Finance faces off with business email compromise
A sophisticated and costly scam takes direct aim at finance departments.
Cybercriminals are ratcheting up a fraudulent email scam aimed directly at finance departments and financial decision-makers with unprecedented sophistication, costing global businesses billions of dollars.
Business email compromise (BEC), also known as CEO or invoice fraud, is a complex, multilayered fraud operated by transnational organised crime groups employing lawyers, linguists, hackers, and social engineers that the US Federal Bureau of Investigation says has been reported in 150 countries.
Among the most common schemes are staff receiving an urgent email from the CFO or CEO, often sent while the executive is travelling and unavailable to answer the phone, demanding an immediate wire transfer for a “secret” project; forged invoices from legitimate suppliers that provide fraudulent payment account details; and intercepting or diverting legitimate payments by convincing staff to change payment bank accounts.
As of mid-2018, the FBI estimated global losses to BEC to be $12.5 billion with almost 79,000 international companies reporting losses between when the FBI began tracking the scam in October 2013 and May 2018.
“This could be a massive problem for businesses,” said Tony Neate, chief executive of Get Safe Online, a government and private-sector partnership based in the UK that offers information and training on cybersecurity.
BEC is a burgeoning plague. Get Safe Online and Lloyds Bank estimate that 53% of UK businesses have experienced BEC or invoice fraud, a 58% jump in just the last year. The FBI noted a 136% reported increase in identified global losses between December 2016 and May 2018.
But that may only be a fraction of the true scope of the problem, according to one expert researcher.
“We believe it’s much larger than that and that the rate of fraud is escalating,” said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, who works with law enforcement agencies and companies to track and monitor international cybercriminals. “But many of these crimes never get reported to the FBI because, unfortunately, there’s still, in every aspect of cybercrime, a dramatic underreporting problem.”
Experts suggest that the problem will only get worse — and more expensive — in coming years, and finance departments are square in cybercriminals’ crosshairs: One cybercriminal gang alone was found to have the contact information of more than 50,000 financial executives in their potential target database, according to email security company Agari Inc.
So what is business email compromise and what can finance professionals do to protect themselves and mitigate the risk of a devastating loss?
An act of deception
On the simplest level, BEC is someone impersonating an authority figure or vendor and sending emails asking finance staff for fraudulent payments.
On a more nuanced level, BEC is a targeted electronic surveillance operation that breaks into firms’ computer systems via malware and spyware. After criminals gain access to networks, they monitor internal communications for financial terms, sometimes for months, and identify key personnel at vulnerable moments to manipulate them into sending large sums of money into the criminals’ coffers.
“The goal of this malware is to monitor your email messages for financial terms,” Warner said. “Every time your machine that’s infected with malware receives an email containing financial terms, that email is forwarded to the BEC organisation, and they are saying that ‘I can use this as a template’.”
The cybercriminals can mimic the company’s invoices because they’ve often been intercepting them for months. They also have access to staff travel schedules and calendars and know who in the organisation is authorised to make payments. Because cybercriminals are using such authentic-seeming forgeries and have such detailed information about the organisational structure, they are able to pinpoint exact vulnerabilities and moments of opportunity, according to Warner.
Cybercriminals used that information to scam $21.5 million from French independent film group Pathé in March 2018 when they convinced the CEO of a Dutch subsidiary that the chief executive of the parent company needed four wire transfers for a “secret” acquisition in Dubai. The plot appears to have been timed to the CFO’s holiday. The CEO and CFO of the subsidiary subsequently both lost their jobs over the scam.
But that inside access to your company’s most sensitive data may not be the greatest danger.
Social engineering
Human fallibility and the power structure of the workplace pose the greatest BEC risk, according to Neate and Warner. Employees aren't actively looking for BEC red flags, and often don't recognise one when it does appear.
“I am a believer that people are the weakest link,” Neate said. “It’s not necessarily someone who is a criminal. It is someone, and I use this word advisedly, incompetent. They haven’t been trained up, and they don’t realise the consequences of their actions.”
Even when they do spot something that seems amiss, often they are too afraid to challenge what appears to be the CFO or CEO of their company out of fear of punishment or ridicule, according to Warner.
“The business weakness within the corporations that are targeted is the fear of authority,” he said. “The structure of authority that we often have is that if the CEO is speaking, how dare you raise your voice or challenge them.”
However, if finance departments are to mitigate the catastrophic risk of BEC, they’ll need to learn to identify the warning signs.
Red flags
BEC can be challenging to identify because of its very invasiveness and the intelligence that hackers are able to collect on victims. Forged documents, spoofed emails, and an intimate understanding of how targeted finance departments operate make outward signs of BEC difficult to spot. But there are warning signs, according to Neate and Warner.
Secret deals. Oftentimes, BEC scams will claim that the CEO or CFO needs a wire transfer for a deal that hasn’t been publicly announced yet. In Pathé’s case, the scammers claimed the money was needed for a secret acquisition in Dubai. The scammers often claim that speed and silence are necessary to maintain a competitive advantage.
Out-of-office demands. Scammers often have access to travel schedules and company calendars and make their approach when they know the CEO or CFO can’t be reached. The classic example is timing the emails to when the executive boards a long flight and can’t be reached for several hours.
Uncharacteristic changes. The scammers will often ask for current payment destinations to be changed or offer new account information in long-standing relationships as a way of diverting recurring payments.
Grammar errors. Cybercriminals are gaining proficiency at forgery and mimicking conversational language but still make errors in syntax and grammar. Pay close attention to phrases or language that seems uncharacteristic, particularly from regular correspondents.
Broken chain of command. Swindlers will often target employees who rarely, if ever, receive email from the CEO or CFO. Those employees, terrified of risking the boss’s wrath, will not ask questions and will act quickly to carry out their supposed orders. Raise the alarm if the request skips others in the decision-making process or falls outside of normal job duties.
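The red flags above lend themselves to a first-pass triage check. What follows is an added example written for this article, not code from the original piece or from any vendor's product: it parses a message with Python's standard email module, reports which of the listed warning signs it raises, and, in line with the article's advice to verify by phone using contact details on file, selects the callback number from a directory rather than from anything in the message. The company domain, executive names, approver list, phone directory and both sample messages are constructed for the example.

```python
"""Added example (not from the article or any product): triage an incoming
message against the BEC red flags and pick an out-of-band callback number.
All reference data and both sample messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data for the example.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "ravi patel"}             # CEO and CFO display names, lower-case
PAYMENT_APPROVERS = {"ap-manager@example.com"}      # who normally receives payment requests
PHONE_DIRECTORY = {"jane doe": "+44 20 7946 0001"}  # numbers on file, never taken from email

# Secret deals and out-of-office demands: urgency and secrecy language.
URGENCY_SECRECY = re.compile(
    r"\b(urgent|immediately|asap|confidential|secret|do not discuss|"
    r"can'?t be reached|on a flight|before i land)\b", re.I)
# Uncharacteristic changes: a new or changed payment destination.
BANK_CHANGE = re.compile(
    r"\b(new (?:bank|account) details|updated? (?:our )?bank|"
    r"change (?:of|the) (?:bank )?account|new iban)\b", re.I)
# Any payment request at all, used for the chain-of-command check.
PAYMENT_REQUEST = re.compile(r"\b(wire|transfer|payment|invoice|remit)\b", re.I)
# Phone numbers in international format with a leading + (assumption for the example).
PHONE = re.compile(r"\+\d[\d ]{8,}\d")


def triage(raw_message: str) -> dict:
    """Parse one plain-text RFC 5322 message and return the red flags it raises."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    recipients = {parseaddr(a)[1].lower() for a in msg.get("To", "").split(",")}
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"  # plain-text bodies only

    flags = []
    # Spoofing: an executive's display name on an address outside the company.
    if name.lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append("executive name on external address")
    if URGENCY_SECRECY.search(text):
        flags.append("urgency or secrecy language")
    if BANK_CHANGE.search(text):
        flags.append("request to change payment destination")
    # Broken chain of command: a payment request that bypasses the usual approvers.
    if PAYMENT_REQUEST.search(text) and not (recipients & PAYMENT_APPROVERS):
        flags.append("payment request sent outside the approval chain")
    return {"from": address, "flags": flags, "hold_payment": bool(flags)}


def callback_number(raw_message: str) -> dict:
    """Return the number to call back: always the one on file for the claimed sender.

    A number inside the message is never used for verification, because whoever
    forged the email can just as easily supply a phone that they answer. It is
    only reported so the reviewer knows the message tried to redirect the call.
    A result of None for "call" means no number is on file: escalate instead.
    """
    msg = message_from_string(raw_message)
    name, _ = parseaddr(msg.get("From", ""))
    on_file = PHONE_DIRECTORY.get(name.lower())
    in_message = PHONE.findall(msg.get_payload())
    return {"call": on_file,
            "message_supplied_different_number": any(n != on_file for n in in_message)}


# Constructed sample: the CEO-on-a-flight pattern with a redirected payment.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@example-corp-mail.com>
To: Sam Lee <sam.lee@example.com>
Subject: Urgent wire needed today

Sam, I am boarding a long flight and can't be reached for a few hours.
We are closing a confidential acquisition, so please wire 250,000 to the
new account details below before I land and do not discuss this with anyone.
Call me on +44 7700 900123 only if you cannot complete it today.
"""

# Constructed sample: a routine supplier reminder sent to the normal approver.
SAMPLE_LEGIT = """\
From: Accounts Receivable <billing@vendor-example.net>
To: ap-manager@example.com
Subject: Invoice 1042 is due on the 30th

Hello, a friendly reminder that invoice 1042 is due on the 30th.
Our remittance details are unchanged from previous invoices.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_LEGIT):
        print(triage(sample))
    print(callback_number(SAMPLE_BEC))
```

Keyword matching of this kind is only a first pass: it will not catch a message sent from a genuinely compromised executive mailbox, which is exactly the case the article's surveillance description covers. That is why the callback number comes from the directory regardless of what the message says, and why the documented payment process and out-of-band verification the article goes on to recommend are the controls that actually stop the loss.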
Mitigating BEC risk requires planning, communication, and training. The chances that your company will be approached with BEC scams are high, but a few relatively simple steps can go a long way.
Plan to be attacked. Training and open communication are key when it comes to combating BEC, said Katy Worobec, managing director of economic crime at the trade association UK Finance, in an email.
Finance departments should have rules and procedures in place before someone’s finger wavers over the send button, according to Worobec. Companies should “establish documented internal processes for requesting and authorising all payments and be suspicious of any request to make a payment outside of the company’s standard process”, she wrote.
Take a deep breath. If a BEC email does land on your desk, the first step should be to not do anything at all.
“It’s vital that all employees are trained to identify potentially fraudulent transactions,” Worobec said in her email, offering UK Finance’s Take Five to Stop Fraud campaign as a blueprint for mitigating fraud. The Take Five campaign urges people to pause and carefully consider any request for financial information or payment before responding.
Criminals depend on a victim reacting quickly and emotionally, especially if they are worried about offending or angering a boss, and that reactivity can often cloud people’s judgement. Taking a moment allows for a healthy scepticism and gives people a chance to confer with one another.
Pick up the phone. Once a BEC red flag has been identified, the next step is to contact the supposed requester directly before taking any action. If the CFO appears to want a suspect wire transfer, wait until it can be verified in person or over the phone, even if it means risking an authority figure's ire, before pressing send.
No matter how much it may slow down the payment process, get voice verification of any suspect payment using a phone number already on file, never one supplied in the email itself: a scammer who forged the message can just as easily supply a number that they answer. A call to a known number is far harder for a fraudster to counterfeit than an email, and this simple step may save considerable time and money.
Create an open feedback culture. Silence equals risk. One incredibly effective way to mitigate BEC risk is to remove the fear of authority that employees may have, by encouraging employees to speak out when something appears suspicious, according to Neate and Warner.
“If someone sees a problem, I want them to shout out and look at it,” Neate said. “Then we sit down, we look at it, and we compare.”
“The bottom line is we have to help people understand that these kinds of requests that seem unusual need to be escalated back,” Warner said. “What we have to start building is a culture where that person is rewarded and praised for watching out for the wellbeing of the company.”
— Drew Adamek is an FM magazine senior editor. To comment on this article or to suggest an idea for another article, contact him at Andrew.Adamek@aicpa-cima.com.