CEO targeted by fraud twice a month

Every couple of weeks or so, Tom Kemp's company gets hit by ever-more-sophisticated attempts to trick them out of large sums of money.

It started two years ago, before business email compromise -- also known as CEO fraud -- became as widely known as it is today.

The email came in addressed directly to the company's controller, asking for a wire transfer of more than $350,000. The email seemed to come from the CFO and was part of a longer chain of emails between the CFO and the CEO discussing the transfer.

"If you looked at the email thread, it looked legitimate," said Kemp, CEO at security firm Centrify. "And there was a real bank account and a real company name associated with it."

The return address looked like that of the actual CFO, as well.

And when the controller emailed back, the response was professional and immediate.

"They had researched our organization, figured out who our controller was, got her email address, created this email chain between the CFO and myself, created this fake domain, and carried on ongoing communications," Kemp said. "I thought this was very sophisticated."

Centrify did have additional checks-and-balances in place, Kemp said, with some paperwork required. But what really stopped the fraud right in its tracks was the fact that he was late to work that morning.

Kemp sits near the accounting office, and when he walked past that morning, his employees told him that they were working on the wire transfer he requested.

"And I said, 'What are you talking about? I didn't request a wire transfer.' At first, I thought it was just us being targeted," he said. "We had just raised a round of financing and thought that someone was doing this to embarrass us."

But looking into the situation, it turned out that the return address on the email came from a look-alike domain address that had only been registered that morning. At the same time, fraudsters registered similar spoofed domains for 60 other companies.

Since then, Kemp said, attackers have also tried going after his father's company, a 50-employee leasing firm in Michigan, where they tried to get around $35,000.

"It's happening for all-sized organizations," he said.

He also said that he's seen some evolution in tactics. Instead of asking for wire transfers, for example, some fraudsters are asking for sensitive company documents, such as employees' W-2 forms. Others are sending emails to all of a particular vendor's customers asking them to update billing details.

"When it comes time to pay the bill, they're now wiring their money to the bad guys," Kemp said. "The entire month's worth of payments has now been completely stolen and vectored to the crooks."

Companies should step up their employee education efforts, add multi-factor authentication for logins to key systems, and add layers of approvals for potentially risky transactions such as unusual wire transfers or changes in payment location.

Another new wrinkle, according to Ed Cabrera, vice president of cybersecurity strategy at Trend Micro, is that fraudsters are combining email messages with phone calls.

"Adding the human element further preys on ill-prepared organizations that are not able to detect this type of compromise," Cabrera said.

When confirming payments, it's good practice to use known contact information for colleagues and vendors, instead of replying automatically to emails, or using telephone numbers or other contact or payment details provided in those emails.

According to Trend Micro, some business email compromise scams have netted the crooks extremely large sums of money.

In January, for example, airplane parts manufacturer FACC Operations GmbH was hit for $54 million.

And last week, U.S. authorities filed suit in Manhattan to recover the remaining $25 million out of nearly $100 million stolen from an American company -- the other $74 million has already been recovered and returned.

Since January 2016, 67 percent of respondents to a survey by email security company Mimecast had seen an increase in attacks designed to instigate fraudulent payments and 43 percent saw an increase in attacks specifically asking for confidential data like HR records or tax information.

"Since the beginning of this year, BEC has exploded in several directions," said Stu Sjouwerman, CEO at KnowBe4.

He pointed out that the $100 million fraud was actually caught by one of the intermediary banks, based in Cyprus, not by the victimized company itself.

The still-unnamed US company that lost $100 million should consider itself lucky.

"In many cases, law enforcement cannot recover funds sent overseas and may not identify the perpetrator; therefore, education and prevention are stressed," the FBI warned.
