AUTHOR: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
In February 2016, Fischer Advanced Composite Components (FACC), an Austrian aerospace parts maker serving customers such as Airbus and Boeing, fired its CEO of 17 years. The driving factor in the dismissal was the company’s reported loss of 23.4 million euros for the fiscal year. By comparison, the company had reported a loss of 4.5 million euros the year prior. The spike in financial losses was not attributable to reduced revenues, thinner profit margins or poor management. The overriding factor in the disappointing earnings was a cyber-fraud that cost the company 42 million euros ($47 million) in a phishing scam known as Business Email Compromise (BEC) or CEO fraud. A single email brought down a CEO as well as the profitability of a major company.
BEC attacks are composed of three components:
- The fraudulent delivery of an email purporting to come from a high-level company officer, either by spoofing the officer’s email address or by gaining access to the account itself
- An employee who is delegated the task of sending large wire transfers
- An overly busy or turbulent period during which a sense of urgency can be exploited
Though the details of the attack were not disclosed, these types of attacks usually involve some type of company merger, large invoice or legal matter that demands a wire transfer of funds. In this case, a transfer of 50 million euros was initiated by a fraudulent request purporting to come from the CEO and carried out by a finance employee. Although nearly 10 million was recouped, the loss proved devastating. Finances, public image, credibility and jobs were lost as a result.
These types of attacks can be easily thwarted by a multi-channel verification policy for large wire transfers. More and more IT departments, for instance, are requiring multi-factor authentication for company email and remote access, such as a username/password complemented by a text message PIN, security question, security token or fingerprint. In the case of large wire transfers, the CEO should have to confirm the wire request with a phone call from a specific phone number. As an added measure, the CEO would have to verbally state a rotating password. This is the same concept the military uses to confirm strike orders on a submarine or at a missile base, for instance. These measures may not be convenient, but they can save a company from embarrassing devastation. Similarly, any change to a vendor’s profile or payment location should be verified by a secondary sign-off from multiple company personnel.
Another step that every company should implement is a regular training program for every position in the finance department. Employees should be trained to examine the “From” name and address and confirm that they match the real name and address of the CEO, or of whichever account is requesting the transfer. The “Reply-To” name and address should be confirmed as well, since a spoofed message can carry a legitimate-looking “From” while routing replies to the attacker. Employees should also be trained to forward the request rather than simply replying to it; that way, the employee must manually select the CEO’s address from the contact list within the email application instead of trusting whatever reply address the message supplied.
Cybercriminals often impersonate email senders through typosquatting, in which they purchase multiple domain names that resemble a targeted domain. The forged domain typically differs from the real one by at most two characters. Typosquatting is used in other types of attacks too, the most common being the forging of a bank’s online website in order to fool customers into providing the logon credentials for their accounts. For these reasons, every company needs to research its own domain name for possible typosquatting. This is easily done on the Internet, as a number of websites will take a domain name and list all possible variants that differ by one or two characters. The resulting list also shows which of those names are currently available and which have already been purchased. Many companies, such as Google, simply purchase all available variants, since domain names can be obtained for a nominal price. Companies can also research who has purchased the remaining names where that information is available. At the least, these similar domain names should be blacklisted in order to block all email to and from them. Employees should also be trained to keep an eye out for these domain names.
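The header checks described above (confirming the “From” and “Reply-To” domains, and spotting lookalike domains that differ by one or two characters) can be automated as a mail-gateway or mailbox rule. The following Python is an added example written for this article, not code from the author or from any product; it assumes the company’s real domain is `example.com` and uses three constructed sample messages. Edit distance is computed with the classic Levenshtein dynamic-programming algorithm, and any sender or reply domain within two edits of the real domain is flagged as a lookalike.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: the organisation's genuine mail domain.
COMPANY_DOMAIN = "example.com"
# Lookalike threshold from the article: forged domains differ by at most two characters.
MAX_LOOKALIKE_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits (insert/delete/substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the lowercase domain part of an address header such as '"CEO" <ceo@x.com>'."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means the headers look legitimate."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    # If there is no Reply-To, replies go back to the From address, so reuse that domain.
    reply_header = msg.get("Reply-To")
    reply_domain = domain_of(reply_header) if reply_header else from_domain

    for label, dom in (("From", from_domain), ("Reply-To", reply_domain)):
        if dom == COMPANY_DOMAIN:
            continue  # genuine company domain, nothing to report
        dist = levenshtein(dom, COMPANY_DOMAIN)
        if dist <= MAX_LOOKALIKE_DISTANCE:
            findings.append(f"{label} domain {dom!r} is a lookalike of {COMPANY_DOMAIN!r} (edit distance {dist})")
        else:
            findings.append(f"{label} domain {dom!r} is external to {COMPANY_DOMAIN!r}")

    if reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain; replies would leave the apparent sender")
    return findings


def is_suspicious(raw: str) -> bool:
    """Convenience verdict for a mail rule: True if any finding was raised."""
    return bool(check_message(raw))


# Constructed sample messages (not real traffic).
LEGIT = (
    "From: \"Jane Doe\" <ceo@example.com>\n"
    "To: payments@example.com\n"
    "Subject: Q3 invoice\n\n"
    "Please process the attached invoice.\n"
)
LOOKALIKE = (
    "From: \"Jane Doe\" <ceo@examp1e.com>\n"      # digit 1 in place of letter l
    "Reply-To: <ceo@examp1e.com>\n"
    "To: payments@example.com\n"
    "Subject: Urgent wire\n\n"
    "Wire 50,000 today, confidential acquisition.\n"
)
REPLY_TO_MISMATCH = (
    "From: \"Jane Doe\" <ceo@example.com>\n"       # display name and address look right
    "Reply-To: <jane.doe@mail-example.net>\n"      # but replies are steered elsewhere
    "To: payments@example.com\n"
    "Subject: Urgent wire\n\n"
    "Reply with the account details.\n"
)

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("reply-to mismatch", REPLY_TO_MISMATCH)):
        print(name, "->", check_message(sample) or ["no findings"])
```

The `REPLY_TO_MISMATCH` case is the one employees most often miss: the “From” line passes a visual check, so the rule’s value is in catching the divergent “Reply-To”. In practice the check belongs in front of the human, as a banner or quarantine rule, rather than as the only control; the out-of-band phone confirmation described above still applies.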
And finally, don’t be afraid to run phishing tests throughout the year. More and more companies are doing this, both for educational purposes and to identify employees who are not following mandatory procedure. Though it may seem trivial, conducting semi-regular tests of this kind is a very inexpensive insurance policy that can save a company from multi-million dollar losses in the future.