It’s 4 p.m. on the Friday before a long weekend, and just before you head out you receive an email from the CEO. The email explains that the CEO was unable to reach the CFO and needs you to send an urgent bank transfer to a foreign bank account for a last-minute business order. You have done this before when the CFO was on vacation, and although the urgency of the request makes you a bit uneasy, it’s the CEO, so you follow through and get all the information ready to be processed. What’s the worst that can happen?
You reply and ask for the details needed to perform the transfer, and your CEO gives you a number to call. You call, are greeted by the contractor and are given all the requisite information, but something is off. It all seems very unusual and rushed. You continue anyway; the CEO himself has instructed you to do so. All the information is entered and the transfer is sent. A few moments later you receive confirmation that the transfer went through, and you leave the office thinking nothing of it.
A few days pass and you receive an urgent call from your CFO, asking about an unknown transaction. You mention the last-minute business order. The CFO says she isn’t aware of any such order and calls the CEO to clear up the matter. Over the next couple of days of investigation and inquiries, it is discovered that you were targeted and are the victim of a CEO scam.
This is the typical story of many CEO scam victims. They receive an email asking for a last-minute payment or transaction, receive a call with the account details, and send money that is never seen or accounted for again. Known as the CEO scam or business email compromise (BEC), its objective is to infiltrate an SMB and initiate an unauthorized transfer of funds. The culprits accomplish this by studying and targeting a company over a period of months, using social media research, telephone calls, survey requests and targeted emails to gather as much information as possible about the company, including its executives and its financial habits. Collecting and using this wealth of information allows the fraudsters to attack the weak points of their target, such as knowing who can authorize a payment and when an executive is unreachable.
A growing problem, companies around the world are falling prey to this type of scam.
In France alone, more than 700 businesses have become victims and have lost more than 300 million euros since 2010. Closer to home, in Quebec, there have been sixty cases in the last two years, with approximately $16 million stolen. The Canadian Anti-Fraud Centre estimates the real number of victims is higher, since only about 5% of frauds are actually reported; the vast majority remain undetected or unreported.
According to an FBI report, more than 7,000 US companies fell prey to CEO scams and lost $750 million between October 2013 and August 2015. This leaves many SMBs wondering whether they are being targeted or have already fallen victim to the CEO scam.
This is compounded by the fact that falling prey to this type of fraud has dire consequences for a company. A French SMB lost 1.6 million euros following an international money transfer scam and had to file for bankruptcy because of it; it was forced into receivership and more than 40 employees lost their jobs. Similarly, a Saguenay-based SMB with over 100 employees was defrauded of a million dollars and faced similar consequences.
In addition to costing companies millions of dollars, this also psychologically scars the employees who were unknowingly involved in the scam, damaging their careers and their future employment opportunities.
But if this is so prevalent, how do SMBs protect against this type of scam? With such an intrusive and growing wave of fraud, the best way to protect yourself is to be prepared and to implement strategies and plans to avoid becoming a victim.
We at Quartet have identified the following ways SMBs can protect themselves against becoming a victim of a CEO scam.
1. Implement specific policies and strategies to ensure proper financial transfers.
This is one of the most important preventative measures. Having proper financial transfer policies will help your company avoid costly mistakes, and it regulates and shines a light on every monetary transfer in the company. Simple policies include not processing transfers after hours, requiring two or three financial executives to sign off on each transfer, verifying any change of payment instructions or any unusual request by calling the requester back on a number you already have on file (never a number supplied in the email itself, as in the story above), guarding financial documents from intruders, and ensuring the vendors and contractors you use are credible.
Implementing and practicing these measures will prevent issues and emergencies from coming up over time. It’s also important that, once in place and in use, the policies and procedures are routinely reviewed and validated. Outdated or ineffective policies are as bad as having none at all. Therefore you should continually keep up to date with new security threats and with the ways intruders are targeting and exploiting companies, to get a better grasp of how to protect yours.
2. Developing a risk assessment plan.
Having a risk assessment plan is a good way of ensuring your security is up to date and sound. This means developing and implementing a plan for what to do in case of an emergency, and performing routine security tests to identify and locate any weak points in your security and in the privacy of your network. This not only provides an up-to-date view of the weak points in your security, it also lets you continually improve your current security measures. It also helps you identify the ways intruders could break in and exploit your systems, giving you insight into how attacks occur, which is invaluable.
3. Teaching and training your staff on possible security threats.
Your staff is your first line of defense in any attack, but they can also be your weakest link. The difference between the two is whether your staff are trained and knowledgeable about how to recognize and minimize potential threats. This can be problematic considering that the majority of your staff are specialists who don’t know much about other areas of your business; silos of information are hugely problematic for any organization. Running bi-weekly or monthly training sessions about new security threats and security best practices is therefore badly needed. This keeps your network safer and educates your employees on what to avoid and on the signs that you’ve been infiltrated.
This goes hand in hand with ensuring they will notice any suspicious or problematic calls or emails, and gives them the knowledge of how to proceed and follow the risk assessment plan accurately in case of an emergency.
Teaching and training your staff is paramount to keeping any business safe.
4. Have a functional and working IT staff.
Having a fully functioning IT staff protects you from attacks and ensures your technology is up to date and not vulnerable. Your IT department will also provide and install security measures in your systems to deter and curb attacks on your network, including detecting and fixing any vulnerabilities in your network.
CEO scams work by collecting information and infiltrating networks, so having a fully functional and up-to-date IT network can deny fraudsters the ability to get in and gather the information they need to carry out their objective. This is one of the main defenses against such intrusions.
5. Consult with security experts.
Consulting with experts is an opportunity to get sound advice on how to improve your network and reduce your security risks. We have seen that security has been the lowest priority for many SMBs, and this has to change, especially considering that once you have been the victim of an international money transfer scam, the damage is hard to undo. Consulting a security expert also has the benefit of having someone else look at your security and offer ways to improve it, notifying you of any weak points or vulnerabilities.
Security experts also have more specialized knowledge and will be able to recommend needed security updates or help you plan future security measures. Taking advantage of seasoned veterans is something SMBs can’t afford to overlook.
6. Making use of security tools and tricks.
Let’s face it, most companies are up against a threat that is using the latest tools and tricks to break into your network and exploit your vulnerabilities. This is why it’s important to make sure you are using current security tools and practices to stay safe. This means making use of email authentication (SPF, DKIM and DMARC, so that mail claiming to come from your domain can be checked and forged messages rejected), intrusion detection systems, security logging on your servers, and two-factor authentication (2FA) on email and banking accounts. Keep in mind that email authentication only proves a message really came from the domain it claims to come from; it does not catch a lookalike domain or a free webmail account with the CEO’s name as the display name, which is why the policies and training above still matter. This by no means ensures you’re going to be completely safe, but it adds multiple layers of security to your network.
Implementing these strategies will help keep your SMB safe from falling victim to fraudsters and intruders, as the first step of any defense is knowing what you’re up against and then implementing ways to avoid and prevent any intrusion.
You have to make sure you keep up to date and aware of any new threats to your company. For more information, check out our security as a service page.
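To make the tools point concrete, here is an added example (not code from the original article or from Quartet) that checks an inbound message for the warning signs described in this post: a sender domain that imitates your own, an executive’s name on an unknown address, a Reply-To pointing somewhere else, a message claiming your domain that did not pass DMARC, and urgency plus payment language. The company domain `example.com`, the executive list and the three sample messages are all constructed for the example.

```python
"""Flag common CEO-scam / BEC warning signs in an inbound e-mail (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the SMB's own mail domain and its known executive addresses.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"ceo@example.com": "Jane Doe"}
URGENCY_WORDS = ("urgent", "wire", "transfer", "confidential", "asap", "immediately")


def levenshtein(a, b):
    """Edit distance between two strings (used to spot near-miss domains)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, reference):
    """True if domain imitates reference: homoglyph swap (rn->m, 0->o, 1->l) or at most 2 edits."""
    if domain == reference:
        return False
    folded = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    return folded == reference or levenshtein(domain, reference) <= 2


def parse_message(raw_message):
    """Parse raw RFC 5322 text into an EmailMessage."""
    return email.message_from_string(raw_message, policy=policy.default)


def auth_results(msg):
    """Parse an Authentication-Results header into {method: result}, e.g. {'dmarc': 'pass'}."""
    results = {}
    # First clause is the authserv-id; the rest are "method=result extra..." clauses.
    for clause in str(msg.get("Authentication-Results", "")).split(";")[1:]:
        method, sep, rest = clause.strip().partition("=")
        if sep and rest:
            results[method.strip()] = rest.split()[0]
    return results


def bec_findings(raw_message):
    """Return a list of human-readable warning signs; an empty list means nothing suspicious."""
    msg = parse_message(raw_message)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else from_domain

    # 1. Sender domain that imitates ours (exarnple.com, examp1e.com, ...).
    if from_domain != COMPANY_DOMAIN and is_lookalike(from_domain, COMPANY_DOMAIN):
        findings.append(f"lookalike sender domain: {from_domain}")
    # 2. An executive's name on an address we do not know (often free webmail).
    if name in EXECUTIVES.values() and addr.lower() not in EXECUTIVES:
        findings.append(f"display name '{name}' used with unknown address {addr}")
    # 3. Replies silently redirected to a different domain.
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 4. Mail claiming our own domain must pass DMARC; anything else is a direct spoof.
    if from_domain == COMPANY_DOMAIN and auth_results(msg).get("dmarc") != "pass":
        findings.append("message claims our domain but did not pass DMARC")
    # 5. Urgency plus payment language in subject or body (two or more keywords).
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages for the example (not real mail).
LOOKALIKE_SCAM = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: Jane Doe <jd.executive@mail-relay.example.net>
To: accounting@example.com
Subject: Urgent wire transfer needed
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exarnple.com; dkim=none; dmarc=none header.from=exarnple.com
Content-Type: text/plain; charset="utf-8"

I could not reach the CFO. Please process this transfer today and keep it confidential.
"""

DIRECT_SPOOF = """\
From: Jane Doe <ceo@example.com>
To: accounting@example.com
Subject: Payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset="utf-8"

Please wire the attached invoice immediately.
"""

LEGIT = """\
From: Jane Doe <ceo@example.com>
To: accounting@example.com
Subject: Q3 budget review
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Please send me the Q3 figures when you have a moment.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE_SCAM), ("direct spoof", DIRECT_SPOOF), ("legitimate", LEGIT)):
        print(f"{label}: {bec_findings(sample) or ['no warning signs']}")
```

The DMARC check relies on the `Authentication-Results` header your own mail server stamps on inbound mail, so it only means something if that header is trusted and any copy supplied by the sender is stripped at the border. The lookalike and display-name checks are the ones that catch the case in the story, where the mail never claimed your domain at all; a flagged message should route to the callback procedure in policy 1 rather than simply being deleted.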