Here at BH Consulting we have become aware of a number of attacks, known as CEO fraud, invoice redirection fraud, or Business Email Compromise (BEC), against Irish businesses. A number of these attacks have resulted in financial loss for the victim companies. The Central Bank of Ireland is one example, which Lee covered in an earlier post. Ubiquiti Networks, a US-based network technology multinational, reported that it fell victim to such an attack and lost over $39 million as a result. IRISSCERT, Ireland's first Computer Emergency Response Team, also reported at its annual Cybercrime Conference in November that it has witnessed a large number of CEO fraud attacks.
The premise of the attack is that the criminals impersonate the CEO, or another senior manager, in an organisation (note that some attacks instead impersonate a supplier to the targeted company). The criminals do this either by hijacking the CEO's real email account or by setting up fake email accounts that impersonate the CEO. They then send an email appearing to come from the CEO to an individual within the company who has access to the company's financial systems. The email requests that payment be made to a new supplier, into a bank account under the control of the criminals. Alternatively, the email may claim that the banking details for an existing supplier have changed and request that payments be made to a new bank account, again under the control of the criminals.
We recommend that companies take the following steps to avoid becoming a victim of this scam:
- Ensure staff use secure and unique passwords for accessing their email.
- Ensure staff regularly change the passwords for their email accounts.
- Where possible, implement two-factor authentication for access to email accounts, particularly web-based email accounts.
- Have agreed procedures for how requests for payment can be made and how those requests are authorised. Consider using an alternative means of communication, such as a phone call to a trusted number (not one taken from the email itself), to confirm any request received via email.
- Be suspicious of any emails requesting payments urgently or requiring secrecy.
- Implement technical controls to detect and block spam emails and spoofed emails.
- Ensure computers, smartphones, and tablets are updated with the latest software and have up to date and effective anti-virus software installed. Criminals will look to compromise devices with malicious software in order to steal the login credentials for accounts such as email accounts.
- Provide effective cybersecurity awareness training for staff.
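As an added example (not BH Consulting's code), the following Python check illustrates the kind of technical control recommended above: it flags the indicators this post describes in a single message, namely an executive's display name used with an address that is not their real mailbox (look-alike domains and free webmail accounts), a Reply-To header that diverts replies to another domain, and urgency, secrecy or changed-bank-details wording. The executive list, red-flag phrases and both sample messages are constructed assumptions for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumption: the mailbox each executive actually sends from.
EXECUTIVES = {"jane ceo": "jane.ceo@example.ie"}
# Phrases typical of the urgent/secret payment requests described in the post.
RED_FLAG_PHRASES = ("urgent", "confidential", "do not discuss", "new bank", "account details have changed")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw_message):
    """Return the list of BEC indicators found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # 1. Executive's display name on an address that is not their real mailbox.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' used with {from_addr}, expected {expected}")
    # 2. Reply-To diverting the conversation to a different domain.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(from_addr)}")
    # 3. Urgency, secrecy or bank-change wording in the subject or body.
    text = (msg.get("Subject", "") + "\n" + (msg.get_payload() if not msg.is_multipart() else "")).lower()
    hits = [p for p in RED_FLAG_PHRASES if p in text]
    if hits:
        findings.append("red-flag wording: " + ", ".join(hits))
    return findings

# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: Jane CEO <jane.ceo@examp1e.ie>
Reply-To: jane.ceo.private@mail.example.net
Subject: Urgent payment - confidential

Please pay our new supplier today; the account details have changed.
Do not discuss this with anyone until it is done.
"""
LEGITIMATE = """\
From: Jane CEO <jane.ceo@example.ie>
Subject: Board minutes

Attached are the minutes from Tuesday's meeting.
"""

if __name__ == "__main__":
    print(bec_indicators(SUSPICIOUS), bec_indicators(LEGITIMATE))
```

A real deployment would read the executive list from a directory and run this alongside SPF/DKIM/DMARC checks rather than in place of them.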
If your company falls victim to such a scam, you should first report the issue to your financial institution and then report it to An Garda Síochána.