The effectiveness of an email scam like CEO fraud relies on one person in the target organisation having the means and the opportunity to make payments. It’s not a security problem that technology alone can fix.
This type of scam came to mind as news emerged of yet another victim. The Irish Independent reported that criminals stole €110,000 from University College Cork through a series of frauds in 2015. There are a couple of points to take away from this story. UCC subsequently made “significant investments” to improve its security, and spent most of that money on user awareness training. Also worth noting: the university’s insurance policy covered much, but not all, of the stolen money. (The article doesn’t mention whether this was a specific cyber risk policy.)
Who authorised this?
Incidents like this raise several questions. Here’s mine: how is it that when a fake CEO gets in touch, requesting payment to a new bank account, it was possible to authorise same-day payments of several thousand euro? By contrast, here’s a far more common scenario in companies up and down the country. A legitimate supplier contacts an organisation’s accounts department to enquire about a payment and they’re fobbed off with stock phrases like “our payment terms are 60 days”.
Late payments are a genuine problem for many companies. In Ireland, it takes up to 61 days on average for a small business to receive payment. The situation seems to be just as bad in the UK, where late payments are costing small and medium sized enterprises more than £2.1 billion per year.
CEO fraud, or Business Email Compromise as the FBI prefers to call it, reminds us once again that security is not just a technical issue. When costs add up to a collective $5 billion, it’s a business problem. (That number is the global profits for email scams since 2013, according to the FBI.) When only one person in a company has permission to authorise large payments, then that’s a business process problem.
There are various ways to fix this issue that don’t involve technology. Companies could make it compulsory to have a second signatory whenever payments exceed a certain amount of money. Martin Licciardo, a special agent at the FBI’s Washington Field Office, said: “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”
By taking either of these steps, companies could make it harder for scammers. Why not make life easier for legitimate suppliers to get paid in reasonable time instead?
Otherwise, what is the point in having a payment process if it’s set aside at the first sign of a “new supplier” who demands immediate money upfront? Who does business that way (apart from cyber criminals, obviously)?
Answers on a signed purchase order please.