When thinking about cyber and fraud attacks, people tend to picture malicious software or a bug clinging to company files and acquiring all of the company’s information. However, fraud and cyber attacks have become easier, so easy that your boss can now be the one to trigger an attack. This happens through a cyberattack called “Executive Impersonation.”
Executive Impersonation is an attack trend that is part of a set of attacks labeled Business Email Compromise (BEC). According to the Federal Bureau of Investigation, BEC attacks have been reported in all 50 states and in 100 countries, costing companies $3.1 billion globally.
BEC is a cyber scam that targets companies that host money internationally or that regularly work with foreign suppliers and businesses.
Specifically, Executive Impersonation is where thieves use the internet, social media and out-of-office email responses to trick executives into wiring money to a foreign bank account.
Criminals obtain vital information, such as travel dates, email addresses and the names of employees responsible for the company’s finances, by snooping on LinkedIn, monitoring status updates on Facebook and posing as recruiters to gain access to directories.
Fraudsters then confirm that the actual executive is gone by tracking out-of-office replies. After confirming, the attacker sends an email asking the employee who oversees finances to wire funds to a foreign location to assist with an “urgent, high-stakes deal.”
Messages appear authentic and are untraceable, as they come from one-time-use email accounts that are almost identical to the company’s email accounts. For example, if an actual address is CEO@vidcom.com, the fake address might be CEO@vidicom.com.
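A mail filter can catch the near-identical sender addresses described above before they reach the finance team. The Python below is an added example, not part of the original article: it classifies a From header as internal, lookalike or external by edit distance to the company's real domain. The trusted-domain list, the distance threshold and the sample headers are assumptions built around the article's vidcom.com example.

```python
from email.utils import parseaddr

TRUSTED_DOMAINS = {"vidcom.com"}  # the article's example company domain
MAX_DISTANCE = 2  # assumed threshold; tune it for your own domain length


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling single-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"  # unparseable sender: never treat as internal
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "internal"
    for trusted in TRUSTED_DOMAINS:
        # Close to a trusted domain but not equal: likely impersonation.
        if edit_distance(domain, trusted) <= MAX_DISTANCE:
            return "lookalike"
    return "external"


# Constructed sample headers, not real traffic.
SAMPLES = [
    "CEO <CEO@vidcom.com>",
    "CEO <CEO@vidicom.com>",
    "CEO <ceo@VIDC0M.com>",
    "Supplier <billing@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):10} {header}")
```

A "lookalike" result is a reason to hold the message and verify the request through a second channel, not proof of fraud on its own.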
Due to Executive Impersonation’s pervasiveness, the American Institute of CPAs published preventative steps in its September 2016 fraud report. The report presents studies of companies that have suffered from this type of attack and offers steps to recognize and avoid it.
Your company can help to prevent an executive impersonation attack with proper internal control procedures such as:
- Requesting dual authorization and verification by having two executives and/or a financial partner in place to review and approve requests.
- Providing regular staff training and announcements to keep staff aware of current threats and attacks.
- Choosing the right financial partner to advise your company on best practices, identify fraud activity and educate your company on current threats.
Don’t let weak internal controls expose your business to losses, fraud and material errors. Contact a specialist at Conexus CPA Group to learn how we can design, assess, implement and strengthen your internal controls to protect your company.