Part VI: CEO Fraud ~ Board Oversight and Fiduciary Duty

Virus and malware defense has long been viewed as a purely IT problem. Even though some organizations appoint a Chief Information Security Officer (CISO), the fact remains that information security is often viewed as a challenge that lies well below board or C-level attention.

However, the events of recent years have highlighted the danger of this viewpoint. With the FBI warning corporations that they are at risk and so many high-profile victims in the news, organizations, led by their CEO, must integrate cyber risk management into day-to-day operations. Additionally, companies must take reasonable measures to prevent cyber-incidents and to mitigate the impact of the breaches that will inevitably occur.

The concept of acting “reasonably” is used in many state and federal laws in the United States, Australia, and other countries. Blaming something on IT or on a member of staff is no defense. CEOs are responsible for restoring normal operations after a data breach and for ensuring that company assets and the company’s reputation are protected. Failure to do so can open the door to legal action.

Let’s put it in these terms. A cyber breach could cost you the bid on a large contract, compromise intellectual property (IP) and cut into revenue, to name just a few of the repercussions. That places cybersecurity firmly at the top of the organizational chart, alongside every other form of corporate risk.

No matter the size of the company, the involvement of the CEO and communication with staff are critical to the leadership, livelihood and success of the company.

Next post ~ Technology vs. The Human Firewall. Think Before You Click!

Tina Louise ~ ~ 888.871.6584

Part V: CEO Fraud ~ Risk or Reputation – Who Is a Target?

The label of this category of cybercrime may be CEO fraud, but that doesn’t mean the CEO is the only one in the criminal’s crosshairs. The HR team, the IT manager, other C-level and senior executives, and anyone with finance approval authority are all likely to be on the receiving end of one of these attacks.

Finance: The finance department is especially vulnerable in companies that regularly make large wire transfers. All too often, sloppy internal policies demand nothing more than an email from the CEO or another senior person to initiate the transfer.

Cybercriminals usually gain entry via phishing, spend a few months doing reconnaissance and then formulate a plan. They mirror the usual wire transfer authorization protocol, hijack a relevant email account and send the request to the appropriate person in finance to transmit the funds. As well as the CFO, this might be anyone in accounts who is authorized to transfer funds.

HR: Human Resources represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organization, manages the employee database and is in charge of recruitment. As such, a major function is to open résumés from thousands of potential applicants. All the cybercriminals need to do is embed spyware in a résumé and they can surreptitiously begin their early data gathering. In addition, W-2 and PII scams have become more commonplace: HR receives requests from spoofed emails and ends up sending employee information such as social security numbers and employee email addresses to criminal organizations.

Executive Team: Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority. If their email accounts are hacked, the cybercriminals generally gain access to all kinds of confidential information, not to mention intelligence on the deals that may be in progress. Executive accounts must therefore receive particular attention from a security perspective.

IT: The IT manager and IT personnel with authority over access controls, password management and email accounts are further high-value targets. If their credentials are compromised, the attackers gain entry to every part of the organization.

No matter the size of the company, the involvement of the CEO and communication with staff are critical to the leadership, livelihood and success of the company.

Next post ~ Board Oversight and Fiduciary Duty. Think Before You Click!

Tina Louise ~ ~ 888.871.6584

Part IV: CEO Fraud ~ Who’s At Risk

Welcome back ~ Last month we took a look at social engineering and its techniques; let’s now look at who is at risk. Such attacks are anything but rare. In fact, they are so successful that billions are being plundered from corporate accounts. Here are some CEO fraud examples from the last couple of years:

The City of El Paso, Texas 2016: El Paso lost $3.1 million intended for a streetcar project to a person pretending to be a legitimate vendor. The city made two payments before discovering the scam. The city recovered half of the money.

SS&C Technologies Holdings 2016: A lawsuit by Tillage Commodities Fund alleges that financial services software firm SS&C fell for an email scam that led to Chinese hackers stealing $5.9 million. Staffers inadvertently aided the criminals by helping them fix the transfer orders so the money could be transferred. The scam emails added an extra “L” to Tillage as in Tilllage and contained unusual syntax and grammatical errors. The lawsuit seeks $10 million in damages, plus punitive damages and legal fees. A spoofed email, claiming to come from the CEO, requested that accounting transfer money to a foreign account for a fake acquisition. Although the company recovered some of the funds, the CEO lost his job.
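The extra “L” in the SS&C case is the kind of detail a simple mail-gateway or inbox rule can catch before a human has to. The script below is an added example, not code from this post or from any of the companies named: it flags a sender domain that is a near miss for a trusted partner domain (one or two characters added, dropped or swapped, or digits standing in for letters) and a display name that claims a trusted address while the real address is somewhere else. The trusted-domain list, the confusable-character table, the sample messages and the edit-distance threshold of 2 are all constructed assumptions for illustration.

```python
"""Flag lookalike sender domains and display-name spoofing in inbound mail.

Added example for illustration; the partner list, confusable table and
sample messages below are constructed, not taken from any real incident.
"""
import re

# Constructed list of partners the finance team legitimately pays.
TRUSTED_DOMAINS = {"tillage.com", "leoni.com", "mattel.com"}

# Substitutions attackers commonly use because they look alike in many fonts
# (a small constructed subset, not an exhaustive confusables table).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Assumed threshold: "tilllage.com" is 1 edit from "tillage.com".
MAX_EDIT_DISTANCE = 2


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(domain):
    """Lower-case and fold confusable characters so 'ti11age' reads 'tillage'."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def classify_sender(display_name, address, trusted=TRUSTED_DOMAINS,
                    max_distance=MAX_EDIT_DISTANCE):
    """Return 'trusted', 'lookalike', 'display-name-spoof' or 'unknown'.

    'lookalike': the real sending domain is within max_distance edits of a
    trusted domain (after confusable folding) but is not that domain.
    'display-name-spoof': the From display name shows a trusted address or
    brand while the actual address is on an unrelated domain.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"

    norm = normalize(domain)
    for t in trusted:
        if levenshtein(norm, normalize(t)) <= max_distance:
            return "lookalike"

    # A trusted address embedded in the display name, e.g. 'CEO <ceo@mattel.com>'.
    m = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display_name)
    if m and m.group(1).lower() in trusted:
        return "display-name-spoof"
    # Or the partner's brand (left-most label) used as the display name.
    shown = display_name.lower()
    if any(t.split(".")[0] in shown for t in trusted):
        return "display-name-spoof"
    return "unknown"


def scan_messages(messages):
    """Return (subject, verdict) for every message that is not trusted/unknown."""
    flagged = []
    for msg in messages:
        verdict = classify_sender(msg["from_name"], msg["from_addr"])
        if verdict in ("lookalike", "display-name-spoof"):
            flagged.append((msg["subject"], verdict))
    return flagged


# Constructed sample headers, not real mail.
SAMPLE_MESSAGES = [
    {"from_name": "Tillage AP", "from_addr": "ap@tillage.com",
     "subject": "Invoice 1042 (legitimate)"},
    {"from_name": "Tillage AP", "from_addr": "ap@tilllage.com",
     "subject": "URGENT: updated wire instructions"},
    {"from_name": "Bob Chief <ceo@mattel.com>", "from_addr": "bob.chief@gmail.com",
     "subject": "Confidential acquisition payment"},
    {"from_name": "Newsletter", "from_addr": "news@example.org",
     "subject": "Weekly digest"},
]

if __name__ == "__main__":
    for subject, verdict in scan_messages(SAMPLE_MESSAGES):
        print(f"{verdict:20} {subject}")
```

The edit-distance check only catches near misses; a registrant who uses a different top-level domain or appends a word (tillage-payments.com) slips past it, which is why the display-name check and, more importantly, an out-of-band callback to a known phone number before changing any wire instructions still matter.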

Leoni AG 2016: This cable manufacturer lost $44 million to a CEO fraud attack using emails crafted to look like legitimate payment requests from the head office in Germany, asking for the money to be sent from a subsidiary in Romania. The CFO of the Romanian operation was the victim of the scam. She was taken in by the realistic-looking emails and by the fact that the scammers had extensive knowledge of the internal procedures for approving and processing transfers at Leoni. This indicates that they had penetrated the network earlier, probably through phishing emails, and had been snooping for months.

Mattel 2016: The toy manufacturer Mattel transferred $3 million to an account in China after receiving a spoofed email supposedly from the CEO. Fortunately, the finance executive who transferred the money bumped into her boss a short time later and mentioned the deal. As little time had elapsed, the bank in China still had the funds and returned them to Mattel.

Pomeroy Investment Corp 2016: Not so lucky was this firm in Troy, Michigan, which transferred almost $500,000 to a Hong Kong bank after the email account of a company executive was hacked. The error was noticed eight days after the transfer, and by then the money was long gone.

No matter the size of the company, the involvement of the CEO and communication with staff are critical to the leadership, livelihood and success of the company.

Next post ~ Risk or Reputation – Who Is a Target? Think Before You Click!

Tina Louise ~ ~ 888.871.6584

Part III: CEO Fraud ~ Social Engineering

Social Engineering: All of the techniques covered in the last post fall under the broader category of social engineering. This innocuous-sounding label originally meant the application of sociological principles to specific social problems.

But within a security context, it has come to signify the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel.

This can include their contact information, connections, friends, ongoing business deals and more. Unfortunately, these scams have a high rate of success. The Verizon 2016 Data Breach Investigations Report revealed a shocking 30% of recipients open phishing messages and 12% click on attachments.

Many of these breaches happen within two minutes of receipt. That means IT has little chance of catching this malicious traffic before it hits inboxes. While phishing emails may not directly lead to CEO fraud, they are the top avenue of entry for malware and spyware into the enterprise.

Once inside, cybercriminals can bide their time, casing out the financial connections and interactions within the company. They can sit unobserved for months while they study the key individuals and the protocols needed to perform wire transfers in that business environment, and eventually they learn enough to spring a convincing BEC attack, usually posing as a company executive or accounts personnel.

The FBI identifies five main scenarios by which this scam is perpetrated:
Business working with a foreign supplier: This scam takes advantage of a long-standing wire-transfer relationship with a supplier, but asks for the funds to be sent to a different account.
Business receiving or initiating a wire transfer request: The attackers compromise the email accounts of top executives. Another employee then receives a message to transfer funds somewhere, or a financial institution receives a request from the company to send funds to another account. These requests appear genuine because they come from the correct email address.
Business contacts receiving fraudulent correspondence: The attackers take over an employee’s email account and send invoices out to the company’s suppliers, so that money is transferred to bogus accounts.
Executive and attorney impersonation: The fraudsters pretend to be lawyers or executives dealing with confidential and time-sensitive matters.
Data theft: Fraudulent emails request either all wage and tax statement (W-2) forms or a company list of personally identifiable information (PII). These come from compromised and/or spoofed executive email accounts and are sent to the HR, accounts or auditing departments.

Next post ~ find out who is at risk, and while you’re waiting with bated breath remember... Think Before You Click!

Tina Louise ~ ~ 888.871.6584


Part II: What Is Known About CEO Fraud

These attacks can be initiated by any of the following methods, alone or in combination:

Phishing: Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” for sensitive information by posing as reputable sources, often with legitimate-looking logos attached. Banks, credit card providers, delivery firms, law enforcement and the IRS are a few of the common ones. A phishing campaign typically shoots out emails to huge numbers of users. Most go to people who don’t use that bank, for example, but by sheer weight of numbers these emails reach a certain percentage of likely candidates.

Spear Phishing: This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users. The email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included, perhaps the person’s name or the name of a client.

Executive “Whaling”: Here, the bad guys target top executives and administrators, typically to siphon off money from accounts or steal confidential data. Personalization and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.

In our next blog we will cover social engineering and how the above techniques fall under that broader category.

We are excited to launch our new website. We have a new look and hope you enjoy it and share it with your friends and partners.

Remember…Think Before You Click!

Tina Louise ~  888.871.6584



Part I: Understanding CEO Fraud

What is CEO Fraud? The FBI calls it Business Email Compromise and defines BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

CEO fraud is another name for this scam, and it usually involves tricking someone into making a large wire transfer into what turns out to be a bogus account. On a few occasions, however, checks are used instead of wire transfers. Recent FBI reports estimate losses of $2.3 billion.

Most victims are in the US (all 50 states), but companies in 100 other countries have also reported incidents. While the fraudulent transfers have been sent to 79 countries, most end up in China and Hong Kong. Unless the fraud is spotted within 24 hours, the chances of recovery are small; that is why only 4% of the funds are ever retrieved.

Certainly, large enterprises are a lucrative target, but small businesses are just as likely to be the mark. Other than being a business that engages in wire transfers, there is no discernible pattern in terms of a focus on a particular sector or type of business. The bad guys don’t discriminate!

Next week ~ the methods by which CEO fraud attacks are initiated. Think Before You Click!

Tina Louise ~ ~ 888.871.6584

Pay Attention CEO, You’re A Target!

Over the next several weeks I am going to dedicate my posts to all C-level executives and the importance of keeping your eye on the ball, and that ball is your company and its financial future.

These CEO Fraud Prevention posts will provide a thorough overview of how to deal with this exponentially growing wave of cybercrime. I will explain how top executives in Finance are hoodwinked, how companies are compromised, how millions are siphoned off by criminals, and what your fiduciary responsibilities are. I will cover how to prevent such an attack as well as what to do if you become the latest victim, including checklists of the key steps.

What is CEO Fraud? It has ruined the careers of many executives and loyal employees. Successful CEOs have been fired because of it. Stock prices have collapsed. IPOs and mergers have been taken off the table. Known as CEO fraud or Business Email Compromise (BEC), the FBI reports that this type of cybercrime has victimized more than 22,000 organizations worldwide and is responsible for losses of more than $3 billion.

Despite these statistics, cyber-risk management remains a blind spot for most C-level executives. Yet any company, led by its CEO, must quickly learn to integrate these skills and technologies into day-to-day operations or face the consequences. I am a firm believer that “Knowledge Is Power”. You grew your companies with late nights and hard work, so do not allow the bad guys to steal your brand and reputation.


Next week I will dive in with the topic of “Understanding CEO Fraud”; till then…

Think Before You Click!

Tina Louise Penn    888.413.9186