In March of 2018, the director of the Dutch branch of the Pathé film company received an email from the CEO: “We are currently carrying out a financial transaction for the acquisition of a foreign corporation based in Dubai. The transaction must remain strictly confidential. No one else has to be made aware of it in order to give us an advantage over our competitors.”
After some back and forth, the employee transferred €800,000. In the days after, more requests were made and subsequently fulfilled, resulting in a total of €19 million transferred. Only afterwards did they discover these emails weren’t sent from the CEO at all, but instead from a spoofed email address set up to impersonate Pathé’s chief executive.
Situations like this are more common than you might think
While there were certainly a number of red flags that Pathé’s employee could have picked up on, business email compromise (BEC) schemes are actually a common form of cyberattack — and often successful.
This month, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, released an updated advisory on BEC schemes. The new advisory reflects just how easy it is for someone to gather information on an organization and pose as a boss in order to mislead employees into transferring funds to an outside account.
In fact, instances of email scams are increasing. As the report states, the number of successful email scams has more than doubled between 2016 and 2018, with an average of over $300 million per month in attempted thefts. What’s more, the advisory shows these attacks are moving beyond traditional wire-transfer schemes to include virtual currency payments, automated clearing house transfers and even purchases of gift cards.
How it Happens
According to the advisory, scammers have become successful in impersonating leaders within an organization by identifying vulnerabilities within the targeted company. They accomplish this in two main ways.
The first method is by gathering publicly available information. This could include information listed on an organization’s website, or even employee information found on LinkedIn and other social media sites.
The second method is more nefarious, including “cyber-related reconnaissance efforts.” In other words, scammers gather more intimate information on an organization through methods such as phishing campaigns and malware.
What You Should Do
Of course, organizations cannot respond to these risks by closing themselves off to the outside world. Publicizing what your business does and speaking with potential customers is an important part of how businesses grow. However, there are common-sense steps organizations can take to prevent the success of these email schemes.
The FinCEN advisory suggests all organizations should assess their risk around business processes and practices. It recommends that all organizations put in place a multi-faceted verification process for all electronic transactions. For instance, before any funds are transferred, steps need to be taken to verify that all participants in the transaction are who they say they are. This includes using multiple means of communication (email, phone, etc.) and contacting others authorized to conduct transactions. Organizations should also put in place a step-by-step policy for transferring funds both within and outside the organization.
The bottom line is that email schemes succeed because someone’s been tricked. All organizations need to invest in proper training and awareness-building. In fact, after the attack, Pathé’s CFO stated that the company “never trained or instructed him to identify fraud.”
BEC schemes can target employees at any level of your organization. Taking the time to teach all employees to identify fraudulent emails, and even simulating phishing campaigns, can go a long way toward preventing email scams from taking place.
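As an added illustration (this is not code from the original article, FinCEN or Pathé), here is a small Python screener that applies the same checks employees and mail filters are taught to look for in a message like the one Pathé received: the display name matches a known executive but the address does not, the sender domain is a near-miss of the corporate domain, the Reply-To header points somewhere else, and the text uses urgent or confidential payment language. The corporate domain, the executive directory and the two sample messages are constructed assumptions for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed organization data (assumptions for this example).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> genuine address
PAYMENT_TERMS = ("confidential", "urgent", "wire", "transfer", "acquisition")


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return the list of BEC warning signs found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    flags = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. Display name of a known executive, but a different mailbox.
    if name.strip().lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.strip().lower()]:
        flags.append("display-name impersonation")

    # 2. Sender domain is a near-miss of the corporate domain.
    if from_domain != CORPORATE_DOMAIN and 0 < levenshtein(from_domain, CORPORATE_DOMAIN) <= 2:
        flags.append("lookalike sender domain")

    # 3. Replies are routed to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply-to domain mismatch")

    # 4. Urgent / confidential payment language in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if sum(term in text for term in PAYMENT_TERMS) >= 2:
        flags.append("urgent/confidential payment language")

    return flags


# Constructed sample messages.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo-office@mail-relay.example>
To: finance@example.com
Subject: Confidential acquisition

We are carrying out a confidential transaction for an acquisition.
Please wire the funds today and keep this between us.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Lunch

Are we still on for lunch Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, "->", bec_indicators(sample) or "no indicators")
```

A hit on any single check is a reason to pause; the spoofed sample trips all four, which is exactly the profile the FinCEN advisory tells organizations to verify out of band (by phone or through another authorized person) before any funds move.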