Don’t Fall Prey to This New Scam Targeting CFOs and Bookkeepers cybersecurity

April 20, 2020 - 9 minutes read

If you had to make a list of some of the most pressing issues facing business owners in the modern era, cybersecurity would undoubtedly be near the top.

But the major thing that many people don’t realize until it’s far too late is that the common image you think of when you hear the term “hacker” — that is, someone with years of extensive computer experience trying a myriad of different techniques to gain access to your systems and IT infrastructure without your knowledge — is rarely indicative of the actual cybercrimes taking place around the world on a daily basis.

One of the most common types of scams these days is also, sadly, among the most effective. In fact, it doesn’t technically involve any “hacking” at all — it merely puts the principles of social engineering to work in a way that you and your people must be aware of moving forward.

The State of CEO Fraud: Breaking Things Down

Take the case of Barbara Corcoran, for example — an entrepreneur and television personality that you may recognize best from the hit series Shark Tank. Recently, she was cheated out of nearly $400,000 in a phishing scam after scammers gave directions to her bookkeeper to forward funds directly to a company that claimed to be one she was doing business with.

The issue was that Corcoran’s bookkeeper assumed the received email was legitimate, as it was virtually identical to one used by Corcoran’s personal assistant with the exception of a single character that was easy to miss. What makes this incident particularly fascinating is that Corcoran said she believes the scammers in question had actually tried a similar trick about six months prior and, and when it didn’t work, they “came back for a second shot.”

Corcoran said that from her own perspective, the scam was “so simple and so well-executed” — to the point where she describes it as something of a “hit and run” situation. Everything from the first contact all the way up to the transferring of the funds was executed with just five emails. Corcoran gave a statement saying that she “felt sick to her stomach” once she realized what was going on, particularly because she assumed that she was never going to see a dime of that money ever again.

Now, this particular story does have a happy ending because Corcoran later confirmed to the people at USA Today that she did get her money back after her own bank put pressure on the German bank that was acting as an intermediary in the transaction. The German bank froze the money transfer, giving Corcoran and her team time to prove that fraud had taken place. But it’s also important to remember that this is the type of luxury an average small business may not have.

Indeed, it’s easier than ever these days for even an accomplished and experienced CEO to fall victim to this level of fraud. The modern-day cyberattack isn’t perpetrated by a hacker army sitting in a room somewhere surrounded by computers, just waiting to capitalize on any opportunity to gain access to your network. Most of the time, they don’t even need access at all — they just need to take advantage of someone who isn’t paying quite as much attention as they should be.

For another common attack scenario, consider the example of a CFO who receives an email request from the CEO of a company with directions to wire $150,000 into a specific bank account to help secure a new contract. If that CFO isn’t looking at things as carefully as they should be, it would be easy to miss the fact that the CEO’s email was spoofed. The FBI calls this type of scam “Business Email Compromise,” and according to their own internal studies, it’s now one that generates about $26 billion for hackers every single year. Not only that, but there was a 100% increase in global losses between May of 2018 and July of 2019. To make matters worse, this type of scam has been reported in not only all 50 states, but in 150 countries around the world, too.

Combating CEO Fraud: Tips and Best Practices

One of the most important things to take away from all of this is that in the vast majority of all situations, it wasn’t lax cybersecurity that allowed these types of attacks to take place. It had nothing to do with antivirus software that was out-of-date or reactive network scanning technology. Nearly every one of these incidents that you read about were made possible for the same simple reason:

Poor processes.

Therefore, the solution to these issues is equally straightforward: Improve your processes, and you’ll improve your cybersecurity as well.

The targets of these attacks tend to be employees that report directly to company leadership – meaning CFOs, bookkeepers and other people playing critical roles in the operation of a business on a daily basis. There tends to be an interesting power dynamic at play here, where the employees don’t actually take the necessary steps to verify such a request because they don’t want to be seen as “questioning authority.”

Which, of course, is possibly the number one factor that you need to correct sooner rather than later.

The FBI has provided several different tips that people can use to prevent this type of financial fraud, including but not limited to things like:

  • Training your employees to ALWAYS verify email communication or requests of this nature over a different channel. If a request for a large wire transfer looks suspicious, those employees need to pick up the phone and make sure it’s legitimate or — better yet — come directly into your office and do so in person.
  • You should also be using a second form of verification for wire fund transfers. People won’t fall victim to a spoof email business scam if they know it’s your policy to never make such requests over email in the first place.
  • Likewise, you should flag ALL emails with extensions similar to company email domain names. This will help weed out those fraudulent emails, making it easier (and quicker) to identify them.
  • Finally, all email communications should be flagged when the reply email address is different from the email address being shown in your mail client.

In the end, it’s important to understand that these types of attacks aren’t going anywhere anytime soon. If anything, they’re only going to get more popular as time goes on because they’re so easy and so effective.

If you DO end up falling prey to this type of attack, the United States Chamber of Commerce recommends contacting both banks involved in the transfer to let them know what is going on. Likewise, you should immediately contact your local FBI or Secret Service field offices to bring them in, too. The Chamber of Commerce says that if you’re able to act within one or two days, it significantly improves your chances of recovering the stolen money, meaning that time is very much of the essence and this is one situation where you can’t afford to just sit back and “wait to see how everything plays out.”