An email marked "urgent" that comes from your boss will certainly get your attention. However, if that email asks you to send money to a vendor, you might want to put on the brakes. It could be a setup.
In the scam, the "boss" is actually a criminal posing as a company executive, a fraud also known as "Masquerading." The impostor asks that a wire transfer be directed to a new vendor. For employees who routinely make such transfers, the request may not seem out of the ordinary.
Recent FBI warnings indicate a dramatic increase in the Masquerade email scam over the last two years: over 17,000 firms have been victimized, with losses ranging from $25,000 to more than $75,000.
Most of these losses were preventable through tighter internal controls and employee education. These scams are "low-tech": the thieves exploit human weaknesses rather than software flaws, and the sting turns your own corporate culture against you. Masquerade attacks use social engineering, impersonating the company CEO or CFO, to trick accounting staff into making fraudulent wire or ACH payments. The criminal pretends to be an executive and uses a targeted spear-phishing email to put the request in front of the right employee.
Typically, the Masquerade scam unfolds as follows:
The crook, acting as the CEO or CFO, emails a targeted employee in finance or corporate accounting, requesting that funds be wired to pay for an urgent business-related expense. The emails are typically well written and look authentic: they include names, wire details, an amount and a reason for the request.
The crook often times the attack to coincide with a real executive's business trip, when the request is harder to confirm in person. The crook then demands immediate payment for a confidential business expense to a vendor or an investment, and the money is transferred to a bogus account controlled by the thief. By "masquerading" as the executive, the crook convinces lower-level employees to schedule real wire or ACH transfers.
In many cases the fraudulent payment request resembles a normal expense so as not to raise suspicion. Because the employee is eager to accommodate the CEO, they assume the sender's identity is genuine and that the message really is urgent. As a result, company security practices are often bypassed. The control that defeats this is out-of-band verification: confirm any new or changed payment instruction by calling the requester on a number already on file, never on a number supplied in the email itself.
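The indicators in the scenario above (an executive's display name on a message from an outside or look-alike domain, a Reply-To that points elsewhere, and urgency or payment language) can be checked mechanically before a message reaches the accounting team. The script below is an added example, not code from the original article or from any vendor; the corporate domain, executive names, keyword list and the two sample messages are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organisation's real domain and the
# executives whose names a masquerader is most likely to borrow.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}

# Phrases that recur in fraudulent payment requests (constructed list).
URGENCY_TERMS = ("urgent", "immediately", "confidential", "wire", "ach", "new vendor")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot look-alike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_message(raw: str) -> list[str]:
    """Return the masquerade indicators found in one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    name_key = " ".join(display_name.lower().split())

    # 1. An executive's display name on mail that did not originate from our domain.
    if name_key in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        findings.append(f"display name '{display_name}' ({EXECUTIVES[name_key]}) "
                        f"but sender domain is {from_domain}")

    # 2. Look-alike sender domain: within two edits of ours, but not ours.
    if from_domain and from_domain != CORPORATE_DOMAIN \
            and levenshtein(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Reply-To steering the conversation to a different domain than From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Urgency / payment language in subject or body (whole words only, so
    #    "attached" does not trigger on "ach").
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in URGENCY_TERMS if re.search(rf"\b{re.escape(t)}\b", text)]
    if hits:
        findings.append("payment/urgency language: " + ", ".join(hits))

    return findings


# Constructed sample messages, not real mail.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-example.net
To: payables@example-corp.com
Subject: Urgent wire transfer - confidential
Content-Type: text/plain; charset="utf-8"

I am travelling and need you to send a wire to our new vendor immediately.
Details attached. Keep this confidential until I am back.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: payables@example-corp.com
Subject: Q3 vendor review
Content-Type: text/plain; charset="utf-8"

Please send me the list of vendors we onboarded this quarter.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, analyze_message(raw) or "no indicators")
```

Heuristics like these generate leads, not verdicts: a real executive mailing from a personal address on a trip will trip the first check, which is exactly the case the scam imitates. Treat any hit as a reason to verify the request by phone on a known number before a payment is scheduled.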
Other versions of masquerading use the telephone: a caller claims to be updating vendor files, or poses as a top company executive and demands account information.
Many such attacks can be countered by employee awareness, enforcement of effective internal standards and use of the security measures offered by your financial institution. The first line of defense against fraud begins with you and your company. Check out our Cybersecurity Checklist for Your Business to get started.