One Friday morning, CEO Carole Gratzmuller emailed her accountant to ask for a money transfer as part of the purchase of an overseas company. By noon, the accountant had done as asked, and transferred £372,000 to foreign bank accounts.
The punchline? Gratzmuller had never sent that email.
Her company was the victim of a cybercrime called executive whaling or business email compromise – a type of fraud that costs UK businesses tens of millions a year.
How does it work?
Cybercriminals pose as top executives or administrators, typically contacting someone in the finance department and requesting that payments be made into bank accounts, often as part of a highly sensitive acquisition, merger or property purchase.
Another scamming scenario is when the cybercriminal takes over a company email account, sends invoices out to suppliers and directs the payments to bogus accounts. Fraudsters may also be after data rather than cash – requesting personnel information, for example.
The contact can be by email, phone or a combination. Sometimes, a second fraudster is brought into play to pose as a lawyer and further legitimise the transaction.
While limited companies and companies with several offices tend to be the most targeted, fraudsters are increasingly going after smaller businesses, as they can be more vulnerable.
What's the fraudsters' secret?
The scammers succeed because they're smart. They use public information from places like LinkedIn and Facebook to make emails utterly convincing. They often stress the urgency, not giving the victim the chance to reflect or question. And they may pick a time when the CEO is out of contact, so that the victim can't double-check.
The first step to protecting yourself and your company is to train your staff in what to look out for. Ensure everyone, not just finance team members, knows how to identify and deal with phishing attacks. Make sure staff know they shouldn't be afraid to query a request.
The most common clues to watch for in emails include clumsy wording and misspellings, slight differences in the company name, email addresses or URL, and suddenly urgent or unusual requests. To be sure, test-phish your staff regularly to see where the vulnerabilities lie.
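The "slight differences in email addresses" clue can be checked automatically before a message reaches the finance team. The script below is an added example, not code from the original article or from Action Fraud: it parses a From: header, folds common character swaps (rn for m, 0 for o) and flags a sender domain that is within two edits of the company domain, or an executive's display name arriving from an unrelated domain such as webmail. The company domain and executive names are constructed placeholders.

```python
"""Flag inbound mail whose sender looks like an impersonated executive."""
import email.utils

# Constructed values for the example: the legitimate company domain and
# the display names of executives whose identity fraudsters might borrow.
COMPANY_DOMAIN = "acme-ltd.com"
EXECUTIVE_NAMES = {"jane doe", "sam accounts"}

# Character swaps fraudsters use to build look-alike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Lower-case the domain and fold look-alike characters to their originals."""
    folded = domain.lower().strip(".")
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'ok', 'lookalike_domain', 'external_exec_name' or 'unparseable'."""
    name, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rsplit("@", 1)[1].lower()
    # Mail from the real domain (or one of its subdomains) passes this check.
    if domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        return "ok"
    # A domain that matches after homoglyph folding, or sits within two edits
    # (acme-ltd.co, acrne-ltd.com), is the classic "slight difference".
    if normalise(domain) == normalise(COMPANY_DOMAIN) or edit_distance(domain, COMPANY_DOMAIN) <= 2:
        return "lookalike_domain"
    # An executive's name on an unrelated domain is the "CEO writing from webmail" pattern.
    if name.strip().lower() in EXECUTIVE_NAMES:
        return "external_exec_name"
    return "ok"
```

Anything other than "ok" is a reason to use the second point of contact from the prevention steps before acting on the message.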
Four steps to cybercrime prevention
- Create a process that allows staff to check whether communication from senior members of staff is legitimate – two points of contact, for example.
- Have a robust policy for money transfers. It should limit wire transactions to relatively small amounts. Anything above that threshold should need further authorisation.
- Identify the executives most at risk – the CEO, managing director and HR, accounting and IT directors, for example. Review their publicly visible information – everything from job descriptions to out-of-office details – to ensure it couldn't be useful to a fraudster.
- Ensure your technical security is up to the job. This could be email filtering, two-factor authentication, wifi access for contractors, or staff access and permission levels, for example.
To report a fraud, call Action Fraud on 0300 123 2040 or use the online fraud reporting tool: https://www.actionfraud.police.uk/news/alert-fraudsters-that-claim-to-be-your-ceo-jul16.