Back in 2016 we highlighted a scam in Australia, favoured by external fraudsters and apparently involving organised criminal elements. We’re still seeing variants of this fraud, some of which are, unfortunately for the organisations concerned, succeeding.
Let’s start with the history of this scam’s modus operandi (MO), its many variants, and how to help protect your organisation. The purpose of this article is not to raise your scepticism to the “Trust No One” extremes of The X-Files’ legendary investigator, Fox Mulder; rather, it is to have you consider that even a mildly elevated level of awareness and caution goes a long way towards avoiding becoming a victim.
The US Federal Bureau of Investigation (FBI) and Interpol started tracking a global proliferation of these more advanced email-enabled scams back in 2013. They dubbed this scam “Business Email Compromise” (BEC)*. The basic premise is as follows:
- The perpetrator adopts or hijacks the electronic identity of a trusted supplier or employee (most often a senior manager or C-suite member). An identity may be adopted by researching social media and other internet resources, then using a ‘lookalike’ email address or display name together with stolen brand imagery. In some instances it is achieved through a more sophisticated hijack, gaining access to the real user ID and password, either to gather ‘intel’ or to conduct the scam from the genuine mailbox. This can occur through a rogue ‘free’ WiFi network, a malware infection, or exploitation of weaknesses in common apps on smart devices.
- Communication is made with an employee of the target organisation, usually in a finance, accounts payable or payroll function (i.e. those with access to pay cash, change bank details, or access sensitive information).
- This communication often starts with ‘grooming’ the employee to build rapport and create trust with the perpetrator.
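The lookalike addresses, spoofed display names and mailbox hijacks described above leave traces in the message headers that a mail gateway or a finance team’s triage script can check before anyone acts on the request. The following is an added example (it is not code from the original article or from any named organisation) that applies three heuristics to an inbound message: does the From domain imitate a domain we already trust (confusable characters such as ‘rn’ for ‘m’ or ‘1’ for ‘l’, small edit distance, or the same first label with a different suffix); does the display name belong to one of our executives while the domain does not; and does Reply-To point somewhere other than the From domain. The trusted domains, executive list and the three sample messages are constructed for the illustration.

```python
"""Header heuristics for BEC triage (added example, not the article's own code).
TRUSTED_DOMAINS, EXECUTIVES and the sample messages are constructed."""
import email
from email.utils import parseaddr

# Constructed: domains the organisation already deals with, and executives whose
# display names are attractive to impersonate, mapped to their genuine domain.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com.au"}
EXECUTIVES = {"jane doe": "example.com"}

# Digits attackers substitute for visually similar letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain: str) -> str:
    """Fold common confusable spellings so 'exarnple' compares equal to 'example'."""
    d = domain.lower().strip().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain.lower() in TRUSTED_DOMAINS:
        return None
    d = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalise(trusted)
        # Near-identical after normalisation, or the same first label under a
        # different suffix (acme-supplies.com imitating acme-supplies.com.au).
        if levenshtein(d, t) <= 2 or d.split(".")[0] == t.split(".")[0]:
            return trusted
    return None


def analyse(raw_message: str) -> list:
    """Run the checks over one RFC 5322 message and return human-readable findings."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"From domain {from_domain} resembles trusted {imitated}")

    # Executive display name on a domain that is not the executive's real one.
    real_domain = EXECUTIVES.get(name.strip().lower())
    if real_domain and from_domain != real_domain:
        findings.append(f"display name '{name}' is an executive but domain is {from_domain}")

    # Reply-To steering replies away from the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
        imitated = lookalike_of(reply_domain)
        if imitated:
            findings.append(f"Reply-To domain {reply_domain} resembles trusted {imitated}")
    return findings


# Constructed sample messages: a genuine request, a lookalike-domain request,
# and a spoofed From with a lookalike Reply-To.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Invoice approval

Please process the attached invoice.
"""

LOOKALIKE = """From: Jane Doe <jane.doe@exarnple.com>
To: accounts@example.com
Subject: Urgent transfer

Need this paid before 5pm today.
"""

REPLY_TO = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@examp1e.com
To: accounts@example.com
Subject: Updated bank details

Our account has changed, see below.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("reply-to", REPLY_TO)):
        print(label, analyse(raw) or ["no findings"])
```

None of these checks is conclusive on its own; a legitimate supplier may genuinely have changed domains, and a hijacked mailbox passes all three, which is exactly why the call-back to a known phone number described later in the article remains the control that matters. The value of the script is in flagging the request for that call before the payment is keyed.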
At some point the perpetrator drives the employee to take an action, being either to:
- provide the perpetrator/s with a copy of the organisation’s finance manual (or similar)
- make an ‘urgent’ electronic funds transfer (EFT) to a specific bank account (usually intentionally sent late in the business day)
- change a valid supplier or employee’s bank account
If the EFT or any further payments succeed, the money is usually moved quickly, transferred or split across accounts at other banks, until it is sent overseas or withdrawn through the compromised bank account of some other unsuspecting victim (a layering pattern often seen in money laundering).
The alarm is raised only when the supplier or employee becomes aware they haven’t received their payment. Often this is after multiple payments have been made, giving the perpetrator ample time to siphon off the funds, making recovery hard if not impossible and leaving the victim with no recourse except, possibly, insurance if they are covered.
By now you’re probably thinking, thanks Sarah, another risk to worry about. But, never fear, the answer to help you mitigate this risk is here.
Education is critical to success. Make your employees aware of this scam (and its many variants) and keep it front of mind. Unlike many vaccinations and antibodies, ‘awarebody’ defences can fade quickly over time, so provide your employees with training ‘boosters’ to build an ongoing, resilient defence against emerging variants.
Policies and procedures
Check that your policies, procedures and controls are designed and operate effectively to mitigate these specific types of scam. For example, any request for money or for a change of bank details should be verified with a call to a phone number already on file, never one supplied in the request itself. Supplement this with a follow-up notification to a secondary or secure email address to notify the supplier or employee.
Empower your employees to trust their ‘gut’ or ‘spidey sense’ and check with a colleague or line manager if they feel uncertain, even if the request appears to come from the CEO. The small amount of extra time is insignificant compared with the impact of a successful scam. In addition, it’s important that the organisation’s reporting avenues are open and that reports are actioned appropriately.
Agreed consistent response
Know how to respond if the ‘unthinkable’ but hopefully avoidable occurs. Whilst Ghostbusters may be foremost in your mind when asked, “Who you gonna call?”, it’s imperative to have an incident response plan in place. Time is of the essence: every passing moment reduces the likelihood of the funds being recovered.
Organisations that may need to be contacted include the following:
- Your organisation’s bank and the bank to which the funds were transferred, to see whether the funds can be halted or returned.
- Local law enforcement and the Australian Cybercrime Online Reporting Network (ACORN), to consider what criminal investigation may ensue.
- Your organisation’s insurance company, assuming you have relevant insurance in place.
Lastly, whilst such a scam may bear the hallmarks of an external Business Email Compromise attack, any investigation should remain conscious of the ‘insider threat’. There are examples where the attack has involved collusion with, or been entirely perpetrated by, a staff member or vendor.
So I’m wondering how you feel now. Concerned about scams? Very wise. More aware? Absolutely!