According to new research from security software company TrendMicro, CFOs are targeted by scammers via business email compromise (BEC) schemes more than any other finance professional. Nearly 19% of BEC scams are aimed at them. Finance directors come in second at more than 7%, followed by finance managers (6%), finance controllers (6%) and accountants (4%).
US corporates should particularly be on alert. Thirty-one percent of BEC scams so far in 2017 have been against companies in the United States, followed by those in Australia (27%), the UK (22%), Norway (5%) and Canada (3%). [Editor’s note: Asia is lumped together with the rest of the world at 11%.]
Countries With the Most Business Email Compromise Attempts
Data refers to the number of attempts of BEC attacks seen in countries in the first half of 2017. The number does not indicate whether the attacks were successful. BEC samples mainly consist of CEO fraud samples. Source: 2017 Midyear Security Roundup, TrendMicro.
What to watch for
The report also pinpointed which executives BEC scammers are impersonating or “spoofing” the most. Unsurprisingly, CEOs topped the list at 42%, followed by managing directors/directors (28%), presidents (7%), general managers/managers (6%) and chairmen (4%).
Fraudsters typically request a transfer for an acquisition, and stress that the payment needs to be made immediately. The request typically comes on a Thursday or Friday
Based on random sampling of attacks, TrendMicro identified some words and phrases commonly used in these scams, such as “acquisition,” “Contract,” “Instructions,” “Invoice,” “Request,” and “Swift response needed.”
This aligns with one of the most important takeaways in the Association for Finance Professional report Treasury in Practice Guide on BEC scams: Watch for urgent or secret requests, especially when they come from an executive that is absent.
Fraudsters typically request a transfer for an acquisition, and stress that the payment needs to be made immediately. The request typically comes on a Thursday or Friday, or right before a holiday weekend when the company is short-staffed.
However, TrendMicro also observed a resurgence of the other method of BEC scams, in which the perpetrator impersonates a routine supplier rather than an employee. In these types of scams, they send an email with a fake invoice and instructions on where to send the payment (hint: it’s not the actual supplier’s account).
Preventing the threat
According to the US Federal Bureau of Investigation (FBI), global losses attributed to BEC scams since 2013 totaled US$5.3 billion by May 2017. Fortunately, 70% of organizations have implemented controls to prevent these scams, according to the 2017 AFP Payments Fraud and Control Survey.
There are a number of ways to make sure that a questionable email request is valid. The most obvious is to simply call the individual making the request and verify its authenticity. Do this every time a supplier sends you an email request with new payment instructions. And don’t call a number provided to you in the email; use the number you have on file.
Require two different computers and passwords to send money, with one of them being a computer that connects to the bank and nothing else
“When your vendors email you and say, ‘I have a new bank account, send it here instead of there,’ tell your AP to call them back,” said one treasurer. “Verify it. That’s something people aren’t doing.”
Another way to stop BEC scams, explained Greg Litster, president of SAFEChecks and AFP 2017 speaker, is requiring two different computers and passwords to send money, with one of them being a computer that connects to the bank and nothing else. Only that dedicated bank computer can be used to release transfers.
“For the release, you don’t want to use a computer you use for email, because you don’t know if your computer’s been hacked and the keystrokes are being monitored,” he said.
But while adding a computer that is only used for the bank connection sounds like a good idea, Magnus Carlsson, AFP’s manager of treasury and payments, noted that it’s not a practice that is typically used in treasury departments.
“In my own experience, the AP personnel used their workstations to initiate payments, but they also had security devices such as login boxes they had to use to connect to the banks,” he said. “But the security set-up is of course different depending on what systems and banks you are using.”
Tom Hunt, director of treasury services for AFP, agreed. “I think this is the ideal situation, but in practice it rarely occurs,” he said.
About the Author
Andrew Deichler is Editorial Manager at the Association for Financial Professionals, a US-headquartered professional society that represents finance executives globally. This article first appeared in afponline.org under the title “Report: CFOs Are the Prime Targets of BEC Scammers.” It was re-edited for clarity and conciseness.
Copyright © 2017 Association for Financial Professionals. All rights reserved.