Have you trained your employees to be on the lookout for bogus emails?
I don’t mean the typical malicious emails that fill our inboxes every day, claiming to be phony fax machine notifications or bogus invoices.
Those all-too-familiar types of emails can carry malicious payloads, but what I think you should increasingly be wary of are the emails that claim to come from your senior members of staff.
In recent months a series of companies have fallen foul of business email compromise (BEC) attacks, where scammers have impersonated executives in order to steal sensitive information or initiate unauthorised wire transfers.
Past corporate victims have included Snapchat and Seagate, where employees were duped into believing that they were helping out a senior member of their management team when they sent out IRS W-2 tax forms.
Sadly, the data (which included workers’ social security numbers, salaries, and addresses) were instead being sent to an attacker.
But those attacks seem insignificant compared to the business email compromise attack which struck Austrian aerospace parts manufacturer FACC earlier this year.
FACC, whose customers include Airbus and Boeing, explained in January that it had been attacked by fraudsters who stole approximately 50 million Euros, posing as CEO Walter Stephan.
A bogus email, claiming to come from Stephan, asked an employee to transfer the huge sum to an account for what turned out to be a fake acquisition.
The company’s senior management and its finances were both shaken by the incident, which they dubbed the “Fake President Incident”.
FACC’s CEO was fired in February, and this week its 2015/2016 financial results revealed that the company had taken a 41.9 million Euro charge over the fraud, having managed to block 10.9 million Euros from being transferred by the criminals.
But the costs have not ended there. Alongside the revelations in its financial results, FACC also announced that CEO Walter Stephan had been fired with immediate effect:
“The supervisory board came to the conclusion that Mr. Walter Stephan has severely violated his duties, in particular in relation to the ‘fake president incident’.”
Clearly, no company wants to suffer a security incident like this, and no CEO wants to lose their job because of a BEC attack.
But with FBI statistics revealing that billions of dollars are being lost to business email scams and fake CEO fraud, the problem isn’t likely to go away any time soon.
The best defence must incorporate training all members of staff about the dangers of fraudulent email, and teaching them not to be afraid of saying “no” when they receive an urgent email, apparently from a board member, that asks them to move data or transfer money in an unorthodox manner.
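Training is the first line, but a mail gateway or mailbox rule can also flag the shape of message described above before it reaches an employee. The following is an added example, not FACC’s or the author’s code; the company domain, executive names and the two sample messages are constructed for illustration.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed assumptions: the organisation's own mail domain and the
# executives whose names a "fake president" email would borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"walter stephan", "jane doe"}
URGENCY = re.compile(r"\b(urgent|immediately|confidential|wire|transfer|acquisition)\b", re.I)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list[str]:
    """Return the impersonation signals found in one raw RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reasons = []
    # Signal 1: an executive's display name on a non-company sender address.
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        reasons.append(f"executive display name '{name}' from external address {addr}")
    # Signal 2: replies silently routed to a different domain than the sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        reasons.append(f"Reply-To {reply} differs from From domain {from_domain}")
    # Signal 3: urgent payment language, reported only alongside a header signal,
    # since on its own it is far too common in legitimate finance mail.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = sorted({m.lower() for m in URGENCY.findall(msg.get("Subject", "") + " " + text)})
    if reasons and len(hits) >= 2:
        reasons.append("urgent payment language: " + ", ".join(hits))
    return reasons


# Constructed sample messages: one fake-president email and one genuine internal note.
SAMPLE_BEC = """From: Walter Stephan <walter.stephan@example-mail.net>
Reply-To: ceo.office@another-mail.org
To: accounts@example.com
Subject: Urgent and confidential acquisition

Please transfer the funds immediately to the account below.
"""
SAMPLE_OK = """From: Walter Stephan <walter.stephan@example.com>
To: accounts@example.com
Subject: Board lunch

See you at noon.
"""
```

Running `bec_indicators(SAMPLE_BEC)` yields three reasons for the constructed fraud message and an empty list for the genuine one; a real deployment would feed the result into quarantine or a banner, not silent rejection.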
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.