Corporate Phishing Emails by your Own CEO or CFO
Phishing emails constitute a serious threat to the financial stability of a firm. Traditionally, a phishing email comes from an unknown sender who asks the recipient to follow a web link, which then asks the user to enter certain account data (username, password, …). That data enables the sender of the email to break into the recipient's information system and gain access to confidential information or perform transactions.
NEW: CORPORATE EMAIL PHISHING
In recent times, criminals have raised their game and introduced a more devious form of phishing email to extort considerable sums of money from unsuspecting finance officers. The sender poses as a senior executive of the firm, such as the CEO or CFO, using a similar-looking email domain name, and asks the recipient to urgently transfer a (large) sum of money for a fake purpose, such as the acquisition of assets or a company-related expense. In the United Kingdom, estimates suggest that £7.6 million were stolen from companies in this manner or by related means. In France, around 15,000 companies suffered a similar fate, accounting for €465 million worth of losses since 2010, while in the United States around $740 million were extorted.
COUNTER MEASURES AGAINST CORPORATE EMAIL PHISHING
According to Katie Morley, to avoid such disastrous outcomes, finance departments must carry out robust due diligence featuring the following practices:
- VERIFY personally or via phone whether the sender genuinely requests a particular transfer.
- SET UP an authorization channel that requires several checks and sign-offs prior to payment submissions.
- TREAT any unexpected or sudden mail with great caution.
- CREATE robust passwords and avoid using the same ones for various logins.
- CHECK for any change in language or style from the sender.
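The similar-looking sender domains described above can be flagged automatically so that such a message is held for the personal or phone verification recommended in the list. The Python sketch below is an added example, not part of the original article; the corporate domain, the executive names and the sample headers mentioned in it are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumptions for this example (not from the article): the firm's real mail
# domain and the executives whose names are likely to be impersonated.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "john smith"}

# Digits commonly swapped for letters to make one domain look like another.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain):
    """Fold look-alike characters so 'examp1e' and 'exarnple' both read 'example'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify_sender(from_header):
    """Return (verdict, reasons) for the value of one From: header."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain == CORPORATE_DOMAIN:
        # Exact-domain spoofing is a separate problem (SPF/DKIM/DMARC).
        return "own-domain", []
    reasons = []
    if edit_distance(skeleton(domain), skeleton(CORPORATE_DOMAIN)) <= 2:
        reasons.append(f"domain '{domain}' resembles '{CORPORATE_DOMAIN}'")
    name = re.sub(r"[^a-z ]", "", display.lower()).strip()
    if name in EXECUTIVES:
        reasons.append(f"display name '{display}' matches an executive")
    return ("hold-for-verification" if reasons else "external"), reasons
```

A message is held when either signal fires: a near-miss of the corporate domain, or an executive's name arriving from any outside domain.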
Marie Keyworth & Matthew Wall, "The Bogus Boss' Email Scam Costing Firms Millions", BBC, 8 January 2016
Katie Morley, "Latest Scam - Fraudsters Claiming to be your Boss", The Telegraph, 20 October 2015