Email compromise is impacting businesses globally
Key insights:
Business email compromise (BEC) is a growing business risk
“CEO fraud” is one of the most effective forms of BEC and involves the impersonation of a senior manager
Risk can be reduced through training and appropriate accounts processes, and transferred via insurance policies which include cover for impersonation fraud / social engineering
Business email compromise (BEC)
Business email compromise involves the compromise of legitimate business e-mail accounts either through the manipulation of people’s natural tendency to trust (“social engineering”) or computer intrusion techniques to conduct unauthorised transfers of funds. In June 2018 the FBI reported that between October 2013 and May 2018, more than $12.5 billion was defrauded from businesses internationally in this way: https://www.ic3.gov/media/2018/180712.aspx
BEC incorporating social engineering involves an email that appears to come from a trusted source, such as a colleague, manager or another participant in a transaction, or a request from a supplier seeking payment for a past invoice. Criminals are exploiting people’s tendency to trust through a wide range of targeted payment redirection frauds, particularly as technology becomes more effective at screening out indiscriminate and generic phishing emails.
In 2017 Trend Micro reported that Australian companies were the world’s second most popular targets for BEC attacks based on frequency: https://www.cso.com.au/article/627211/australian-companies-world-second-most-popular-targets-email-fraud/
“CEO fraud” is one of the most effective forms of business email compromise
“CEO fraud” involves the sending of an email to an employee of an organisation impersonating someone in a senior role such as the company’s CEO or CFO, or a managing partner in a professional practice. Because the employee believes the email is from an owner or senior staff member within their organisation, they may action these payment requests quickly and without question unless they have previously been educated about the existence of this type of scam.
A high profile case involved the Austrian aircraft parts maker FACC, whose customers at the time included Airbus, Boeing and Rolls-Royce. In January 2016 an employee of FACC transferred around 50 million euros (approximately $80M AUD), equivalent to almost 10 percent of the company’s annual revenue, after receiving emailed instructions from an imposter posing as the company CEO. The relevant employees were later dismissed, with the CEO’s employment also terminated shortly afterwards. Before being stood down, CEO Walter Stephan told investors “The fraud did not take place via our Internet or IT system but by means of a simulated email correspondence under my name, which does not require any hacking”: https://www.cso.com.au/article/600535/ceo-fired-after-fake-ceo-email-scam-cost-firm-47m/
In another case reported in January 2019, the Indian subsidiary of Italian company Tecnimont SpA was defrauded of $18.6M US after employees received a series of emails that appeared to be from Tecnimont’s CEO, who was based in Italy. After sending emails from an account that was deceptively similar to the CEO’s, the fraudsters arranged a series of conference calls in which they impersonated the CEO, senior executives and a lawyer based in Switzerland. In these calls the imposters convinced the head of the Indian subsidiary that the Italian parent company was arranging a secretive and highly confidential acquisition in China, and that the money could not be transferred from Italy for regulatory reasons. After the fraud was revealed the head of the Indian subsidiary and its chief financial officer were dismissed: https://www.secureworldexpo.com/industry-news/business-email-compromise-bec-case
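Both cases above turned on an email that looked like it came from the CEO. The following is an added example, not from this article, of the kind of sender check a mail gateway or accounts team tool can apply before a payment request is actioned: it flags messages whose display name or mailbox name matches a known executive but which come from outside the corporate domain, and messages from near-miss lookalike domains. The executive list and corporate domain are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed sample directory (placeholders): the real corporate domain and
# the executives whose names fraudsters are most likely to borrow.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john smith": "john.smith@example.com"}


def _normalise(name: str) -> str:
    # Lower-case and strip punctuation so "Doe, Jane." and "jane doe" compare equal.
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; a domain one or two edits away from ours
    # (examp1e.com, exarnple.com, example.co) is a likely lookalike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'ok', 'lookalike-domain' or 'display-name-impersonation'."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    if domain == CORPORATE_DOMAIN:
        return "ok"  # genuine internal sender (assumes SPF/DKIM already enforced)
    if domain and _edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        return "lookalike-domain"
    # External address whose display name, or mailbox name, is a real executive's.
    candidates = {_normalise(display), _normalise(local.replace(".", " "))}
    if candidates & EXECUTIVES.keys():
        return "display-name-impersonation"
    return "ok"
```

A flagged result is a prompt for the out-of-band verification the article recommends, not proof of fraud: the employee phones the executive on a known number before any transfer is approved.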
Preventative measures include training for employees and stringent accounts processes
A recent UK court case illustrates the risks of not providing employee training about email fraud. In February 2019, Glasgow firm Peebles Media Group sued a former employee for transferring more than $350,000 after receiving fake emails that appeared to be from her manager, who was on leave at the time. The employee defended the case arguing that she had never received training about these kinds of emails. (Link: https://www.bbc.com/news/uk-scotland-glasgow-west-47135686). At the time of writing the outcome of this litigation does not appear to have been disclosed, and it is possible the case may have been settled privately.
To prevent similar cases, training in how to recognise and avoid potential scams should be given to all staff including senior executives or principals who often have extended privileges or levels of authority enabling them to bypass controls that would prevent less senior staff from approving similar payments: https://www.cso.com.au/article/627211/australian-companies-world-second-most-popular-targets-email-fraud/
Insurance coverage for similar events can be obtained under crime, cyber and management liability policies
None of these high profile cases of CEO fraud appear to have involved any compromise of the organisation’s IT network, each being a straightforward case of impersonation fraud that simply used emails and phone calls to carry out a fraud in the same way that fraudsters once impersonated others using a forged letter or signature. Generally speaking, cyber insurance policies are designed to cover losses flowing from interference with technology, such as computer hacking, unless social engineering or impersonation fraud is expressly included.
The availability and pricing of policies that cover claims of this nature are also likely to be more favourable where the organisation seeking cover provides appropriate training programs for employees and puts in place stringent accounts payment processes.
The unfortunate loss suffered by the UK employer could potentially have been avoided with workplace training, better accounts payment controls and suitable insurance coverage, underscoring that business email compromise is a whole-of-business risk requiring a holistic response rather than an IT issue only.