CEO Fraud. The Billion Dollar Scam

Last month I shared a story about a social media scam. This month I want to share a story about a type of Business Email scam called CEO Fraud.

“CEO Fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or sending out confidential tax information. According to FBI statistics, CEO fraud is now a $26 billion scam.”

I was recently contacted by a friend and previous co-worker who returned to the islands to help his father with their local food distribution business. His father received an email from one of their vendors, only hours after his company had sent the vendor information about a payment it had processed, requesting that the check payment be stopped and an ACH payment be made instead. The email contained details of the exact payment and directions on how to make the new payment. It was a vendor they had worked with many times and trusted, so no big deal.

It wasn’t until AFTER the company had sent a $130,000.00 payment via ACH that they realized it was a scam! Immediately after they identified this, my friend called the company’s bank, only to be told there was nothing the bank could do. Thankfully, my friend was VERY persistent and had a family member (Auntie) within the bank who was able to step in and assist. Auntie was able to figure out which bank had received the large transfer, contacted them to STOP that bank from releasing the funds to the account holder, and had the transfer reversed back to the victims. This is NOT a common outcome. Without a connection, you’ll likely receive “out of luck” responses from your bank.

The findings: hackers had infiltrated the vendor’s email and obtained enough information to:

  • Identify a trusted vendor of the company that sent or received large or frequent payments.
  • Know the amount of the transfer and how the payment was being made.
  • Create a look-alike email address, hard to spot as fake, to send correspondence from (for example, changing “ie” to “ei” in the address: instead of [email protected], the email came from [email protected]).

Hackers tried AGAIN to steal money from this company within the same week. This time they sent an email from a spam address using a contact name familiar from the food distributor’s contact list. The recipient had to review the sender details to spot the scam; again the email asked for a large sum of money. All of this opened the victims up to being hacked themselves: hackers got into the food distributor’s web mail and started setting up redirects on incoming emails, creating more scams and more hacks.
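The two tricks in this story, a look-alike domain with two letters swapped and a familiar contact name on an unfamiliar address, are both mechanically checkable before a payment-change request reaches accounting. The Python below is an added example written for this newsletter, not code from the newsletter, the food distributor or KnowBe4; the trusted-contact list, domain names and messages are all constructed placeholders. It scores the sender against a list of known vendor contacts (using an edit distance that counts a transposition as one change, so “feilds” is one step from “fields”), looks for payment-change language, and decides whether to deliver, hold for a call-back, or quarantine.

```python
"""Triage inbound vendor email for look-alike senders and payment-change requests.

Added example; all contacts, domains and messages below are constructed placeholders.
"""
import re
from email.utils import parseaddr

# Constructed trusted-contact list: address -> display name as it appears in the
# distributor's address book. Placeholder domain, not a real vendor.
TRUSTED_CONTACTS = {
    "ap@fieldsproduce.example": "Field's Produce AP",
    "kai.nakamura@fieldsproduce.example": "Kai Nakamura",
}

# Phrases that signal a change in how or where money should be sent.
# Word boundaries keep "ach" from matching "each" or "attach".
PAYMENT_CHANGE_RE = re.compile(
    r"\b(ach|wire|routing number|new account|stop (the )?check|updated bank(ing)? details)\b",
    re.IGNORECASE,
)


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # One transposition ("ie" <-> "ei") also costs 1.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(from_header, trusted=TRUSTED_CONTACTS):
    """Label the From: header as known, look-alike domain, familiar name on a new address, or unknown."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    result = {"sender": addr, "display_name": name, "matched": None}

    if addr in trusted:
        return {**result, "verdict": "known-address"}

    # Domain within one edit of a trusted domain, but not identical: look-alike.
    trusted_domains = {a.rsplit("@", 1)[-1] for a in trusted}
    for td in trusted_domains:
        if 0 < damerau_levenshtein(domain, td) <= 1:
            return {**result, "verdict": "lookalike-domain", "matched": td}

    # Display name we recognise, on an address we do not: the second attempt in the story.
    known_names = {n.casefold() for n in trusted.values()}
    if name and " ".join(name.split()).casefold() in known_names:
        return {**result, "verdict": "familiar-name-unknown-address", "matched": name}

    return {**result, "verdict": "unknown"}


def requests_payment_change(text):
    """True if the subject/body asks to change payment method or account details."""
    return PAYMENT_CHANGE_RE.search(text) is not None


def triage(from_header, subject, body, trusted=TRUSTED_CONTACTS):
    """Decide what to do with the message. Even a known address gets a call-back on payment changes,
    because the sending account itself may be compromised."""
    result = classify_sender(from_header, trusted)
    payment_change = requests_payment_change(subject + "\n" + body)
    if result["verdict"] in ("lookalike-domain", "familiar-name-unknown-address"):
        action = "quarantine-for-review"
    elif payment_change:
        action = "hold-for-callback"  # verify by phone using a number already on file, not one in the email
    else:
        action = "deliver"
    return {**result, "payment_change": payment_change, "action": action}


if __name__ == "__main__":
    # Constructed messages mirroring the newsletter's two attempts.
    samples = [
        ("Field's Produce AP <ap@feildsproduce.example>", "Re: payment",
         "Please stop the check and send via ACH to our new account."),
        ("Kai Nakamura <kai.nakamura@freemail.example>", "Urgent", "Need a wire today."),
        ("Kai Nakamura <kai.nakamura@fieldsproduce.example>", "Banking update",
         "We have updated banking details, please use the new routing number."),
        ("Kai Nakamura <kai.nakamura@fieldsproduce.example>", "Delivery", "Each pallet is attached."),
    ]
    for hdr, subj, body in samples:
        r = triage(hdr, subj, body)
        print(f"{r['action']:22} {r['verdict']:30} {r['sender']}")
```

The call-back rule is deliberately independent of the sender verdict: the third story in this newsletter, where the emails came from a genuinely compromised vendor account, is exactly the case a sender-only check misses, so any request to change where money goes is confirmed by phone to a number already on file.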

Businesses beware! It’s not just you or your employees under attack. In the same week I heard the above story, another friend revealed that a vendor of their company had been hacked and had emails sent on their behalf. So emails come from true, verified email addresses, asking for money or sensitive information and changing account numbers so your money is routed straight to the hackers’ account.

We share this with you to encourage you to consider using a program like KnowBe4 to train yourself and your employees to spot fraudulent emails and respond appropriately. Contact us for more information!

To watch the interview about ACH Fraud with my friend Matt: http://www.hitechhui.com/2020/09/23/ceo-fraud-inside-a-cyber-crime-story/

– A Message from Anne-Marie Lerch, CXO

Download a copy of the SEPTEMBER 2020 NEWSLETTER
