It might take just one crafty and well-timed email for a fraudster to breach an organization's financial accounts. And the perpetrators don't even need sophisticated hacking techniques to get in—they can mine crucial information from your executives' public profiles on social media.
In a scam that fraud experts call "executive impersonation," thieves use the internet, social media sites such as LinkedIn, and even "out-of-office" email replies to steal from businesses that use suppliers and bank accounts in foreign countries. In 2014, U.S. companies lost $179 million to these scams, according to the FBI's Internet Crime Complaint Center.
As a new fraud report from the AICPA Forensics and Valuation Services team explains, executive impersonation exploits a value most employees possess: an eagerness to please the boss.
The fraud often involves an email to an employee responsible for wire transfers or other transactions, said David Zweighaft, CPA/CFF, managing director of DSZ Forensic Accounting & Consulting Services in New York City, and the member of the AICPA Fraud Task Force who wrote the report. Typically, the message asks the employee to wire funds somewhere—often to a foreign account to assist with an urgent, high-stakes deal.
Criminals can obtain the names of the executives and employees responsible for financial transactions from company websites or Linkedin, or even by posing as a recruiter and calling an organization to obtain a directory.
The messages they send appear authentic, as they come from fake email addresses that are nearly identical to those of high-level executives. For example, if the actual address is CEO@victimco.com, the fake address might be CEO@vicitmco.com, Zweighaft said.
"These bogus email accounts are rarely traceable because they are one-time-use accounts, often originating from an overseas server," he said.
Usually, fraudsters try to create a sense of urgency in their emails.
"Often, the executive impersonator will indicate that the need for the funds is related to an acquisition or other professional services related to appraisals, due diligence, etc., in connection to an acquisition," said Annette Stalker, CPA/CFF, owner of Stalker Forensics and chair of the AICPA Forensic and Litigation Services Committee. Sometimes, she said, the messages refer to a business deal "where timing is critical and confidentiality is key, particularly to ensure compliance with regulatory bodies."
Typically, potential thieves will deter suspicion by asking for sums of money that are within the usual range that an executive at the company would request.
The timing of the email is crucial. Phishing messages are typically sent when the executives being impersonated are going to be out of the office and hard to reach, either because they are busy or in another time zone with different business hours.
But how would a thief know an executive's personal schedule? Social media and email, Stalker said.
"Many executives announce speaking engagements or conferences on social media sites in a way that lets anyone view these posts on LinkedIn, Twitter, Facebook, and a number of other lesser-known sites," she said. Automatic out-of-office replies also contain details that fraudsters can use to make their emails appear more credible, Stalker said, such as which dates an executive will be out of the country.
Fear of being impersonated shouldn't outweigh the business advantages of using social media to announce speaking engagements, conference participation, or community events, she said. But employees should take care not to reveal information about their "authority level, ability to approve payments, and other possible hints about their job," Stalker said. "For executives who are traveling, automated email replies should only convey the essential part of the notification (the person is unavailable and provide a name of another contact person) without revealing unnecessary elements such as whether the executive is out of the country, or the name of the city/state the executive is currently in."
The best defense against fraud is awareness, training, and repetition, Zweighaft said. Circulating news reports of similar attacks on other companies will reinforce a skeptical mindset among employees, which is the first line of defense. Companies can increase the frequency of their cybersecurity training. They can also update their policies to require two employees to approve a wire request and verify the recipient's identity. Firms may also want to hire cybersecurity consultants to identify any weaknesses in their electronic communications and transfer processes.
If you suspect there has been a breach, it's important to take action quickly to minimize damage, Zweighaft said.
To deal with cases of executive impersonation "companies should be ready to quickly assemble a response team, including in-house counsel, the CIO and staff responsible for IT security, and outside consultants," he said. Organizations need to quickly launch an internal investigation so that management and the board of directors have all the relevant facts, and so that law enforcement, government investigators, and insurers can be apprised of the details of the incident.
Samiha Khanna is a freelance writer based in Durham, N.C. To comment on this article, email associate editor Courtney Vien.