
# Financial Controls for Business Email Compromise Prevention

Published by Brendan Fitzpatrick

The US Treasury recently reported that Business Email Compromise (BEC) scams, sometimes referred to as “fake CEO scams,” cost U.S. businesses an average of $300 million each month in 2018. These scams are on the rise; according to Trend Micro, the number of BEC attempts worldwide increased by ~28% between 2017 and 2018. We have found that many of our new customers are susceptible to at least one version of this scam, so we wanted to share our best practices and provide actionable steps to ensure that all organizations are aware of what they can do to minimize their exposure to this risk.

## A Scam Targeting the Finance Department

In the common version of the scam, an employee in finance with wire transfer authority receives an email from a high-level executive (typically the CEO or CFO) asking for a significant amount of money to be wired to a specified bank account number. Unfortunately, the executive’s email account has been hacked, and the email has actually been sent by the scammer. The employee makes the transfer, and the money ends up in a fraudulent overseas account.

In one of the most well-known examples, a finance executive at toy maker Mattel received an email that appeared to be from the then-new CEO, requesting a $3 million payment to a new vendor in China. The company’s protocol was that two high-ranking managers had to approve a request of that size, but since the finance executive and the CEO both qualified, the money was wired to the vendor’s (in fact, the scammer’s) bank account in China. The company realized what had happened hours later, when the executive casually mentioned the payment to the CEO.

## 13 Financial Controls to Protect Your Business from Falling for Scams

  • When an employee requests a funds transfer, the company always verifies the identity of the employee making the funds transfer request by calling a telephone number on record or emailing an address on file.
  • When an employee requests a funds transfer, the company requires at least two authorized signatures to approve such transfer, payment, or delivery of funds.
  • When a vendor requests a funds transfer, the company always confirms that the vendor is in fact owed the requested amount.
  • When a vendor requests a funds transfer, the company always verifies any change in the vendor’s bank account information by calling a telephone number on record or emailing an address on file.
  • When a vendor requests changes to its funds transfer instructions, the company always logs when the changes were confirmed with the vendor and who at the vendor confirmed the changes.
  • When a vendor requests a funds transfer, the company requires at least two authorized signatures to approve such transfer, payment, or delivery of funds.
  • There is a written process detailing how to complete a call back when a vendor requests a funds transfer (e.g., requiring that the wire instructions be conveyed orally, requiring verification of all wiring and account details, including the ABA number).
  • Financial controls, including the above described controls, are consistently deployed throughout all locations, including any non-US locations.
  • Any employees authorized to approve or execute funds transfer requests at the company shall not perform more than one of the following duties: requesting, initiating, recording, and reconciling.
  • The policies and procedures related to funds transfer requests are documented.
  • All employees that are authorized to approve or execute funds transfer requests are required to attest that they have read and understand the policies and procedures.
  • All employees have been made aware of, through training and awareness activities, the risks of fraudulently induced payment scams such as the fake CEO scam, “fake presidents,” business email compromise, fraudulent vendor invoices, and vendor payment diversion.
  • In the event that an unauthorized party initiates a funds transfer, requests a funds transfer, or makes or requests changes to funds-transfer instructions, the company’s employees know and understand how to escalate the situation appropriately.
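As an added illustration (not Axio’s code and not part of the original post), the controls above can be expressed as an automated check that a payment-approval workflow blocks on: identity verification of the requester, two distinct approvers, the vendor actually being owed the amount, segregation of the four duties, and a logged, call-back-confirmed change whenever the destination differs from the account on file. Vendor, account and employee names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example (not Axio's code): the page's funds-transfer controls as workflow findings.

@dataclass
class Vendor:
    name: str
    account_on_file: str
    amount_owed: float           # total of approved, unpaid invoices

@dataclass
class BankChangeLog:             # who confirmed a vendor account change, and how
    new_account: str
    confirmed_via: str           # expected: "phone on record" or "email on file"
    vendor_contact: str          # person at the vendor who confirmed the change

@dataclass
class TransferRequest:
    vendor: Vendor
    amount: float
    destination_account: str
    duties: Dict[str, str]       # requesting/initiating/recording/reconciling -> employee
    approvers: List[str] = field(default_factory=list)
    requester_verified: bool = False   # identity checked via number/address on file
    bank_change: Optional[BankChangeLog] = None

def control_findings(req: TransferRequest) -> List[str]:
    """Controls from the list above that this request fails; [] means it may proceed."""
    f = []
    if not req.requester_verified:
        f.append("requester identity not verified by number/address on file")
    if len(set(req.approvers)) < 2:
        f.append("fewer than two distinct authorized approvers")
    if req.amount > req.vendor.amount_owed:
        f.append("amount exceeds what the vendor is owed")
    if len(set(req.duties.values())) < len(req.duties):   # segregation of duties
        f.append("one employee holds more than one of request/initiate/record/reconcile")
    if req.destination_account != req.vendor.account_on_file:
        log = req.bank_change
        if log is None or log.new_account != req.destination_account:
            f.append("destination differs from account on file with no logged confirmation")
        elif log.confirmed_via not in ("phone on record", "email on file") or not log.vendor_contact:
            f.append("account change not confirmed via contact details on record")
    return f

def constructed_diverted_request() -> TransferRequest:  # constructed sample: diversion attempt
    v = Vendor("Example Parts Ltd", "ACCT-ON-FILE-001", amount_owed=25000.0)
    duties = {"requesting": "alice", "initiating": "alice", "recording": "bob", "reconciling": "carol"}
    return TransferRequest(v, 25000.0, "ACCT-NEW-999", duties, ["alice"], requester_verified=True)
```

Running `control_findings(constructed_diverted_request())` reports three failures (single approver, one person both requesting and initiating, and a new destination account with no confirmed change), which is exactly the pattern the Mattel example and the vendor-diversion controls describe.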

CEO scams are extremely common and are becoming more advanced, and they can cost companies hundreds of thousands to millions of dollars in damages. Many companies are susceptible to these scams, and without proper security in place they are both more likely to be targeted and less able to deal with the ramifications. It’s important to know the steps that reduce the risk of a CEO-focused scam and to put the right cybersecurity in place.

## How to Prevent CEO Fraud

You can prevent CEO fraud with the help of Axio Global Inc. Its cyber risk management services can improve your security. Preventing CEO scams is possible with Axio Global Inc. by identifying all cyber risks that are currently present, including ones you may not have considered. You can also estimate your all-in cost exposure and obtain recommendations, all based on identified program gaps. Once you have this information, it’ll be easier to report the progress you’ve made in securing your data and communicate it to your business leaders.

Upgrading the technology that is used is the best defense to reduce the risk of CEO scams and avoid significant financial loss.

## How to Identify CEO Fraud

You can quickly identify CEO fraud by checking for any emails that mention gift cards. Gift card scams are extremely common and are used to manipulate employees into surrendering valuable information or data.

Pretexting is also common and involves the attacker emailing an employee multiple times to build trust before a request is made. It’s also important to look out for emails that appear to have been sent from mobile devices.

## Get started with an Axio360 demo today

Cyber risk is one of the greatest challenges of our generation. Despite the need, organizations struggle to get actionable visibility into their cyber risk. Protection technology has been the dominant focus thus far, but it’s not a silver bullet. Managing risk requires continuous evaluation across people, processes, financial controls, and technologies.

At Axio, we believe that every organization can have the means to solve its unique cyber risk challenges. We created the Axio360 platform to deliver on that belief. Our proprietary approach and insights give companies visibility into their cyber risk and enable them to prioritize investments to protect their business, customers, and employees.

Request an Axio360 demo, and see how our software can have an immediate and tangible impact on your business.