Could Your Small Business Get Scammed by 'CEO Fraud?'

By Joe Moran | Posted November 16, 2015

When you send an email to your employees directing them to do something, chances are they don't give your request a second thought; they just jump to it as quickly as possible. While that reaction is completely understandable, it can cost a company dearly if the email turns out to be fraudulent. Thanks to a scourge called business email compromise (BEC)—also known as CEO Fraud—it's a growing security concern for small businesses.

The motive behind the BEC is simple enough—to get someone (usually within an organization's accounting or finance department) to execute a wire transfer to a scammer's account, ostensibly on behalf of a company executive or principal. The scam is often—but not always—targeted at companies where wire transfers may be common business practice.

The Cost of Email Fraud

If you think you or your employees can't possibly be fooled by a BEC, think again, because the FBI's Internet Crime Complaint Center (IC3) reports that BEC scams were responsible for more than $1.2 billion in global losses from October 2013 through August 2015 (and more than half of those losses were from U.S. companies.) The amounts a single company can lose aren't trivial either. Over the summer Ubiquiti Networks, a maker of enterprise Wi-Fi hardware, disclosed that it lost $46.7 million as the result of a BEC scam.

What makes BECs particularly dangerous is that there's no sure-fire way to avoid receiving the bogus emails. Anti-malware software won't help you since there's nothing malicious about the message content (other than the intent to get you to do a scammer's dirty work for him).

Anti-spam filtering offers little help since BECs aren't garden-variety, mass-mailed phishing scams; they're focused attacks launched by people who have researched the target company, the executive(s) they impersonate, and the recipient(s) of the fraudulent email. Finding the names of relevant individuals at an organization isn't difficult given that many companies list such personnel on their websites.

Small business secueity: email fraud

How to Spot a BEC Scam

How exactly does a BEC scammer manage to pose as a company executive via email? One way might be to obtain access to the person's mailbox (e.g. by guessing his or her password or spear phishing the individual), thus gaining the ability to actually send messages from the person's email account. Or the scammer simply registers a similar-looking email domain (say, acmelndustries.com instead of acmeindustries.com—substituting a lower-case "L" for an "i"), or employs emailspoofing to make it look as though a message came from an executive's address.

When a fraudulent BEC email arrives in the target's inbox, it usually includes little more than a directive to transfer amount x into account y and then reply with a confirmation that the transfer was successfully executed. The email almost always contains words such as "urgent", "immediately," or "confidential" in the hopes the recipient will execute the transfer with haste but without first confirming it with supposed requestor.

Indeed, fraudsters may even launch a BEC scam when the impersonated executive is away on vacation—a fact easy enough to confirm via an automated "Out of the Office" reply—and thus presumably not quite as easy to reach. 

Scammy emails are usually known for poor grammar and spelling (sometimes comically so), but that doesn't necessarily apply to BEC messages. Remember that BEC is a targeted relatively sophisticated type of attack, so the scammer won't want to risk tarnishing the message's authenticity with bad prose.

The half-dozen or so BEC attempts we've seen were all linguistically accurate, if somewhat curt. By the way, BEC scams don't always impersonate an executive and target a lower-level employee; they can just as easily impersonate one company executive or principal and target another one.  

How to Avoid Being Scammed

So what can your business do to avoid being a victim of BEC fraud? The best defense is decidedly low-tech. When you receive a request to initiate a wire transfer, be skeptical of it and don't act until you can confirm it, by phone, with the alleged requestor. While this may seem anachronistic in this age of instant digital communication, it's the only way to be absolutely sure that a funds transfer request is legitimate. Whether or not the request turns out to be legit or bogus, the boss should appreciate the efforts of a conscientious employee.

You can take some steps to reduce the likelihood that a BEC makes it to your company's inboxes. Check with your email service provider about configuring your email server and/or spam filter to discard incoming messages that claim to originate from your domain name.

Since messages between two individuals at a company travel directly between mailboxes within the confines of an email system, it's safe to assume that an email from yourcompany.com entering the system from outside the company contains a spoofed address. You might also consider automatically dropping incoming messages from any misleadingly misspelled versions of your domain (such as the example provided above).  

An even more effective way to way to reduce or eliminate the possibility of receiving emails with spoofed domains (including your own) is to use an email authentication technology such as DMARC (Domain-based Message Authentication, Reporting and Conformance), which ensures that a computer sending an email on behalf of your company's domain is in fact authorized to do so.

Most modern email systems (including Office 365) support DMARC, but implementing it properly takes time and expertise to avoid potential problems with the flow of legitimate mail, particularly if your company uses third-party vendors for marketing/mailing list-type messages.

None of the aforementioned technical countermeasures will be useful in situations where a scammer has actually taken control of an executive's mailbox. So we reiterate: if you or your employees receive an emailed request to wire money, you should automatically assume it's fake until you can verify that it's not. Failure to do so may result in your company learning an expensive lesson. 

Joseph Moran is a technology writer and IT consultant who specializes in services for consumers and small businesses. He's written extensively for numerous print and online publications, and is the author of File Management Made Simple, Windows Edition from Apress.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!

Comment and Contribute


     

    Get free tips, news and advice on how to make technology work harder for your business.

    Submit
    Learn more
     
    You have successfuly registered to
    Enterprise Apps Daily Newsletter
    Thanks for your registration, follow us on our social networks to keep up-to-date