hong Kong are the most commonly reported ending destination for these fraudulent transfers.”

Since its inception, the scam has evolved from criminals posing as a CEO or CFO to “include emails from criminals posing as lawyers, asking them to make immediate wire transfers for time-sensitive transactions,” the bureau added.

Victims are reluctant to detail how they were scammed, but it’s apparent, from the limited information that disclosure regulations require them to provide, that Ubiquiti was by no means the only business to suffer a substantial BEC loss.

Early this year, FACC Operations GmbH, an Austrian company that produces airplane parts for companies such as Airbus and Boeing, announced a cyber-incident during which cyber-fraudsters managed to steal about €50 million from its bank accounts, reported. The company only said that it was a “victim of a crime act using communication and information technologies” that targeted its financial accounting department. Most of the money, it was later revealed, was siphoned to bank accounts in Slovakia and Asia.

In May, FACC announced it had fired its long-time CEO, Walter Stephan, as a result of the company having been scammed, which it said totalled €52.8 million, of which €10.9 million had been recovered as of that date (it had previously fired its CFO). The BEC attack had serious repercussions for FACC, which “reported total losses of €23.4 million for the whole financial year,” the website reported. “A big chunk in this was the €40.9 million loss from the online scam incident.”

After FACC came forward as a BEC victim, Belgian Bank Crelan, Crédit Agricole’s Belgian subsidiary, announced that it, too, had lost more than €70 million to the scam.

How can fraudsters pull off these scams? There are likely two reasons: they employ social engineering techniques and conduct extensive research on target companies, so they know whom to contact and how to speak the language of the firm; and they exploit the tendency of employees to respond, often without thinking, to a request they believe has come from a CEO or CFO.

“Why are social engineering attacks so successful? It isn’t because people are stupid or lack common sense. But we, as human beings, are all vulnerable to being deceived because people can misplace their trust if manipulated in certain ways,” Kevin Mitnick, a former hacker who now works as a security consultant, wrote in his book The Art of Deception — Controlling the Human Element of Security. “The social engineer anticipates suspicion and resistance, and he’s always prepared to turn distrust into trust. A good social engineer plans his attack like a chess game, anticipating the questions his target might ask so he can be ready with the proper answers.”

One of the most common social engineering tactics is to use the phone and flatter, cajole or intimidate a victim into providing information such as a company’s passwords.

Vice magazine interviewed such a person, whom it referred to as “Ghost.” He explained that a lot of social engineering happens over the phone. “People will give away their lives without thinking because someone on the other line has asked what type of antivirus you use. You should never give away anything over the phone.”

According to Ghost, the most effective hacker strategy is to establish rapport with the target, especially by using humour. “If you can make someone laugh within 30 seconds, I’ve already shattered several barriers,” he said.

Prior to the first calculated call, often directed at the receptionist (who is typically helpful to callers), he develops a profile of his victim. He gets the target’s name, without identifying himself. He then searches social media to learn as much about the person as possible, information then used to develop rapport with his victim. As an example, he found through social media sites that a woman he was targeting liked the show Dexter. “This kind of stuff makes it easier for me to start planning how to chat her up,” he said.

Typically, the people targeted by BEC scammers are using open source email and are responsible for handling wire transfers within a specific business, according to the FBI.

Protecting a business from BEC fraud starts with the most obvious undertaking: educating everyone in a company, at all levels of employment, about how social engineers operate. Training sessions should be repeated on an annual basis and should be part of the orientation of any new hires. As passwords are gold to BEC fraudsters, consider forbidding employees, under any circumstance, from sharing a password over the phone or by email, especially the latter. Any password exchange should be handled in person or only after rigorous verification of the legitimacy of the requester.

Equally important is the implementation of effective controls to verify incoming cheques and to ensure proper clearance procedures have been followed before any funds are transferred by wire. The controls have no meaning, however, if the culture of a firm allows senior executives to override them. Social engineers prey on this weakness in a system. If they learn that certain CEOs are known to intimidate staff into jumping at their commands, they are more likely to target the companies where that culture exists.

Although this might run contrary to existing practices, a firm should also consider reducing its reliance on email for all financial transactions. If email must be used, Chubb Ltd. suggests establishing call-back procedures with clients and vendors for all outgoing fund transfers to a previously established phone number or implementing a customer verification system with similar dual authentication.
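As an added illustration (not code from the article, Chubb or any firm it names), here is how the controls just described translate into a payables check: the call-back must reach the phone number captured when the vendor was set up, never a number supplied in the email, and two people other than the person making the request must sign off, so an executive cannot override the control on their own request. The vendor record and the two requests are constructed samples.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VendorRecord:
    """Payee details captured at onboarding, before any payment request arrives."""
    name: str
    account: str
    callback_phone: str

@dataclass(frozen=True)
class TransferRequest:
    """What the incoming email asks for (constructed fields, not a real message format)."""
    requester: str        # executive or employee the email claims to come from
    vendor: str
    amount_usd: float
    account: str          # destination account named in the email
    phone_in_email: str   # number the email says to call to "confirm" the transfer

# Constructed sample directory; in practice this lives in the payables/ERP system.
VENDOR_DIRECTORY = {
    "Acme Components": VendorRecord("Acme Components", "HK-1234-5678", "+852-5550-0101"),
}

def authorize_transfer(req, directory, callback_reached, approvers):
    """Return (approved, reason) after applying the three controls described above.

    callback_reached: the number finance actually dialled and got confirmation from.
    approvers: people who signed off on the transfer.
    """
    vendor = directory.get(req.vendor)
    if vendor is None:
        return False, "vendor not on file"
    if req.account != vendor.account:
        return False, "destination account differs from the account on file"
    # Control 1: the call-back goes only to the previously established number;
    # req.phone_in_email is deliberately never consulted.
    if callback_reached != vendor.callback_phone:
        return False, "call-back did not go to the previously established number"
    # Controls 2 and 3: dual authorization, and the requester cannot count as an
    # approver, so a senior executive cannot override the check on their own request.
    if len(set(approvers) - {req.requester}) < 2:
        return False, "two approvers other than the requester are required"
    return True, "approved"

# Constructed sample requests: a routine payment and a "pay this new account now" email.
LEGIT = TransferRequest("CFO", "Acme Components", 12_000.0, "HK-1234-5678", "+852-5550-0101")
SCAM = TransferRequest("CEO", "Acme Components", 2_000_000.0, "HK-9999-0000", "+852-5550-9999")
```

The second request is rejected on the account mismatch alone; even if the account had matched, a clerk who dialled the number printed in the email instead of the one on file would still be stopped by the call-back check.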

A company should also consider conducting an assessment of its vulnerability to a BEC attack. Preferably, this should be handled by a reputable firm or individual retained to launch a social engineering attack on the company without the knowledge of any but a few senior managers. The results could be reassuring or provide stark evidence of how easily someone could compromise the company’s security.

If the proper training and controls are in place, and enforced, it will make it much harder for hackers to have a ghost of a chance at pulling off a BEC scam.