We all know the email asking us to help someone (often foreign royalty) to move several million dollars – all we have to do is give them our bank account number, and they will share the money with us. Few people still fall for such a blatant fraud. However, a new twist on this fraud is now being played out in businesses, with surprising success.

The fraud works like this: an organization’s firewall is breached, usually through a phishing email attack (one where an unsuspecting employee opens an attachment that contains a program enabling access to the network). Once the attackers have access, they probe email mailboxes looking for a senior executive (usually the CEO) who routinely instructs the accountant to make payments. They then create and send an email from the CEO’s mailbox, instructing the accountant either to transfer money to a specific bank account or to expect a call from a “lawyer” who will give funds-transfer instructions. The email is written in the same style as the CEO’s legitimate emails, and usually says that this is a confidential transaction, so don’t discuss it with anyone else.

Once the funds are transferred, there is little the organization can do to get them back. Even their cyber-insurance (a relatively new type of coverage that addresses the risks associated with the use of Internet connected technology) may not cover this loss, as seen in two recent court cases in the U.S. (see this article).

Fortunately, sometimes the thieves don’t win. According to an article on CBC’s website this morning, Mattel (the makers of Barbie dolls) fell victim to this fraud, but was lucky enough to catch it in time and put a lock on the funds before the thieves could launder the money.

Cyber security is not just about building walls. Thieves in the Internet age are much more sophisticated than the run-of-the-mill hackers of yesteryear. The best way to combat these attacks is through education and awareness – and then setting up business processes that validate third-party payments.
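As an added illustration of what such a validation process can look like (example code written for this post, not anything described by Mattel, CBC or the court cases above), the following Python sketch models a payment-approval check. It assumes a hypothetical vendor register as the only source of bank details and callback numbers, a hypothetical second-approver threshold, and treats the cues the post mentions (a confidential transaction, an instruction not to discuss it) as reasons to require confirmation over a channel other than email.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed vendor register (hypothetical data). Bank details and the phone number
# used for callbacks come ONLY from here, never from the payment request itself.
VENDOR_REGISTER: Dict[str, Dict[str, str]] = {
    "acme-supplies": {"account": "CA-000-111-222", "callback_phone": "+1-555-0100"},
}

# Wording the post identifies as typical of the fraudulent instruction.
SOCIAL_ENGINEERING_CUES = ("confidential", "don't discuss", "do not discuss", "urgent")

SECOND_APPROVER_THRESHOLD = 10_000.00  # hypothetical policy value


@dataclass
class PaymentRequest:
    requester: str                  # who is instructing the payment (e.g. the CEO's mailbox)
    payee: str                      # vendor key as it appears in the register
    account: str                    # destination account stated in the request
    amount: float
    channel: str                    # "email", "erp", "in_person", ...
    message: str                    # free text accompanying the instruction
    second_approver: Optional[str] = None
    callback_confirmed_by: Optional[str] = None  # staff member who phoned the registered number


@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)   # blocking problems
    warnings: List[str] = field(default_factory=list)  # cues worth recording in the audit trail


def validate_payment(req: PaymentRequest) -> Decision:
    """Return a Decision; the payment may proceed only when no blocking reason remains."""
    d = Decision(approved=False)
    text = req.message.replace("\u2019", "'").lower()
    cues = [c for c in SOCIAL_ENGINEERING_CUES if c in text]
    if cues:
        d.warnings.append(f"message contains pressure/secrecy cues: {cues}")

    # The payee and its account must already be on record; a new or changed account
    # is handled by a separate vendor-update process, never by the payment itself.
    vendor = VENDOR_REGISTER.get(req.payee)
    if vendor is None:
        d.reasons.append("payee is not in the vendor register")
    elif vendor["account"] != req.account:
        d.reasons.append("destination account differs from the registered account")

    # Anything that arrived by email, or that carries pressure cues, must be confirmed
    # by phoning the number on record (not a number quoted in the message).
    if (req.channel == "email" or cues) and req.callback_confirmed_by is None:
        d.reasons.append("no out-of-band callback confirmation recorded")
    elif req.callback_confirmed_by == req.requester:
        d.reasons.append("callback must be performed by someone other than the requester")

    # Large amounts need a second, independent approver.
    if req.amount >= SECOND_APPROVER_THRESHOLD and req.second_approver in (None, req.requester):
        d.reasons.append("amount requires an independent second approver")

    d.approved = not d.reasons
    return d


if __name__ == "__main__":
    # Constructed scenario mirroring the fraud described above.
    suspicious = PaymentRequest(
        requester="ceo@example.com", payee="new-counsel-llc", account="XX-999",
        amount=250_000.0, channel="email",
        message="This is a confidential transaction, don't discuss it with anyone.",
    )
    print(validate_payment(suspicious))
```

The point of the structure is that the accountant's email client is never the deciding factor: the request is checked against data the attacker cannot alter from a compromised mailbox (the register, the callback performed by a colleague, the second approver), which is what turns "education and awareness" into a repeatable control.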