One of our customers who owns a horse farm was recently attacked using a phishing scam often called “CEO Fraud”. In this targeted attack, the customer’s Accounts Payable department was presented with a large invoice that was followed by an email from the owner of the business asking them to please pay it. Both emails were fraudulent and the scam was unsuccessful in this case. But it is easy to see how this could work and, according to the FBI, has worked to the tune of about $2.3 Billion in business losses.
These attacks are not random phishing attacks but rather require research on the part of the attacker to spoof executive email addresses and create a plausible storyline for the target to follow. According to security reporter Brian Krebs, perpetrators of this scam may actually start at the top by gaining access to the CEO (or other executive) email system to generate the payment request.
What You Should Do To Protect Your Business
We think there are two things that a small business should do now to protect themselves from this kind of targeted attack. Traditional automated phishing and antivirus solutions are not fully sufficient to protect against this sort of attack. In this case, like with many social engineering scams, the weakest link is people, not systems.
- Make your staff, especially those in control of paying the bills, aware that such scams are active and relevant to their jobs. Simple awareness of the possibility of this kind of fraud will increase their ability to spot slightly unusual or out-of-band requests for payment.
- Institute policies to verify unique or unusual payment requests. Make sure your staff are empowered to double-check requests, even those coming from the top of the organization, if they are in any way out of the ordinary.
Education and remaining alert to the possibility that even slightly out-of-the-ordinary payment requests are fraudulent are important. As always, the principle behind 2-Factor Authentication is useful here: for emails requesting payment, adopt a policy of verifying the request through a second medium, independent of the email itself.
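One mechanical check that backs up the verification policy above, added here as an example and not code from the original post or the customer's environment: it flags a message whose display name borrows an executive's name but whose address does not match, whose Reply-To routes replies elsewhere, or which asks for payment from outside the business's own domain. The executive list, domain names and sample messages are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed (hypothetical) reference data: executives whose names a spoofed
# message would borrow, and the domain the business really sends from.
EXECUTIVES = {"jane owner": "jane@example-farm.test"}
INTERNAL_DOMAIN = "example-farm.test"
PAYMENT_WORDS = ("invoice", "wire", "pay", "transfer")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def check_message(raw):
    """Return the reasons a message should be held for out-of-band verification."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    # An executive's display name on an address that is not that executive's.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        reasons.append(f"display name '{name}' used with {addr}, not {known}")
    # Replies silently routed somewhere other than the sending domain.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append(f"Reply-To {reply_to} is outside the From domain")
    # A payment request that did not come from the business's own domain.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(w in text for w in PAYMENT_WORDS) and domain_of(addr) != INTERNAL_DOMAIN:
        reasons.append("payment request from an external domain")
    return reasons

# Constructed sample messages: a spoof using a look-alike domain, and a real one.
SPOOFED = """From: Jane Owner <jane@example-farrn.test>
Reply-To: Jane Owner <jane.owner@freemail.test>
To: ap@example-farm.test
Subject: Please pay the attached invoice today

Hi, I approved this invoice, please wire the payment this afternoon. Jane
"""
LEGIT = """From: Jane Owner <jane@example-farm.test>
To: ap@example-farm.test
Subject: Schedule for next week

Can we move the farrier visit to Tuesday?
"""
if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_message(raw) or ["no findings"])
```

A flagged message is not proof of fraud; it is the trigger for the phone call or in-person check the policy requires before anything is paid.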