CEO targeted by fraud twice a month

Every couple of weeks or so, Tom Kemp's company gets hit by ever-more-sophisticated attempts to trick them out of large sums of money

Every couple of weeks or so, Tom Kemp's company gets hit by ever-more-sophisticated attempts to trick them out of large sums of money.

It started two years ago, before business email compromise -- also known as CEO fraud -- became as widely-known as it is today.

The email came in addressed directly to the company's controller, asking for a wire transfer of more than $350,000. The email seemed to come from the CFO and was part of a longer chain of emails between the CFO and the CEO discussing the transfer.

"If you looked at the email thread, it looked legitimate," said Kemp, CEO at security firm Centrify. "And there was a real bank account and a real company name associated with it."

The return address looked like that of the actual CFO, as well.

And when the controller emailed back, the response was professional and immediate.

"They had researched our organization, figured out who our controller was, got her email address, created this email chain between the CFO and myself, created this fake domain, and carried on ongoing communications," Kemp said. "I thought this was very sophisticated."

Centrify did have additional checks-and-balances in place, Kemp said, with some paperwork required. But what really stopped the fraud right in its tracks was the fact that he was late to work that morning.

Kemp sits near the accounting office, and when he walked past that morning, his employees told him that they were working on the wire transfer he requested.

"And I said, 'What are you talking about? I didn't request a wire transfer.' At first, I thought it was just us being targeted," he said. "We had just raised a round of financing and thought that someone was doing this to embarrass us."

But looking into the situation, it turned out that the return address on the email came from a look-alike domain address that had only been registered that morning. At the same time, fraudsters registered similar spoofed domains for 60 other companies.

Since them, Kemp said, attackers have also tried going after his father's company, a 50-employee leasing firm in Michigan, where they tried to get around $35,000.

"It's happening for all-sized organizations," he said.

[ RELATED: The year in security, identify theft and fraud ]

He also said that he's seen some evolution in tactics. Instead of asking for wire transfers, for example, some fraudsters are asking for sensitive company documents, such as employees W-2 forms. Others are sending emails to all of a particular vendor's customers asking them to update billing details.

"When it comes time to pay the bill, they're now wiring their money to the bad guys," Kemp said. "The entire month's worth of payments has now been completely stolen and vectored to the crooks."

Companies should step up their employee education efforts, add multi-factor authentication for logins to key systems, and add layers of approvals for potentially risky transactions such as unusual wire transfers or changes in payment location.

Another new wrinkle, according to Ed Cabrera, vice president of cybersecurity strategy at Trend Micro, is that fraudsters are combining email messages with phone calls.

"Adding the human element further preys on ill-prepared organizations that are not able to detect this type of compromise," Cabrera said.

When confirming payments, it's good practice to use known contact information for colleagues and vendors, instead of replying automatically to emails, or using telephone numbers or other contact or payment details provided in those emails.

According to Trend Micro, some business email compromise scams have netted the crooks extremely large sums of money.

In January, for example, airplane parts manufacturer FACC Operations GmBH, was hit for $54 million.

And last week, U.S. authorities filed suit in Manhattan to recovering the remaining $25 million out of nearly $100 million stolen from an American company -- the other $74 million has already been recovered and returned.

Since January 2016, 67 percent of respondents to a survey by email security company Mimecast had seen an increase in attacks designed to instigate fraudulent payments and 43 percent saw an increase in attacks specifically asking for confidential data like HR records or tax information.

"Since the beginning of this year, BEC has exploded in several directions," said Stu Sjouwerman, CEO at KnowBe4.

He pointed out that the $100 million fraud was actually caught by one of the intermediary banks, based in Cyprus, not by the victimized company itself.

According to a bulletin issued by the FBI at the end of March, companies in 79 countries lost more than $2.3 billion to BEC fraud since October 2013, with the majority of the victims located in the U.S.

The still-unnamed US company that lost $100 million should consider itself lucky.

"In many cases, law enforcement cannot recover funds sent overseas and may not identify the perpetrator; therefore, education and prevention are stressed," the FBI warned.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)