Finance departments have long been in the crosshairs of criminals thanks to their authority over the capital flowing in and out of the business. However, recent years have seen the threat against CFOs, treasurers and other financial controllers increase drastically as fraudsters adopt sophisticated new email attacks as their weapon of choice.
Malicious emails take many forms, with most people being familiar with simplistic scams that are indiscriminately sent to millions of targets. One example of this is the traditional phishing email appearing to come from a bank you do not even have an account with. Finance teams, however, are at risk of a much more dangerous approach popularly known as Business Email Compromise (BEC).
While most email attacks rely on some form of deception, such as pretending to be a trusted source like a retail brand or governmental agency, BEC attackers will take on the identity of a specific individual connected to the target’s business. This will frequently be a senior figure such as the CEO or managing director, but there have also been many examples of attackers impersonating suppliers or business partners.
The strategy is so effective that the FBI recently announced that BEC attacks have raked in more than $5.3bn (£3.86bn) in the last three years, with more than 40,000 attacks reported from October 2013 to December 2016.
The cost of an individual attack can easily run to millions of pounds, and potentially cost the victims their jobs. Last year, Austrian aerospace manufacturer FACC was hit by an attack which cost them more than £40m, and also led to the firing of both the CEO and CFO.
The trusted imposter
BEC attacks are typically completed using a high level of social engineering, with the criminals taking the time to research the individual victim and their company to craft a believable message that can pass for a legitimate business communication. Thanks to the proliferation of information available online through sources including social media, it’s fairly easy for criminals to find everything they need to create a convincing false identity.
The imposter will often complete the deception by using additional techniques to disguise their email address. The email may be spoofed, use a convincing lookalike domain, or they may simply use a deceptive display name. In more advanced cases they may also send their malicious email from a legitimate email account that has been compromised in a previous cyber attack, without the knowledge of the owner of that account.
Whatever the method used to reach the target, the attacker will seek to leverage the false identity to trick the victim into following their instructions. One of the most common approaches we see for finance department targets is to request a direct payment, generally wired straight to a bank account. Another popular method is to impersonate the CEO and request an emergency transfer of funds, which is typically accompanied by a convincing lie about why it has to be done immediately and why they are currently unreachable for additional details. More daring criminals have even been known to set up standing orders by impersonating a business’s suppliers. While easier to catch out, if successful, this approach can defraud a company of millions of pounds over a period of months or years.
BEC attacks can also be used for other purposes, such as implanting malware as part of a wider cyber attack, or stealing key information such as intellectual property, business contacts, or HR records. Thieves can make a large profit selling stolen, confidential data to competitors or on the black market, but tricking a company into directly making a payment is the most direct route for financially motivated cyber criminals.
Keeping the fraudsters at bay
While companies should ensure that all employees follow strict procedures when it comes to authorising payments, in most cases it is not fair to blame the individual who falls for a BEC attack. The reality is that a sophisticated attack will be likely to fool most people even if they have received specific training, so the emphasis should be on preventing the email from reaching them in the first place.
One of the reasons these attacks have become so successful is their ability to evade the traditional spam and security filters that most companies have come to rely on over the years. Most defences work by identifying certain keywords, malicious links or attached files. BEC fraudsters eschew these more obvious red flags, however, and the content of their email is usually indistinguishable from the real thing. Therefore, while traditional email filter technologies are still needed for the myriad of other spam and scattershot phishing emails a company receives, they are almost useless against high-level BEC attacks and other targeted attacks.
Instead, companies need to combine traditional filters with a system that is able to detect identity deception. Each inbound email should be evaluated for warning signs such as a mismatch between the sender’s display name and the actual sender identity. Emails which pass this test can be considered trusted, but anything else should undergo additional scrutiny to uncover signs of an imposter. For example, an email that has the same display name as the company’s CEO may not be malicious, but it also may not be from the real CEO. The system could be set to automatically change a display name that does not match the real identity so it displays “Stranger! Watch out!”, making sure the recipient is not fooled by the apparent sender identity.
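The identity checks described above (display-name mismatch, lookalike domain and spoofed sender, covering the techniques listed under “The trusted imposter”) can be sketched as a small mail-gateway rule. This is an added illustration, not a product or code from the article; the executive directory, the company domain and the `auth_pass` flag (standing in for a message’s SPF/DKIM authentication result) are constructed assumptions.

```python
from email.utils import parseaddr, formataddr

# Constructed directory: lower-cased display name -> the only legitimate address for it.
KNOWN_SENDERS = {"jane smith": "jane.smith@example.com"}  # hypothetical CEO
COMPANY_DOMAIN = "example.com"                            # hypothetical own domain
WARNING_NAME = "Stranger! Watch out!"


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (e.g. 'exarnple.com')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, auth_pass):
    """Return (verdict, From header to deliver) for one inbound message.

    auth_pass is True when the message authenticated (SPF/DKIM) for its From domain.
    Anything that is not 'trusted' or 'unknown' gets its display name rewritten.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # 1. Exact-domain spoof: claims to be us but failed authentication.
    if domain == COMPANY_DOMAIN and not auth_pass:
        return "spoofed", formataddr((WARNING_NAME, addr))
    # 2. Display name of a known executive paired with someone else's address.
    key = name.strip().lower()
    if key in KNOWN_SENDERS:
        if addr == KNOWN_SENDERS[key]:
            return "trusted", from_header
        return "display-name-mismatch", formataddr((WARNING_NAME, addr))
    # 3. External domain within two edits of our own domain.
    if domain and domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        return "lookalike-domain", formataddr((WARNING_NAME, addr))
    return "unknown", from_header


if __name__ == "__main__":
    # Constructed sample headers, one per technique.
    samples = [('"Jane Smith" <jane.smith@example.com>', True),
               ('"Jane Smith" <jane.smith@example.com>', False),
               ('"Jane Smith" <jane.smith@webmail.example.net>', True),
               ('"Bob Jones" <bob@exarnple.com>', True)]
    for hdr, ok in samples:
        print(classify_sender(hdr, ok))
```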
With both the sophistication and volume of email fraud attacks growing exponentially, businesses can only keep finance teams safe by matching the fraudsters with equally advanced defences.