Business email fraud – financial scams under the guise of authority

A 1,300% increase in losses resulting from business email compromise is nothing short of an epidemic.


[This article was co-written with Daniel Shkedi, a product marketing manager at BioCatch.]

A CFO at a cybersecurity startup receives an urgent email from his CEO, who happened to be on a business trip at the time. “David, we need to transfer $40,000 to X this morning to lock in a discount price from this supplier. The bank details are below. I will be in a meeting so please confirm with me by email it was done. Thank you.” The CEO returns to the office later that day and the CFO proudly tells him that the transaction has been completed. “What are you talking about?” says the CEO. “I never asked you to transfer any funds!”

This is Fraud Stories, a monthly blog focused on digital identity and online fraud, one of the most defining issues of our day.

CEO fraud losses exceed $3 billion per year

Business email compromise, also known as CEO fraud, is a scam in which fraudsters spoof company email accounts of senior executives or the CEO, impersonate them, and send emails to financial departments trying to deceive them into executing payments.

Business email compromise is sophisticated and hard to spot because it tends to target businesses that work with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by fraudsters who compromise the email accounts of known contacts of their victim, and it is a two-part attack: it usually begins with social engineering or computer intrusion techniques to gain access to the CEO’s email account in the first place, and the fraudster then uses that access to send the victim a message requesting the money transfer.

According to the Federal Bureau of Investigation, from January 2015 to June 2016 fraudsters stole approximately $3.1 billion from more than 22,000 victims through this type of fraud, marking a 1,300% rise in losses. And in a recently released video, Citibank calls business email compromise the most dangerous online scam, noting that about one in four victims in the United States respond and transfer money to fraudsters.

Types of CEO fraud emails

  • “I’m unavailable” emails: Just like in our fictional anecdote above, the fraudster impersonating the CEO supposedly needs an urgent transaction done and mentions that he will not be available.
  • Direct billing emails: The CEO supplies a list of details for a money transfer, including amount, bank account number, SWIFT code and routing number, and requests that the payment be processed immediately. It will typically be to a new account.
  • CEO emails with malware: The CEO sends an email with a supposed invoice attached. Once opened, the attachment injects malicious code to create a “backdoor,” which can enable further attacks on the organization’s internal network and post-login account takeovers of corporate online banking accounts.
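As an added example that is not part of the original article, the following Python script checks a message for the red flags described above (an executive’s display name on an outside address, a diverging Reply-To, urgency wording, a claim of being unreachable, wire-transfer language, an attachment) so that a mail gateway or finance-mailbox rule could hold it for out-of-band confirmation. The executive list, the company domain and the sample message are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed values (hypothetical): executives likely to be impersonated,
# mapped to their real address, plus the company's own mail domain.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
INTERNAL_DOMAIN = "example-corp.com"
URGENCY = re.compile(r"\b(urgent|immediately|this morning|asap|right away)\b", re.I)
UNAVAILABLE = re.compile(r"\b(in a meeting|unavailable|unreachable|on a trip)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|swift|iban|routing number|bank details)\b", re.I)

def bec_indicators(raw_message: str) -> list:
    """Return the BEC red flags found in one RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    # Executive's display name on an address that is not their real one.
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        flags.append("display-name impersonation")
    if addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
        flags.append("external sender domain")
    # Reply-To that quietly redirects the conversation to the fraudster.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("reply-to mismatch")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for pattern, label in ((URGENCY, "urgency language"),
                           (UNAVAILABLE, "sender claims to be unreachable"),
                           (PAYMENT, "wire-transfer request")):
        if pattern.search(text):
            flags.append(label)
    if any(True for _ in msg.iter_attachments()):
        flags.append("attachment present")
    return flags

def should_hold_for_review(raw_message: str, threshold: int = 3) -> bool:
    """Hold the message for finance/security review when enough flags stack up."""
    return len(bec_indicators(raw_message)) >= threshold

# Constructed sample modelled on the article's anecdote (not a real message).
SAMPLE = """\
From: Jane Doe <jane.doe@webmail-example.net>
Reply-To: jane.doe.ceo@webmail-example.net
Content-Type: text/plain; charset="utf-8"

David, transfer $40,000 this morning to lock in a discount; bank details below. I will be in a meeting, so confirm by email.
"""
```

A held message is then confirmed with the executive over a known phone number or in person, never by replying to the email itself.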

Malicious persuasion under the guise of authority

The use of the CEO’s name and email address has a powerful psychological effect on employees that creates a sense of authority and legitimacy. If you are a typical employee who wants to excel in the workplace, in most cases you will take such an email very seriously and comply. Psychologists call this phenomenon the “authority bias,” the attribution of greater importance to opinions or requests from authority figures regardless of their content. This effect makes this type of fraud especially cunning and much more dangerous than other types of email scams, because of its disarming effect on individual judgment and critical thinking.

Organizational practices and safeguards

Preventing business email compromise requires a series of practices to strengthen your organization’s security posture. Here are three basic steps to take:

  1. Create training programs for employees to educate them about the risk of CEO fraud, how to recognize phishing emails and what practicing “good cyber hygiene” means.
  2. Develop strict payment authorization processes with financial personnel, using several confirmation methods (e.g., large payments require written or verbal confirmation through a channel other than the requesting email).
  3. Require dynamic authentication that goes beyond traditional verification before granting access to email accounts.

This article is published as part of the IDG Contributor Network.
