Imagine you’re a mid-level employee in your company’s finance division. It’s Friday afternoon, and you’re about to clock out for the day when you get an email from the CFO—your boss’s boss—instructing you to wire funds to an external bank account. Eager to get the job done quickly and impress the higher-ups, you immediately execute the wire and start your weekend. But the email wasn’t really from the CFO. And the account to which you wired money belongs to a crook. Just like that, the company has become the victim of financial fraud. Members of corporate finance teams, as well as financial advisers, mortgage escrow agents, and others—people whose job allows them to wire corporate funds—have all been targeted in similar scams. One public company lost a whopping $30 million to the scam, leading to the resignation of its CFO. How do fraudsters convince companies to willingly wire massive amounts of money?
They “spoof” an email address by buying up internet domains that, when eyeballed quickly by a harried employee, look just like the company’s or client’s legitimate domain—“exannple.com” for “example.com”—and by data mining publicly-available information to mimic email addresses of high-ranking company officials;
Or they hack into a client’s or senior official’s actualemail account and send the fraudulent wiring instructions from there;
They open sham bank accounts to receive the funds;
And—most importantly—they use social engineering to game the employees’ response: they count on the employees’ eagerness to please, their reluctance to question a boss’s or client’s wishes, and their desire to get out of the office on a Friday afternoon (when these emails usually come in).
Though it uses technology, this cybercrime is a low-tech as they come—the fraud isn’t new; email has just made it easier to fool the victim. So how can CEOs, CFOs, general counsel, compliance officers, audit committees, and others help their companies not fall for it?First, put in place smart controls and procedures, including telephone verification. Companies both big and small should consider policies that (at the very least) require telephone (not email) follow-up with the requestor before any wire transfer is made. For certain companies, it also might make sense to have the CFO or other senior official approve any wire transfer over a pre-determined amount. Some financial advisers are even establishing verbal-only code words with their clients, so when they verify by telephone, the financial adviser can be sure they’re talking to their client and not the crook. Second, train and educate. In addition to training employees on the company’s wire transfer controls and procedures, employees should be instructed to closely inspect incoming email messages for anomalies, such as transposed letters in the domain name. (This will also help the company protect itself from phishing attacks in spoofed emails.) Employee education is a key line of defense against cyber attacks. Third, keep an eye on internet domain registrations that look suspiciously like your company’s, and, if you find them, ask the registrar to take them down. Not only can such domains be used for this scam, but hackers can use them to harvest your employees’ login credentials, leading to network intrusions. Finally, if you think you might have fallen victim to this scam, call the lawyers. A full attorney-client privileged internal investigation, with the assistance of computer forensics experts if necessary, is the best and safest way for the company to quickly figure out what happened, and to institute remedial measures to help protect the company from it happening again. Lawyers will also help the company to focus on the important questions quickly, including whether and how to involve law enforcement, whether insurance coverage is available, what if any disclosure obligations the company has, and more. + + + Gus Coldebella is a litigation, investigations and cybersecurity principal at Fish & Richardson, and was the acting general counsel of the U.S. Department of Homeland Security.
Gus P. Coldebella, a member of the National Law Journal’s inaugural class of “Cybersecurity Trailblazers” in 2015, is a principal in the Commercial Litigation Group in Fish’s Boston and Washington, D.C. offices. His practice involves helping companies deal with all aspects of...