The emails my clients, all CEOs of large and growing organizations, share with me certainly seem legitimate. With just slight variations, the email message appears to ask their CFOs to send a large, but not unusually large, wire transfer to a bank right this minute.
“I need you to send a wire of $35,000 to the attached account. Kindly let me know as soon as transfer is done and send me a transfer confirmation in reply,” the email said, and ended, “Awaiting your reply.” Attached to the email was a wire transfer form with an account at a foreign bank.
Two different clients have been targeted with the same phishing scam, and both sent the scammers money.
How did this happen? How did the CFO not realize the email wasn’t from the real CEO? Recently the U.S. government issued a warning about business email compromise (BEC).
“BEC is a type of payment fraud that involves the compromise of legitimate business email accounts for the purpose of conducting an unauthorized wire transfer,” the government’s statement says.
The way it works is that the accounting or finance department of a corporation receives an email from someone who appears to be the company’s CEO, directing payment by wire transfer to a bank account. The email usually says that the need is urgent and highly confidential, and it directs immediate payment without further authorization. The message appears to come from the CEO’s company address through email address spoofing.
How should organizations protect themselves going forward? The FBI’s advisory on these scams urges businesses to adopt two-step or two-factor authentication for email, where available, and to establish other communication channels — such as telephone calls — to verify significant transactions.
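As an added example (not code from the author of this post or from the FBI advisory), here is a Python triage check a finance team's mail filter could apply to the kind of message described above: it flags a failed SPF/DMARC result, a Reply-To that diverts replies elsewhere, and urgent wire-transfer language, and any flagged request must be confirmed by phone before payment. The sample message, the corporate domain example.com and the keyword lists are constructed assumptions.

```python
import email
from email.utils import parseaddr
from typing import List

# Constructed sample modelled on the request in the post; the headers are made up.
SAMPLE_EMAIL = """From: "Jane Smith" <ceo@example.com>
Reply-To: jane.smith.ceo@mail-example.net
To: cfo@example.com
Subject: Urgent wire
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.net; dmarc=fail header.from=example.com

I need you to send a wire of $35,000 to the attached account. This is highly confidential.
Kindly let me know as soon as transfer is done. Awaiting your reply.
"""

URGENCY_TERMS = ("urgent", "right this minute", "as soon as", "immediately", "confidential")
PAYMENT_TERMS = ("wire", "transfer", "payment", "account")


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def bec_indicators(raw_message: str) -> List[str]:
    """Return the BEC red flags found in a raw RFC 822 message (empty list if none)."""
    msg = email.message_from_string(raw_message)
    flags = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. The receiving mail server recorded an SPF or DMARC failure for a spoofed From.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        flags.append("sender authentication failed (spf/dmarc)")
    # 2. Reply-To points at a different domain than From, so replies reach the scammer.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append(f"reply-to mismatch: {reply_addr}")
    # 3. Urgency or secrecy language combined with a payment request.
    body = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(t in body for t in URGENCY_TERMS) and any(t in body for t in PAYMENT_TERMS):
        flags.append("urgent payment request in message")
    return flags


def requires_out_of_band_verification(raw_message: str) -> bool:
    """Policy hook: any flagged wire request is held until confirmed by phone."""
    return bool(bec_indicators(raw_message))
```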
Has anybody else been affected by this? What security measures have you put in place since?