The email came in like any other, from the company chief executive to his finance officer.

"Hey, the deal is done. Please wire $8m to this account to finalise the acquisition ASAP. Needs to be done before the end of the day. Thanks."

The employee thought nothing of it and sent the funds over, ticking it off his list of jobs before heading home.

But alarm bells started to ring when the company that was being acquired called to ask why it had not received the money.

An investigation began - $8m was most definitely sent, but where to? We will never know.

Some of the money was clawed back by the banks, but most was lost to hackers who may have cashed out using an elaborate money-laundering network or simply moved on to the next victim.

Meanwhile, the finance officer is left feeling terrible and the company is left scratching its head. After all, the email had come ostensibly from the boss's address and his account had not been hacked.

It was left to cyber-security experts to break the bad news to the firm: emails are not to be trusted.

CEO Fraud

This is a real-life example of a cyber-attack known as Business Email Compromise, or CEO Fraud. The attacks are relatively low-tech and rely more on social engineering and trickery than traditional hacking.

Cyber-criminals simply spoof the email address of a company executive and send a convincing request to an unsuspecting employee. The message looks just as though it has come from the boss - but it has been sent by an imposter.

There is usually a sense of urgency to the order, and the employee simply does as they are told - maybe sending vast amounts of money to criminals by
since 2016.

Earlier this month, 281 suspected hackers were arrested in 10 different countries as part of a massive takedown operation of global cyber-crime networks based on the scams.
Ryan Kalember, executive vice-president of cyber-security strategy at Proofpoint, said: "Business Email Compromise (BEC) is the most expensive problem in all of cyber-security. There is not a single other form of cyber-crime that has the same degree of scope in terms of money lost."

Proofpoint was appointed to deal with the CEO Fraud incident described in this article.

Mr Kalember and his team have seen the tactics evolve during the past year and have some interesting observations and warnings for potential victims.

Non-executive targets

The traditional targets for BEC attack are the "C-suite" figures of major companies, such as chief executive officers or chief finance officers. But recently, criminals have been going for lower-hanging fruit.

"The 'very attacked people' we now see are actually rarely VIPs. Victims tend to have readily searchable emails or easily guessable shared addresses.

"VIPs, as a rule, tend to be less exposed as organisations are generally doing a fairly good job of protecting VIP email addresses now," Mr Kalember added.

The trend has also been noticed by cyber-security company Cofense. In some cases, employees' emails are spoofed and the attacker asks the human-resources department to send a victim's wages to a new bank account.

"A smaller but much wider reward system will be a deliberate attempt to fly below the radar to target financial processes that are likely to have weaker controls, yet still produce attractive returns," said Dave Mount, from Cofense.

Monday warning

Another method being seen more regularly is scam emails sent on Monday morning. According to Proofpoint, more than 30% of BEC emails are delivered on Mondays as hackers try to capitalise on weekend backlogs. They hope "social jetlag" will mean employees are more easily fooled by fake emails and other social-engineering tricks.

"Attackers know how people and offices work. They depend on people making mistakes and have a lot of experience with what works. This is not a technical vulnerability, it's about human error," said Mr Kalember.

Fake Forward

Fake email threads are part of another technique that has evolved. Attackers start the subject lines of their emails with "Re:" or "Fwd:" to make it look like their message is part of a previous conversation. In some cases, they even include a bogus email history to establish apparent legitimacy.

According to researchers, fraud attempts that use this technique have increased by more than 50% year-over-year.
Mr Kalember says all these trends follow a predictable pattern based on our own behaviour.

"One of the reasons why this is a particularly difficult problem to stamp out is that it relies on the systemic risk of all of us trusting email as a means of communication," he said.

Unfortunately for businesses and unwitting employees, BEC is unlikely to go away. Email spoofing is technically very simple, and free-to-use online services offer a low barrier to entry.

But there are lots of things companies and employees can do - including being vigilant and aware of the attacks. Companies could insist on so-called two-factor verification before a payment is sent.
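The indicators described in this article (an executive's name on an outside address, a "Re:"/"Fwd:" subject with no real thread behind it, urgent payment wording, Monday delivery) can be checked mechanically by a mail gateway before a finance inbox ever sees the message. The following Python triage check is an added example, not code from the article, Proofpoint or Cofense; the executive directory, trusted domain, keyword list and the sample message are all constructed, and the Reply-To check is an extra heuristic beyond what the article lists.

```python
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed (hypothetical) executive directory and company domain.
EXEC_NAMES = {"Jane Doe"}
TRUSTED_DOMAINS = {"example.com"}
URGENCY = ("asap", "end of the day", "urgent", "wire", "transfer")

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def bec_indicators(raw: str) -> list:
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    # Executive's display name, but the address is outside the company domain.
    if name in EXEC_NAMES and domain_of(addr) not in TRUSTED_DOMAINS:
        flags.append("exec-name-external-domain")
    # Replies would go to a domain other than the apparent sender's.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append("reply-to-mismatch")
    # "Re:"/"Fwd:" subject with no In-Reply-To/References: a fabricated thread.
    subject = msg.get("Subject", "").lower()
    if subject.startswith(("re:", "fwd:", "fw:")) and not (
            msg.get("In-Reply-To") or msg.get("References")):
        flags.append("fake-thread")
    # Urgent payment wording in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(word in text for word in URGENCY):
        flags.append("urgent-payment-language")
    # Delivered on a Monday (weekday() == 0), when weekend backlogs are cleared.
    date = msg.get("Date")
    if date and parsedate_to_datetime(date).weekday() == 0:
        flags.append("monday-delivery")
    return flags

# Constructed sample modelled on the wire request quoted in the article.
SPOOFED = """\
From: Jane Doe <jane.doe@example-co.com>
Reply-To: jane.doe.ceo@mail-host.example
Subject: Re: acquisition
Date: Mon, 06 Jan 2020 08:12:00 +0000

Hey, the deal is done. Please wire $8m to this account ASAP.
Needs to be done before the end of the day. Thanks.
"""
```

A message that trips several of these flags is a candidate for holding until the out-of-band payment verification mentioned above has been completed, not for automatic rejection.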
All of this, of course, relies on people taking a step back from what is often strived for in the workplace - speed and efficiency.

Action Fraud and the UK's National Fraud Intelligence Bureau (NFIB) operate a 24/7 hotline on 0300 123 2040 for businesses to report live