If there is one thing you can be sure of in the world of financial services, it is that, as surely as the sun will come up tomorrow, the regulators will be on your doorstep regulating. At Patrina, we know knowledge is power. That’s why we want to give you plenty of it. We’re teaming up with industry leaders to give you their boots-on-the-ground perspectives on regulatory compliance and living under the watchful gaze of an entire alphabet of regulators.
At Patrina, our mission is to give you the tools to take charge of your business and take charge of compliance. Fines are expensive. Compliance doesn’t have to be. Read on to hear what David Zweighaft, CPA/CFF, Managing Director of DSZ Forensic Accounting & Consulting Services, had to say about the growing risk of Executive Impersonation, or click here to access the entire whitepaper… and let’s talk.
The new cyber attack — executive impersonation
The disclosure of data breaches continues to worry consumers and corporations every day. Now there is a new and growing cyber attack risk that has gone largely unreported: Business Email Compromise (BEC). In 2015 the FBI’s Internet Crime Complaint Center (IC3) issued three Public Service Announcements related to the use of a company’s email system to criminally extract funds, noting that in 2014 US companies lost $179 million. The scheme is a variation of the practice of spear phishing, where spoofed or fraudulent emails are directed at company personnel in an attempt to obtain account numbers, access codes or other sensitive information. This newest incarnation, Executive Impersonation, is more sophisticated, requires significant research and diligence on the part of the criminal hacker, and can have a huge financial impact on the victim company.
Executive Impersonation occurs when the criminal creates a fake email that closely resembles the company’s own email, and appears to come from a high-ranking executive. The recipient is an unsuspecting mid- or lower-level employee, selected for his or her access and authority to transfer large sums of money between subsidiaries or to suppliers on behalf of the company.
BEC scams usually begin in one of two ways:
Sophisticated hackers, however, usually research their target and the company as a whole in order to craft highly convincing emails. Using information gleaned from mining corporate web pages and social networks, the impersonations used in the BEC emails can be extremely accurate and convincing. Since the email appears to come from a known and trusted source, the request to release valuable data or to take urgent action appears more plausible.
In order for a BEC scheme to be successful, the criminal researches social media, the business press and other company resources to get information about:
This information is then translated into a carefully crafted “look-alike” email, purportedly coming from the executive, requesting an emergency transfer, immediate payment of an urgent invoice, or making a payment in anticipation of an undisclosed merger or secret acquisition. The request is usually characterized by a high degree of urgency (“ASAP” or “immediately”).
The psychology behind BEC’s success is that the employee is motivated to be responsive to the executive’s request, and is willing to bypass the typical controls associated with a normal wire transfer request. The more credible the appearance of the email, and the more authentic the tone and wording of the message, the more likely it will succeed. To enhance the authenticity of the scheme, the fraudulent email generally contains attachments on company letterhead directing the target employee to wire corporate funds to a particular person (usually a trusted vendor contact) at an overseas bank.
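As an added illustration of the traits described above (a sender domain that closely resembles the company's own, an executive's name, urgent wording and a payment request), the following Python example flags them in an inbound message. It is not from the whitepaper; the company domain, executive name, keyword lists and sample messages are assumptions constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this example: replace with your own domain and executive names.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
URGENCY = ("asap", "immediately", "urgent")
PAYMENT = ("wire", "transfer", "invoice", "payment")

def edit_distance(a, b):
    """Levenshtein distance; small values mean near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_findings(raw):
    """Return the BEC indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (part.get_content() if part else "")).lower()
    findings = []
    if domain != COMPANY_DOMAIN:
        if edit_distance(domain, COMPANY_DOMAIN) <= 2:
            findings.append("lookalike-domain")
        if name.lower() in EXECUTIVES:
            findings.append("executive-name-from-external-domain")
    if any(w in text for w in URGENCY) and any(w in text for w in PAYMENT):
        findings.append("urgent-payment-request")
    return findings

# Constructed sample messages (not real mail).
LOOKALIKE = ("From: Jane Doe <jane.doe@examp1e.com>\nTo: ap.clerk@example.com\n"
             "Subject: Wire needed ASAP\n\nPlease send the wire transfer immediately.\n")
INTERNAL = ("From: Jane Doe <jane.doe@example.com>\nTo: ap.clerk@example.com\n"
            "Subject: Team lunch\n\nSee you at noon on Friday.\n")

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("internal", INTERNAL)):
        print(label, bec_findings(raw))
```

A message that raises several indicators at once is a candidate for holding the payment until the request is confirmed through a separate channel.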
Every investment carries a certain amount of risk. But that’s not what keeps regulators up at night. Rather, it’s bad actors acting badly. That’s why compliance matters. And that’s what keeps compliance professionals like you up at night. So let’s talk (212-233-1155). Ask about Patrina’s comprehensive, 8-module compliance solution and compliant data capture, file storage, and records archiving specifically designed for the financial services community. We’ve got you covered.