Image Alt

Utah Business


CFO Fraud – The Latest on the Cybercriminal Highway

The number of fraud and malicious actors on the cybercriminal highway continues to grow exponentially. New focus is being given to things like AI (artificial intelligence) to help fight new threats but so much of the carnage is a result of basic human error. Here is a summary of the most common security traps and the best solutions to thwart them.


Two common scenarios:


1. Imagine that your boss just left town on a business trip and, while he is traveling, you receive an urgent email requesting an existing invoice be paid immediately. The client and amount are legitimate. The reason to get it paid immediately is slightly abnormal, but the account is different than what is on file. You send an email verifying the payment, and promptly receive a reply stating it needs to be paid within the hour to make sure your company stays in good standing with the client.

2. What if your boss sent you an email asking you to go and purchase a few gift cards to give out to customers. His email asks you to quickly buy them and take pictures of the back of the cards and email the redemption numbers to your boss.

Would you pay the invoice or purchase the gift cards? Can you imagine working for two weeks (and in some situations for an entire month) only to see your salary get deposited into someone else’s bank account? There are thousands who already have!

These are examples of the most recent attack methods hackers are using to trick businesses into funding their criminal activities. In 2018, the information security department at Tanner LLC saw a dramatic uptick in these types of breaches. How can these breaches be prevented from occurring? Here are a few suggestions below.


Follow Company Policy

The first suggestion is to create an internal policy to verify transactions. The only way to completely mitigate this risk is to make sure every wire transfer is accompanied with a “verbal” approval. Getting the CEO on the phone or walking into their office before a wire transfer is sent is paramount. There is no way a criminal can circumvent verbal approval, at least not yet.


Create Complex Passwords

Second, make sure the CEO and CFO have complex passwords set up on their email accounts. It is shocking how often email accounts are attacked. I would even suggest forcing email accounts to require dual-factor authentication. This would require a username/password and a text message verification before account access is allowed. There are a number of cost-effective software solutions available to make it so users don’t have to receive a text message every time they want to access their email account.


Anti-Spoofing Email Rules

To help explain this, let’s draw a comparison to the United States Postal Service. When a letter is sent in the mail, the postal service does not verify the return address before sending the letter. Because of this, it is technically possible to send a letter and make it appear it came from the White House or use the same “sending” address as the return address, making it look like it came from the same place it was sent.
Similarly, it is very simple to send an email and make it look like it came from anyone in the world. This is called Email Spoofing and it happens more often than you might think. It is very simple for a person managing your email system to write a rule to block all incoming email that originated outside the domain to the same domain. In other words, it would block all email entering the system that has the same sending address as the return address. There isn’t a logical reason a person would want to receive an email from themselves that originated from another location.


Anti-forwarding Email Rules

In the same vein, when a hacker compromises an email account, the first thing they do is create a rule to automatically download and scan all the person’s email and receive a copy of all inbound/outbound email. That is why hackers can send well-crafted emails about a legitimate customer, with a realistic invoice amount. The only issue is they need you to wire the money to their account.

Like the Anti-Spoofing rule, the easiest way to prevent this from occurring is to set up an anti-forwarding rule. This would be like not allowing the postal service to open and make a photocopy of your mail and send the copy to another address.

Unfortunately, statistics tell us that most of the people reading this article have already either received an email from a compromised account, heard about a company being duped into paying a fraudulent wire transfer or been through this experience personally. Stay safe and travel carefully on our cyber highway.


John Pohlman is the Director of Information Security Services at Tanner LLC.