An alarming increase in the number of email scams impersonating CEOs and senior management of companies operating in the Asia-Pacific region represents a serious threat that must be addressed proactively to avoid large financial losses, according to EY Fraud Investigation & Dispute Services (FIDS).
Variously termed ‘business email crime’, ‘CEO email fraud’ or ‘bogus boss email scam’, this type of crime involves cybercriminals impersonating business leaders in order to deceive companies into transferring funds to accounts the criminals control. Recent figures from the US Federal Bureau of Investigation estimate that the crime has cost businesses more than US$2bn globally in a little over two years.
“Five years ago email fraud wasn’t on the radar. However, in the last 18-24 months we have seen a significant increase in the volume of investigative work focusing on various types of email scams in Asia-Pacific. What remains alarming is that many companies are still not taking simple steps to avoid becoming a victim of this type of crime,” said Chris Fordham, APAC FIDS leader.
Business email crime relies heavily on social engineering: criminals research their potential targets extensively using online resources, company reports and social media. This reconnaissance phase can take anywhere from a month to six months or longer, depending on the type and nature of the scam.
In the current variant, the fraudulent emails purport to come from a senior executive such as the CEO, CFO or head of finance and instruct finance staff to wire funds urgently to external accounts, citing a “confidential” or “critical” matter as the reason.
All too often the staff who receive these emails lack the confidence to question or refuse an instruction that appears to come from senior management, so they bypass the existing payment controls and transfer the funds as requested.
“The emails being sent by these cybercriminals are very well crafted. The perpetrators will usually use compromised email accounts or spoof accounts that imitate the email addresses of staff with authority in the business. They will also often mirror the tone of the targeted executive and may even accurately reference the fact that the person is overseas for business at the time. These criminals do their research extremely well, which is why many companies are increasingly falling foul of this type of crime in APAC,” said Fordham.
According to EY FIDS, business email crime does not appear to focus on any specific industry. Criminals often seek out organisations that have multiple offices across multiple countries, are publicly listed, or have company information that is easily accessible, because such organisations are easier to research and their staff are used to dealing with executives they rarely see in person.
“Not only are we seeing an increasing amount of this type of fraud, it is also becoming remarkably indiscriminate. This means it’s not just something that only one sector needs to be aware of and guard against. As criminals become more sophisticated and inventive, organisations need to step up and put measures in place to protect themselves,” said Fordham.
The measures, software and monitoring that companies need to put in place do not have to be costly, according to EY FIDS; process and education play the key role in making sure employees are aware of business email crime and know how to respond to a suspicious request.
How to address the growing trend
EY FIDS recommends that organisations, as a minimum, consider the following initiatives to address this growing trend:
- Effective accounting controls and processes – Require every payment to be approved by a second employee, and verify any unusual or urgent request with the purported requester through a channel other than email, for example a phone call to a number already on file rather than one given in the message. Ensure the employees who approve such transactions are continually educated about these types of cyber threats.
- Internal communication – Create a culture in which not every step of the payment process is handled by email, so that staff build personal working relationships. An employee who knows how an executive normally writes and makes requests is far more likely to notice when the tone, wording or nature of a fraudulent email does not match the genuine person.
- Email security – Email security software can detect and block known phishing emails and malware attachments, but a well-crafted business email crime message often carries neither: it is plain text sent from a compromised mailbox or from an address that imitates the executive's. Sender authentication on the company's own domains (SPF, DKIM and DMARC) and checks for lookalike domains, mismatched Reply-To addresses and external senders using executive display names address that gap. Companies should also undertake forensic analysis of network traffic and mail logs to identify existing weaknesses or signs of attack. In addition, software must always be supplemented with training campaigns that teach employees about these threats and how not to be fooled by them.
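As an added example (this is not EY's code and is not taken from the article), the following Python script applies the indicators described above to raw email messages: an executive's display name arriving from an outside or lookalike domain, a Reply-To header that diverts replies to a different domain, and urgent, confidential wire-transfer wording. The company domain, the executive names and the two sample messages are constructed for illustration. A real deployment would run the same logic at the mail gateway and combine it with SPF/DKIM/DMARC results, which a script working from message text alone does not have.

```python
"""Added example (not EY's code): flag inbound mail that impersonates an executive.
Domains, names and the sample messages below are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

COMPANY_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
EXECUTIVES = {  # assumption: display names that warrant extra scrutiny
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
URGENCY = re.compile(r"\b(urgent|confidential|wire|transfer|immediately|today)\b", re.I)
CHAR_MAP = str.maketrans("0135", "oles")  # digits commonly substituted for letters


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Undo common homoglyph tricks (examp1e, exarnple) before comparing domains."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(CHAR_MAP)


def is_lookalike(domain: str) -> bool:
    """True if the domain is not ours but is within one edit of one of our domains."""
    if domain in COMPANY_DOMAINS:
        return False
    norm = normalize_domain(domain)
    return any(edit_distance(norm, normalize_domain(d)) <= 1 for d in COMPANY_DOMAINS)


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message (walk() yields a single part too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw: str) -> dict:
    """Return the impersonation indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = []

    internal = from_domain in COMPANY_DOMAINS
    if from_name.strip().lower() in EXECUTIVES and not internal:
        findings.append(f"executive display name '{from_name}' on external address {from_addr}")
    if from_domain and is_lookalike(from_domain):
        findings.append(f"lookalike sender domain {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    hits = {m.lower() for m in URGENCY.findall(msg.get("Subject", "") + " " + body_text(msg))}
    if len(hits) >= 2:
        findings.append("urgent payment wording: " + ", ".join(sorted(hits)))

    # A compromised genuine mailbox passes the domain checks, so the wording and
    # Reply-To indicators are evaluated for internal senders as well.
    return {"from": from_addr, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages (not real traffic).
SPOOFED_EMAIL = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jd.ceo-office@mail-relay.invalid>
To: payments@example.com
Subject: Urgent wire transfer - confidential

I am in meetings overseas all day. Please transfer USD 48,500 today to the
account below and keep this confidential until I am back.
"""
LEGITIMATE_EMAIL = """\
From: Jane Doe <jane.doe@example.com>
To: payments@example.com
Subject: Q3 board pack

Attached is the draft for review before Thursday.
"""

if __name__ == "__main__":
    for raw in (SPOOFED_EMAIL, LEGITIMATE_EMAIL):
        print(analyze(raw))
```

Running the file prints one result per sample: the spoofed message trips all four indicators (executive name on an external address, the lookalike domain examp1e.com, a diverted Reply-To, and urgent payment wording), while the genuine message produces no findings. The threshold of two findings for "suspicious" is an arbitrary starting point; in practice the score would feed a quarantine or a banner warning the recipient to verify by phone, and a message that passes every header check can still be fraud sent from a compromised executive mailbox, which is why the procedural controls above remain necessary.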