Acuity ISSUE 17
01 December 2015 - Bernard Kellerman
Prepare yourself – a new breed of email scam is hurting finance teams and costing companies money.
Not long ago, email scams were fairly easy to spot. Usually it was a hard luck story from someone with an impressive title, in need of a small favour to secure fabulous but slightly illicit riches that were just out of reach.
Or, good news, you’d won millions in a lottery you’d never heard of.
Poor grammar and easily disproved facts were the hallmarks of such schemes.
Over the past couple of years, though, law enforcement agencies and advisory firms have been tracking the emergence of extremely sophisticated scams that target accountants and finance teams with requests for funds transfers that appear to be made by the CEO or CFO. These seem genuine at first glance – and companies are losing real money.
An accountant in a US firm had one such request earlier this year, apparently from her CEO who was out of the country.
“It was not unusual for me to receive emails requesting a transfer of funds,” the accountant later said about being contacted by her CEO about an acquisition.
The CEO’s email was followed by a lawyer’s email with a letter of authorisation attached. The accountant checked that it had her CEO’s signature over the company’s seal – and followed the instructions to wire more than US$737,000 to a bank in China.
The next day, when the CEO happened to call regarding another matter, the accountant mentioned that she had completed the wire transfer the day before. The CEO said he had never sent the email and knew nothing about the alleged acquisition.
The company accountant then reviewed the email thread. It had “.co” instead of “.com” in the CEO’s email address and she realised she had fallen for a business email compromise (BEC) attack, a form of financial fraud that is spreading rapidly.
From late 2013 to the third quarter of 2015, the FBI’s Internet Crime Complaint Center (IC3) recorded more than 7,000 US companies as BEC scam victims, with total dollar losses exceeding US$74m.
“The criminals have become experts at imitating invoices and accounts. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud,” says FBI Special Agent Maxwell Marker, who oversees one of the Bureau’s Transnational Organized Crime divisions.
Across the Pacific
While numbers are not as easily obtained, email scams are not confined to the USA, as the cybercrime partners at several Big Four accounting firms in Australia and New Zealand readily confirmed.
Chartered Accountants Australia and New Zealand says it is aware of a case in Australia that is almost a direct match to the US scam, with the accountant’s employer now threatening to sue her for the lost funds and refer the case to a professional standards review.
Richard Bergman, a partner with PwC in Australia, says his firm has investigated a number of such email-initiated frauds over the last few months, which crossed a range of different industry sectors.
“We’ve seen emails from CEOs or CFOs or senior government officials to finance team members asking them to either transfer money by a wire transfer or to pay a fraudulent invoice,” he says.
“We’ve recently investigated an ex-employee who sent fake invoices to his former colleagues that had a total value of several million dollars.”
Anu Nayar, lead cyber partner at Deloitte New Zealand, said his firm has also come across “quite a few” of these types of scams.
“I’m pleased to report that nearly all the time people have cottoned on, and have thought to verify first,” he says.
“But there have been at least two instances we’ve been made aware of where people have, unfortunately, processed the request – and in one scenario it amounted to a loss of just shy of NZ$100,000.”
He says that the emails seem highly targeted but, in reality, are usually only the result of some basic research as to who the chief executive of an organisation might be.
Marketing companies have lists which can be run through “scam engines” to send out a whole lot of automatically generated but original-looking emails.
In execution, the email scam is more like the old-style conjuring trick – relying on diversion and distraction rather than creating a perfect forgery.
“The scammers will try to choose peak times such as last thing Friday when people just want to get out of the office, or first thing Monday because that’s when finance teams are often dealing with a whole lot of transnational reporting requirements from different time zones that have come in over the weekend.”
The second type of scam is typically where the accounts payable or other finance team members are targeted, asking for payment of a fraudulent invoice.
It might come with the tone “hello I forgot to tell you to do… before I left for the weekend. It’s a simple request can you please process it?”
A variation, one which Bergman says indicates some level of knowledge of the organisation being targeted, occurs via text messages, along the lines of: “Hi John, this is Richard. We know you’re processing our regular payments today, but can you note that our bank account has changed to…”
The sniff test
Fundamentally, all of these scams play on human behaviour, with finance teams wanting to do the right thing by their CFO in a timely manner. To avoid being scammed, an element of common sense is required.
For starters, in most companies, it’s very unusual for a CEO to email the CFO or the finance team and ask them to wire transfer money to an account.
A request to wire transfer money to an account that is not an already known bank account should also set off alarm bells.
“If you don’t know the bank account, then you probably shouldn’t be making a payment at all,” says Bergman.
Ken Picard FCA, CFO at Chartered Accountants Australia and New Zealand, recently experienced firsthand an attempted BEC attack – one he’s happy to say went nowhere.
Picard received an email, purportedly from a fellow member of the senior executive team, asking him to “help out” a lawyer who was going to contact him.
“I don’t get those sorts of requests from colleagues very often, and certainly not without some sort of explanation or background as to why they’re making the request,” says Picard.
So Picard sent back another email asking for more details and context. The response was: “It’s for a project we’re working on. Can you just help them out, and then let me know.”
By this stage Picard was getting wary, so he called his colleague directly, and found that no emails had been sent by that executive. Picard then tried to get his IT section to trace the source of the emails but received only bounce-backs.
And then he received another email asking if he had sent “the €462,000 as requested?”
“And when I looked carefully at the email address, it was an otherwise correct address that had just been changed by one character,” he says.
He says there were plenty of other elements to the transaction to make him wary, but nothing beats calling the person who seems to have sent the email.
Picard advises all his fellow CFOs “to create an environment where staff can ask you questions”.
“And, in turn, if you as CFO cannot then front up to your CEO or managing director and say ‘hey, what’s going on?’ then you’re not doing your job.
“Understand your business and set controls accordingly. For instance, if you’re running a car dealership, selling cars for under A$15,000, then it would be unlikely you’d have a transaction for A$50,000,” says Picard.
This chimes with Bergman’s advice. He agrees that picking up the phone will kill most email scams, but ahead of that is strong education and awareness among finance team members, especially showing them how easy it is to spoof an email.
Companies are also likely to be targeted with an even more sophisticated scam, one where the finance team receives an email, apparently by mistake, from a competing bidder.
“Do not open it – it’s likely to contain malware,” warns PwC’s Bergman. “It won’t cost money, but you could lose all your confidential data relating to the transaction.”
Social re-engineering that spooks insurers
Deloitte’s Anu Nayar says that the problem is a human issue, one that is very much based on people’s innate trust of, and use of, technology.
“It’s only going to get worse as more and more people will go online and become more connected and more transact online. That merely increases the population of potential targets for online scammers and lowers the return on investment for scammers.”
It means insurance claims will continue to be problematic, as it will be difficult for any victims to prove that they were not the architect of their own downfall.
Businesses can insure against an intrusion or a cryptolocker – also known as ransomware – which may lock up data until a payment is extorted.
Email scams, though, are a different class of risk.
At a very finely argued technical level, the actual receipt of an email does not cost a company anything, unlike a hack into the operating system (which results in theft of clients’ financial data or a company’s intellectual property, along with loss of reputation).
And it’s this, along with the very sketchy – or non-existent – data on these types of losses, that has made insurance companies in the Australian and New Zealand markets very wary of offering email scam insurance.
Large brokers declined to discuss the matter, while mid-market brokers confirmed that none of the companies they dealt with offered “insurance against stupidity” as one put it rather bluntly.
How to avoid becoming a victim of a BEC scam
In October 2013, the FBI’s Internet Crime Complaint Center (IC3) began receiving complaints from businesses about trusted suppliers requesting wire transfers that turned out to be bogus, and ended up in banks overseas.
Since then, losses from “business email compromise” (BEC) scams have been mounting, and by August had topped US$1.2b worldwide, the crime-fighting agency says.
The following tips to businesses to avoid being victimised by BEC scams were provided by the IC3 and professional advisers in Australia and New Zealand:
- Verify any emailed changes to vendor payment details by two-factor authentication, such as phoning the person making the request and having a second person sign off.
- Where phone verification is part of two-factor authentication, use a previously known number, not the number provided in the email request.
- Be wary of relying on free, web-based email accounts, which are more susceptible to being hacked.
- Be careful when posting financial and personnel information to social media and company websites.
- For wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly. If in doubt, allow time to check the legitimacy of the request, no matter how urgent it might seem, even if it delays payment until the next day.
- Create IT system rules that flag or quarantine emails from domains that are similar to the company’s own email domain but not exactly the same, for example “.co” instead of “.com”.
- If possible, register all internet domains that are slightly different to your actual company domain.
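The kind of system rule described in the tips above can be expressed as a small sender-domain check. The following is an added example written for this article, not code from the IC3, PwC, Deloitte or any mail vendor: it treats a sender domain as a lookalike when it is within one edit of the company’s domain after folding confusable characters (the “.co” for “.com” and one-character-change cases in the story), or when it reuses the company name under a different top-level domain. The company domain and the message headers are constructed sample values.

```python
"""Flag inbound mail whose sender domain is a near-miss of the company's own.

Added example, not from the article. The company domain and the sample
messages are constructed values for demonstration only.
"""

# Constructed example value: the organisation's real email domain.
COMPANY_DOMAIN = "example-corp.com"

# Character swaps scammers use because they look alike in many fonts.
# Multi-character pairs come first so "rn" is folded before single chars.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def edit_distance(a, b):
    """Levenshtein distance: single-character insertions, deletions or
    substitutions needed to turn string a into string b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalise(domain):
    """Lowercase and fold confusable characters so 'examp1e' == 'example'."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def sender_domain(address):
    """Domain part of an address, lowercased; '' when the header is malformed."""
    if address.count("@") != 1:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def classify_sender(address, company_domain=COMPANY_DOMAIN, max_distance=1):
    """Return 'internal', 'lookalike', 'external' or 'malformed'.

    'lookalike' covers a domain within max_distance edits of the company
    domain after confusable folding, and a domain that reuses the company's
    first label under another top-level domain (example-corp.co, .net, ...).
    """
    domain = sender_domain(address)
    if not domain:
        return "malformed"
    if domain == company_domain or domain.endswith("." + company_domain):
        return "internal"
    company_label = company_domain.partition(".")[0]
    sender_label = domain.partition(".")[0]
    if normalise(sender_label) == normalise(company_label):
        return "lookalike"
    if edit_distance(normalise(domain), normalise(company_domain)) <= max_distance:
        return "lookalike"
    return "external"


def quarantine_queue(messages, company_domain=COMPANY_DOMAIN):
    """Return (sender, verdict) pairs a mail rule should hold for review."""
    held = []
    for msg in messages:
        verdict = classify_sender(msg["from"], company_domain)
        if verdict in ("lookalike", "malformed"):
            held.append((msg["from"], verdict))
    return held


# Constructed sample headers: two genuine internal senders, one supplier,
# and four lookalikes of the kinds described in the article.
SAMPLE_MESSAGES = [
    {"from": "ceo@example-corp.com", "subject": "Board pack"},
    {"from": "ceo@example-corp.co", "subject": "Urgent wire for acquisition"},
    {"from": "it@mail.example-corp.com", "subject": "Patch window"},
    {"from": "accounts@examp1e-corp.com", "subject": "Updated bank details"},
    {"from": "jane@example-c0rp.com", "subject": "Invoice 4471"},
    {"from": "supplier@acme-supplies.com", "subject": "Monthly statement"},
    {"from": "ceo@exanple-corp.com", "subject": "Can you help a lawyer out"},
]

if __name__ == "__main__":
    for sender, verdict in quarantine_queue(SAMPLE_MESSAGES):
        print(f"HOLD {sender}: {verdict}")
```

The rule is deliberately conservative: anything held is still delivered after a person confirms it by the known phone number, so a false positive costs a short delay while a miss costs a wire transfer. Widening `max_distance` to 2 catches more typosquats but will also hold unrelated short domains, so tune it against a sample of real inbound mail before deploying.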