A ruse by any other name, invoice redirection scams are a huge and growing business problem. They’re also known as fake boss scams, impersonation fraud, CEO fraud, or business email compromise, and they’ve risen by 58 per cent in the past year. That’s according to Lloyds Bank which estimates that UK SMEs lose £27,000 on average to such scams. The bank says this type of fraud affects up to half a million businesses.
Here’s how it works: criminals write an email supposedly from a company CEO or CFO, and send it to an employee requesting an urgent payment. Then the unwitting worker transfers the cash to an unauthorised account belonging to the criminals.
Despite the name ‘CEO fraud’, bosses are rarely at risk from these scams. Barracuda Networks recently analysed 3,000 scam messages from its Sentinel system and found just 2 per cent target CEOs. Their names are more likely to appear on the emails that scammers send to other employees. Most of these messages land in the inboxes of staff in sales, accounts, operations or marketing departments. To avoid email filters, 60 per cent of messages don’t include links.
Criminals’ efforts are relentless: Valimail estimates that there are 6.4 billion fake emails in circulation every day. Help Net Security said this shows the scam isn’t just a social engineering problem. Because email has no built-in authentication mechanism, it’s easy for criminals to spoof senders.
Fortunately, there are resources to help recognise these scams and prevent them from working. This month’s SANS Ouch! Newsletter includes tips on spotting and stopping BEC fraud. Lloyds released an awareness video to go with its survey as part of an awareness-raising campaign with Get Safe Online. The short film portrays lookalike CEOs, showing how easy it is to appear to be someone else. We’ve also blogged about CEO fraud before and how to avoid becoming a victim. For example, making payment processes more rigorous, such as verifying any request to change bank details by a second channel, can reduce the chances of the scam working.
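The spoofed-sender and lookalike-CEO problems above can be screened for on the receiving side. The following is an added example, not code from this blog or from any of the companies mentioned: it triages a message by comparing its display name against a constructed list of executives, checking whether Reply-To points somewhere other than the From domain, reading the mail server's Authentication-Results header for DMARC, and looking for urgent-payment wording. The domain, executive list and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed data: the company's real domain and the executives whose names are borrowed in CEO fraud.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "wire", "transfer", "payment", "new account")


def bec_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like invoice redirection / CEO fraud (empty if none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reasons = []
    # Display name of a known executive, but the address is not the one on file.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append(f"display name '{from_name}' matches an executive but address is {from_addr}")
    # Replies silently routed to a different domain than the visible sender.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append(f"Reply-To domain differs from From domain ({reply_addr})")
    # A message claiming the corporate domain should carry a DMARC pass from our own gateway.
    if from_domain == CORPORATE_DOMAIN and "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        reasons.append("claims corporate domain but DMARC did not pass")
    body = msg.get_payload()
    if isinstance(body, str) and any(w in body.lower() for w in URGENCY_WORDS):
        reasons.append("urgent payment language in body")
    return reasons


# Constructed sample messages: one impersonation attempt with no links, one genuine internal mail.
SAMPLE_SCAM = """From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: Jane Doe <ceo.office@freemail.invalid>
To: accounts@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; dmarc=none

Please process this urgent payment to the new account today.
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board pack
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Attached are the notes from Tuesday.
"""
```

Running `bec_indicators(SAMPLE_SCAM)` returns three reasons (executive name on a foreign address, mismatched Reply-To, urgent payment wording), while the genuine message returns none; the header checks depend on the gateway stamping Authentication-Results, so this is a triage aid, not a replacement for verifying payment changes out of band.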
To end on a positive note: the crime doesn’t always pay. Irish police raided 15 homes around Ireland in September as part of a major fraud investigation. They had been tracking a gang they believed were laundering €14.6 million in proceeds from scams like invoice redirection. The crackdown shows why it’s important for victims to report these crimes to police. “While your individual experience as a victim of cyber-crime may not lead directly to an arrest, it is invaluable to law enforcement as a source of intel,” said BH Consulting CEO Brian Honan.