The Big Spike In ‘CEO Fraud’

The Big Spike In ‘CEO Fraud’

According to the 2019 edition of the FBI’s Internet Crime Report, last year was both a lucrative and diverse year for cybercriminals and scammers. All in, the FBI’s Internet Crime Complaint Center (IC3) received a total of 467,361 complaints, with reported losses exceeding $3.5 billion.

As for the scams themselves, those varied widely both in terms of tactics and targets. Phishing/vishing/smishing/pharming, non-payment/non-delivery, extortion and personal data breaches were among the favored attack patterns last year.

As for the areas where scammers managed the biggest hits, business email compromise (BEC), confidence/romance fraud and spoofing were the top three types of crime in terms of monetary losses.

And in that top three, the FBI noted, BEC (sometimes called EAC, or email account compromise) was the absolute leader in generating losses, representing about $1.77 billion (or slightly over half) of all losses tracked in 2019.

That’s an unfortunate but in some ways impressive record, considering that most BEC/EAC fraud relies on what the FBI referred to as “the oldest trick in the con artist’s handbook: deception.”

While there are variations on technological involvement or sophistication in a BEC attack, the basic details are always similar: The scammer gains access to (or spoofs) a legitimate email address at a firm, usually one with a fair amount of power, so they can use the account to do things like send fake invoices through the system – or to use any tactic that will essentially push a firm to deliver funds to a fraudster’s account instead of to a legitimate one.

As Colin Bastable, CEO of security awareness and training company Lucy Security, noted in an email to PYMNTS that this type of fraud doesn’t necessarily require hacking technology on an expert level. Instead, it targets a much weaker link: the employee who is using it.

“BEC is commonly referred to as CEO fraud, because it relies on the exploitation of authority figures and the sense of urgency that loyal subordinates have for the boss. The C-suite can be an invaluable ally for hackers, because they often override rules and processes ‘to get the job done,’” Bastable noted.

A sufficiently committed scammer turned detective, he noted, can usually get a good working understanding of the company’s hierarchy and movement patterns. A recent variation on the theme is vendor email compromise, where the hacker gains access, pretends to be a supplier and then slips into the payment flow to intercept payments from buyers.

Another popular variation on BEC scams in 2019, according to the FBI, was the payroll diversion scam, where hackers use a spoofed or hijacked employee account to request that an employee’s direct deposit is routed to a new bank account, which usually ends up being a prepaid card that is emptied almost immediately after the deposit is made.

And while the BEC is not the most common form scam, it is a lucrative one. There were almost 24,000 complaints in 2019 and, according to the FBI, each successful attack costs roughly $75,000. By comparison, phishing scams usually bring in between $300 – $500, while ransomware attacks cost around $4,400.

The size and scope of the problem has been steadily rising since FBI’s 2017 Internet Crime Report. As Lucy Security’s Patrick Hamilton noted in an email sent to PYMNTS, companies and their leadership need to rethink their digital security hygiene, particularly around email and invoice policies.

Because, according to the FBI and myriad other experts, BEC is not going anywhere anytime soon. It is an inexpensive attack to launch, since it doesn’t require much in the way of heavy-duty technology, nor does it require what Lucy Security’s CEO Colin Bastable calls “super-hackers.” Fraudsters just need to be well-informed and reasonably good at social engineering.

And while there are plenty of technological innovations to help deter fraud, the low-tech foundation is for company leaders to build security protocols that they themselves are expected to consistently follow.

“To defend themselves, organizations need to encourage subordinates to stick to the rules and resist pressure from the C-suite to make exceptions, use personal email and act with excessive haste,” Hamilton noted. “BEC fraud does not respect seniority, and it pays exceedingly well.”