JASON RESNICK | WG VICE PRESIDENT AND GENERAL COUNSEL AGRICULTURE & THE LAW
Business Email Compromise Schemes on the Rise Don’t let your company be a victim
From: robert.hanigan@prodeuce.com To: jane.rigby@prodeuce.com Subject: Wire Transfer
attackers have spoofed Robert Hannigan’s email address (note the spelling of his name in the email is off by one letter) and assumed his identity. From Jane’s point of view, the email appears as real as the countless others she has received from her boss over the years, although the urgent request to wire such a large amount of money from Rob, she would later admit, was unusual. However, actual cases like this one happen every single day. The FBI has been tracking BEC crime since 2013, and has found that international crime groups have targeted companies of all sizes in every state in the United States and more than 100 countries, resulting in losses of more than $3 billion to U.S.-based victims alone. Sophisticated criminal enterprises employ hackers, social engineers, linguists and lawyers. They have become increasingly adept at the art of deceiving and exploiting unsuspecting victims to perpetrate these schemes. The attacks are often targeted and planned far in advance before sending the attack email. Oftentimes, they use malware to spy on the organization’s employees—learning the internal facets of the organization including the email and communication styles of executives, vendor payment processes, and billing systems. Using this information, they are able to credibly impersonate the executive and send a money-transfer request to the carefully targeted employee with access to company finances. They then attempt to deceive them into wiring funds to bank accounts thought to be trusted, but are actually offshore accounts controlled by the criminals. Phony Invoices The phony invoice scheme is not new. Criminals have long sent bogus invoices to companies knowing that some percentage of them will be paid without question. A more sophisticated BEC version of the fraud involves
Hey Jane, I’m traveling today. We are expanding operations in Mexico and things are moving rapidly. I need you to send a wire transfer ASAP. Wire instructions are below.
Thanks for jumping on this! Rob
Jane reviews the rest of the email from the company’s CEO and dutifully wires $365,000 in company funds to the account listed in the email. When he returns to the office the next day, Jane is pleased to report that the wire transfer was successful. Rob immediately looks puzzled and concerned. “What are you talking about, Jane?” “The email you sent yesterday? You asked me to transfer $365,000 to our vendor so we can expand our Mexico operations. Look, here’s the email.” Jane hands Rob a printed copy of the email. He reads it and turns pale. “Jane, I don’t understand. I didn’t send that email.” “Well if you didn’t send it, who did?” “I don’t know,” says Rob, “but there are two ‘n’s in Hannigan – and I think we’ve been taken for $365,000.” CEO Fraud The anecdote above is an example of “spear phishing,” a type of business email compromise (BEC) scheme in which criminals impersonate a high-level executive and attempt to trick employees into sending money to an overseas account they control. In the fictional example of CEO fraud above,
22 Western Grower & Shipper | www.wga.com JULY | AUGUST 2019
Made with FlippingBook - professional solution for displaying marketing and sales documents online