When cyber pirates prowl at C level: The billion-dollar scam behind business email compromises
It can happen to anyone in your organization: He or she receives an email requesting an electronic funds transfer for a legitimate business need. It looks like it came from the CEO or some other senior executive and on the surface meets legitimate requirements. Thus the transaction gets approved and completed.
And before any flag is raised, your company has lost money to a fraudster.
This scenario happens so often that the FBI estimates domestic and international losses associated with these crimes amount to $5.3 billion. According to a public service announcement the bureau issued in May, losses soared close to 2400 percent just between January 2015 and December 2016. The FBI has even introduced a process financial institutions can follow should they encounter this fraud type.
Business email compromises (BEC), also known as “CEO fraud,” continue to skyrocket. Highly profitable to criminals, BEC targets the potential high transaction value of electronic funds transfers. And fraudsters, ever resourceful in their malfeasance, have turned to subversive means to steal from organizations, such as impersonating executives.
Losses of this type average $67,000 each, a stunning 33 times the average loss for consumer checking fraud. Individual incidents can and do easily run to seven figures, which could bankrupt a smaller business. A notable recent CEO fraud instance led to a loss of $55 million. It remains one of the largest CEO frauds ever committed, and the fallout couldn’t have been more heartbreaking for the innocent executive: CEO Walter Stephan of FACC, an Austrian aircraft component manufacturer, eventually lost the job he’d held for 17 years.
To combat these attacks, organizations need to implement advanced and accurate multi-layered security controls. These range from internal process controls (which teach employees how to spot fraud) to solutions that analyze patterns and flag potential frauds before the transactions go to the settlement systems.
C-level executives and other leaders within organizations can consider these four protocols to prevent CEO fraud:
- Create special, risk-based processes for approving unusual transfer requests. For example, establish specific amount thresholds (requests for $10,000 or greater, for example) and leverage analytics to flag destinations outside of the continent or behavioral deviations such as a new beneficiary account or a request coming from someone who does not normally initiate payments. These can trigger a second review, adding a security layer for any request that seems contrary to the organization’s normal activity.
- Outsource the review of transfer requests. Use an accountant or financial assistant outside your company to review wire transfers in-depth to prevent unintended fraud activity.
- Scan your email system regularly. Fraudsters hack into email servers and mailboxes and send counterfeit requests from authentic C-level email addresses. This becomes almost impossible to trace when the criminal deletes the outgoing messages. Routine testing of servers, along with regularly updating passwords, aids in preventing these hacking attacks.
- Use analytics and predictive techniques for real-time detection. Companies determined to fight CEO fraud can partner with outside vendors to build predictive models based on company-specific data, consortium data or a hybrid of the two.
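The first of the four protocols above is concrete enough to show in code. The following Python sketch is an added example, not code from the original article or from Fiserv: it scores each outbound transfer request against a fixed amount threshold, a destination outside the home continent, and behavioral deviations from the organization’s own settled history (new beneficiary, changed beneficiary account, unusually large amount, request from a mailbox that does not normally initiate payments), and routes anything that trips a rule to a second reviewer. The threshold values, the continent lookup, the baseline and the sample requests are constructed assumptions for illustration.

```python
"""Risk-based second-review trigger for outbound transfer requests.

Added example (not Fiserv's or BAI's code). Thresholds, the country-to-
continent table, the baseline and the sample requests are constructed
assumptions; a real deployment would take them from the treasury system.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Set

# Assumed policy values (hypothetical; tune to the organization's own activity).
AMOUNT_THRESHOLD = 10_000.00   # any request at or above this gets a second review
DEVIATION_FACTOR = 3.0         # request > 3x the beneficiary's historical mean is unusual
HOME_CONTINENT = "NA"

# Minimal constructed lookup; a real system would use a full ISO 3166 table.
CONTINENT_OF: Dict[str, str] = {
    "US": "NA", "CA": "NA", "MX": "NA",
    "DE": "EU", "AT": "EU", "GB": "EU",
    "CN": "AS", "HK": "AS", "NG": "AF",
}


@dataclass
class TransferRequest:
    request_id: str
    requested_by: str          # mailbox that asked for the transfer
    beneficiary: str           # payee name
    beneficiary_account: str   # destination account identifier
    amount: float
    destination_country: str   # ISO 3166-1 alpha-2 code


@dataclass
class Baseline:
    """What 'normal' looks like, built from the organization's own settled history."""
    history: Dict[str, List[float]] = field(default_factory=dict)   # beneficiary -> past amounts
    known_accounts: Dict[str, Set[str]] = field(default_factory=dict)  # beneficiary -> accounts used
    usual_requesters: Set[str] = field(default_factory=set)          # mailboxes that normally initiate


def review_flags(req: TransferRequest, base: Baseline) -> List[str]:
    """Return the reasons a request should go to a second reviewer (empty list = none)."""
    flags: List[str] = []

    # 1. Fixed amount threshold.
    if req.amount >= AMOUNT_THRESHOLD:
        flags.append(f"amount {req.amount:,.2f} >= threshold {AMOUNT_THRESHOLD:,.2f}")

    # 2. Destination outside the home continent (unknown country counts as outside).
    if CONTINENT_OF.get(req.destination_country) != HOME_CONTINENT:
        flags.append(f"destination {req.destination_country} outside home continent")

    # 3. Behavioral deviations from the organization's normal activity.
    past = base.history.get(req.beneficiary)
    if not past:
        flags.append("no payment history for beneficiary")
    elif req.amount > DEVIATION_FACTOR * mean(past):
        flags.append(f"amount exceeds {DEVIATION_FACTOR:g}x historical mean {mean(past):,.2f}")

    if req.beneficiary_account not in base.known_accounts.get(req.beneficiary, set()):
        flags.append("beneficiary account not previously used for this payee")

    if req.requested_by not in base.usual_requesters:
        flags.append(f"request originated from unusual mailbox {req.requested_by}")

    return flags


def needs_second_review(req: TransferRequest, base: Baseline) -> bool:
    return bool(review_flags(req, base))


# Constructed baseline and sample requests (not real data).
SAMPLE_BASELINE = Baseline(
    history={"Acme Parts Inc": [4200.0, 3900.0, 4500.0, 4100.0]},
    known_accounts={"Acme Parts Inc": {"US-ACCT-1234"}},
    usual_requesters={"ap-clerk@example.com"},
)

SAMPLE_REQUESTS = [
    # Routine: known vendor, usual amount, usual account, usual requester.
    TransferRequest("R1", "ap-clerk@example.com", "Acme Parts Inc", "US-ACCT-1234", 4300.0, "US"),
    # CEO-fraud pattern: executive mailbox, new payee, new account, abroad, large amount.
    TransferRequest("R2", "ceo@example.com", "Global Holdings Ltd", "HK-ACCT-9876", 250000.0, "HK"),
    # Subtle: known vendor, but a changed account and a jump in amount.
    TransferRequest("R3", "ap-clerk@example.com", "Acme Parts Inc", "CN-ACCT-5555", 14800.0, "CN"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        flags = review_flags(r, SAMPLE_BASELINE)
        print(f"{r.request_id}: {'SECOND REVIEW' if flags else 'auto-approve'}")
        for f in flags:
            print(f"    - {f}")
```

Run stand-alone, R1 passes with no flags, R2 trips every rule, and R3 (the harder case, where only the account and the amount changed for a trusted vendor) is still caught by the account and deviation checks. The point of returning the reasons rather than a bare yes/no is that the second reviewer sees what was unusual and can phone the vendor or executive through a known-good channel before the payment reaches settlement.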
Consumers and businesses expect access to their money and payments in real time—and as more real-time settlement systems come on line globally, the risk of potential fraud grows. The faster the money moves, the faster it can be lost in fraudulent situations. Fraud involving these types of transfers threatens organizations of any size. In offering a fast, convenient way to send payments to vendors, clients and partners, an organization must also have a robust defense system in place.
CEO fraud is for real. No executive who has worked for years to earn their good name should have it stolen for the sake of a bad deed.
Andrew Davies is the vice president of global market strategy and financial crime risk management for Fiserv.