CEO-Fraud: How a false email can cost you a lot of money
When you hear about hackers and cyber criminals, you probably picture the super-smart computer nerds from movies and crime series: the geeks who crack encrypted laptops, bypass door codes and break into highly secured computer systems in a matter of minutes.
Why steal money if you can get people to simply transfer it to you?
Reality is much less exciting. Most cyber criminals know little about hacking and rely on more traditional methods such as extortion and scams. Less effort and far more result. They did not invent the tools and methods themselves; they simply buy them on the “dark web”.
With just one or a few simple e-mails they get the accountants and financial departments of companies to transfer large sums to their account.
No coercion or blackmail, entirely voluntary.
An urban legend, surely?
If only. It is the harsh reality. The German cable manufacturer Leoni, for example, lost 40 million euros.
The well-known growth guru Verne Harnish lost $400,000.
And so there are countless examples. Also in the Netherlands. In July 2016 the NRC wrote about it.
It is called CEO-fraud or in the Netherlands Director fraud.
How does it work, you might ask.
The financial department receives an e-mail in which the director asks for an amount to be transferred. It is important and it has to be done quickly. The e-mail looks so deceptively real and plausible that a financial department sometimes carries it out without any further check. Others are more alert and mail back for an explanation. The only thing wrong is that the sender’s e-mail address is slightly different, but they don’t spot that, and the reply simply comes back with the further details for the payment.
Now, not everyone will fall for it. But it works like spam: if you send it to enough companies, only a very small percentage needs to succeed to earn a lot.
Not smart, but it happened.
Sometimes they go a step further
In some cases (as with Verne Harnish) they got a few steps further.
First the director’s e-mail account is hacked. That is easier than you might think. We are careless with passwords: we often use the same password for social media accounts such as LinkedIn as for our e-mail, and of course we rarely change it. In 2012, 112 million LinkedIn passwords were stolen. After that it is just a matter of looking them up.
Another method cyber criminals use to obtain usernames and passwords is intercepting traffic on public WiFi.
Once inside, the cyber criminals take their time to watch the director’s e-mail traffic. That way they learn what normal looks like and pick up a lot of extra information. Then they imitate that style in their e-mails to the financial department. They can even answer replies to those e-mails, because they intercept them before the director reads them.
But surely that does not happen here in the Netherlands, and not in the SME sector, you might think?
Yes, the cyber criminals do it in the Netherlands too, at large companies and at SMEs alike. Perhaps the Dutch language makes it a little harder for them. But from experience we know that they learn quickly.
In June 2016 the National Cyber Security Centre (NCSC) already issued a warning about it.
By now we have the first reports from our customers that they have actually received such a mail.
Can we avoid these emails coming?
Unfortunately, that is not possible.
It is childishly easy to send an e-mail that appears to come from anyone at all: from President Trump, from Santa Claus or, in this case, from the director. Only when you look a little closer do you see that it is not right. But not everyone does that. Hackers make use of this all the time; think of all the fake e-mails from well-known banks.
Sometimes the spam filter captures them. But certainly not in all cases.
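The tell-tale signs described above (an executive’s name on an address outside the company, a domain that is one or two characters off, a reply that goes somewhere else) can be checked automatically before a mail reaches the financial department. The following is an added example, not code from the original post; the company domain, the director’s name and the sample message are constructed for illustration.

```python
# Added example: flag the red flags of a CEO-fraud mail from its headers and body.
# Constructed values: company domain, executive name and the sample message below.
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "company.example"   # assumed company domain (constructed)
EXECUTIVES = {"jan de vries"}        # assumed director name, lower-cased (constructed)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rpartition("@")[2].lower()


def looks_alike(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True when a domain is almost, but not exactly, the company domain."""
    if not domain or domain == legit:
        return False
    return SequenceMatcher(None, domain, legit).ratio() >= 0.85


def check_message(raw: str) -> list:
    """Return the list of red flags found in one raw (RFC 5322) message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    flags = []
    # The director's name, but sent from outside the company.
    if from_name.lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        flags.append("executive display name from outside domain")
    # Domain that differs from ours by only a character or two.
    if looks_alike(from_dom):
        flags.append(f"look-alike sender domain: {from_dom}")
    # Answers silently routed to a different domain than the sender's.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(f"Reply-To domain differs: {domain_of(reply_addr)}")
    # The urgent, confidential transfer wording typical of these requests.
    body = msg.get_payload().lower()
    if any(word in body for word in ("urgent", "confidential", "transfer")):
        flags.append("urgent/confidential transfer wording")
    return flags


# Constructed sample resembling the scenario in the post ("rn" instead of "m").
SAMPLE = """\
From: Jan de Vries <jan.devries@cornpany.example>
Reply-To: jan.devries@reply-mail.example
To: finance@company.example
Subject: Urgent transfer

Please transfer 40.000 EUR today for the acquisition. Strictly confidential.
"""

if __name__ == "__main__":
    for flag in check_message(SAMPLE):
        print("RED FLAG:", flag)
```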
A slightly different form but just as damaging: Invoice fraud
Paper invoices are fished out of the letterbox and the bank account number on them is changed. Or a letter or e-mail is sent to the financial department announcing a new account number for invoices. A municipality lost 566,000 this way.
Or you are simply notified that the account number on an invoice has changed.
Cyber criminals also hack your suppliers and insert themselves into that supplier’s e-mail conversation with you.
It can happen to private individuals too. Here as well, cases are known of people who made their payment to the cyber criminals’ account.
So here too: be watchful and, when in doubt, check. Not by e-mail, but by phone.
What can you do against attempts by CEO fraud?
The solution is simple: make the accountant or financial department aware of this danger. Let them be alert to strange or unusual e-mails. The higher the amount and the stranger the request, the sooner the alarm bells should ring. (Think of new projects, acquisitions, unknown and/or foreign accounts: these are all signals that something may be wrong.)
Make sure that nobody transfers any money in response to an “urgent” e-mail without proper verification. Never, ever. Always check by phone.
Help them by never sending payment instructions that way yourself.
Take a critical look at your passwords. Use a different one everywhere. Make them not too easy to guess. Change the most important ones regularly.
Have you received such an e-mail too? Let me know below.