We received a phone call from a company asking to meet with us about a new fraud issue they were experiencing. In that meeting we discovered that the company had fallen victim to an email spoofing scheme that cost them hundreds of thousands of dollars. We have since received similar calls from other victim organizations.
Here’s the Story…
The company regularly conducts business around the world, which involves a significant amount of international dealings, including frequent wire transfers. When the Director of Finance received an email that appeared to originate from the CEO himself and contained wiring instructions, including the routing and account numbers, he followed the instructions exactly. The problem is that the email only appeared to come from the CEO. Over a series of several similar emails authorizing other electronic funds transfers, the Director of Finance wired several hundred thousand dollars to the various accounts listed in the emails. Shortly thereafter, the company learned that the emails were entirely fraudulent. The CEO had not sent them, and there was no legitimate business purpose for the wires.
After working with counsel, the company’s bank, and foreign law enforcement agencies, the company was able to recover only a fraction of the total transfers. In this case the CEO’s emails had been “spoofed.” There are a number of concerns to be addressed in spoofing cases like this one. Initially, the biggest concern is recovering the funds. But a potentially greater concern is how the system was breached so that the spoofed emails could be created and sent in the first place.
How can you protect yourself and your organization?
Here are a few measures to consider to help minimize the risk within your organization:
- Dual Signatures/Authorization – Implement a practice that requires two separate individuals to approve and process electronic transactions. Require one individual to set up payments, and require a second individual to review, approve and process the transactions.
- Limiting Transaction Amounts – Consider establishing dollar thresholds, where transactions exceeding the threshold require additional scrutiny.
- Network Security – Be sure to remain current on all network security programs and software systems. Implement and enforce system-wide updates regularly, including password changes for all users on all systems.
- Digital Forensic Consultants – Develop a relationship with a technology firm that specializes in protecting systems from attacks, such as viruses, phishing and spoofing. Require regular updates from the firm to keep you updated on the latest schemes and
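As an added illustration (not code from the article or the victim company), the dual-authorization and threshold controls above expressed as a release check for wire requests: the threshold amount, the role names and the account identifiers are assumptions and placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy value for this example; the article sets no specific dollar figure.
SCRUTINY_THRESHOLD = 50_000.00

@dataclass
class WireRequest:
    amount: float
    beneficiary_account: str
    initiator: str                       # person who set up the payment
    approver: Optional[str] = None       # second person who reviewed it
    confirmed_out_of_band: bool = False  # requester reached on a known number, not via the email

def approve(req: WireRequest, approver: str, confirmed_out_of_band: bool = False) -> WireRequest:
    """Record the second-person review; whoever set up the wire can never approve it."""
    if approver == req.initiator:
        raise ValueError("separation of duties: the initiator cannot approve their own wire")
    req.approver = approver
    req.confirmed_out_of_band = confirmed_out_of_band
    return req

def blocking_issues(req: WireRequest) -> list:
    """Return every policy violation that must be cleared before release (empty = releasable)."""
    issues = []
    if req.approver is None:
        issues.append("no second approver recorded")
    elif req.approver == req.initiator:
        issues.append("initiator and approver are the same person")
    if req.amount >= SCRUTINY_THRESHOLD and not req.confirmed_out_of_band:
        issues.append("amount at or above threshold requires out-of-band confirmation with the requester")
    return issues

def release(req: WireRequest) -> bool:
    """A wire goes out only when no policy issue remains."""
    return not blocking_issues(req)

def demo() -> dict:
    """Replay the article's scenario: one person acting alone on an emailed instruction."""
    # Constructed sample request; the account identifier is a placeholder.
    solo = WireRequest(180_000.00, "ACCT-PLACEHOLDER-1", initiator="director_of_finance")
    solo_sent = release(solo)            # False: no approver and no callback to the CEO
    # The same request under dual control, with the CEO confirmed on a known phone number.
    dual = WireRequest(180_000.00, "ACCT-PLACEHOLDER-1", initiator="director_of_finance")
    approve(dual, "controller", confirmed_out_of_band=True)
    return {"solo_sent": solo_sent, "solo_issues": blocking_issues(solo), "dual_sent": release(dual)}
```

Calling `demo()` shows the article's single-person flow blocked for two reasons, while the same wire passes once a different reviewer approves it after confirming the request with the CEO directly.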
Additional information is available in the January/February 2016 issue of Fraud Magazine.