Breaking News

Fraud Prevention Month: Fight Business Email Fraud

Fraud Prevention Month begins today, reminding me of three business-related online frauds that I have written about. Let's take a look at them and discuss some of the similarities they shared:

Toymaker Mattel suffered a US $ 3 million loss in 2015, when the CFO relied on an email from his boss asking him to transfer funds to a new supplier in China. Mattel's protocol for such a large transfer called for approval from the CEO and CFO. Okay, the CEO's email was one, and he was the other being the CFO, so ... Fortunately, the incident happened over a long weekend in China, so the transfer was frozen when the bank opened on Tuesday.
A Texas company lost US $ 1 million in 2019, when an assistant to the CEO thought he was following his boss's email orders to send money to a company. But he was an idiot. The email did not come from his boss. The attacker read the executive's Facebook page and came to know that he had coached his daughter's football team. The crook then hacked the executive's email and sent a message to the assistant on Friday asking him to look into transferring money to a firm as he was away at his daughter's tournament. The message also told the assistant not to bother confirming the transfer, as the CEO relied on him to take care of things;
A Chinese venture capital company suffered a $ 1 million loss that an Israeli startup was to go after hackers were able to insert themselves into email conversations from both firms that were thousands of kilometers away. The attackers went through public announcements that the Chinese firm was going to invest in the Israeli company. They then hacked the companies' emails and created two email accounts that closely mimicked each company's email domain by adding the letter "s" to the name. Officials could not find the difference. The result was that the hacker could intercept messages between the two companies, change the content and send messages between them via fake email accounts. At one time, the executives of the two companies were to meet in Shanghai. The attacker sent an email to the two firms stating that they could not hold a meeting for different reasons. If that meeting had gone ahead, the scam would have been exposed. When the bank of the Chinese company said there was something wrong with its wire transfer, the two companies only realized something was wrong, and the Israeli company realized that it would not receive its $ 1 million.
Security and law enforcement researchers call these and other incidents a "business executive agreement" or "business email scam" (BEC). They have two things in common: employees who rely on email communications, and poor business processes to deal with financial transfers.

During the Fraud Prevention Month, will feature several stories advising CISOs and CEOs, which may reduce the odds of being caught by online-enabled fraud.

No comments