There is a fraudulent scheme so insidious and pervasive, it could – collectively – bilk billions of dollars from companies. Executive impersonation fraud is serious enough that the FBI is launching a public awareness campaign in an effort to fight it.
It works like this: criminals (working online, often overseas) impersonate company executives through electronic communication channels, make contact with the company’s employees (often accounting personnel), and authorize large financial transfers or payments. They can spoof an executive’s email address, or hack into their account, thus making it appear that the payment request is legitimate.
According to a Reuters article (posted on CNBC), there has been a sharp increase in attempts to perpetrate this fraud. The article notes:
U.S. and foreign victims reported 22,143 cases involving business email compromise cases in which cyber criminals sent requests for some $3.1 billion in fraudulent transfers from October 2013 through last month, according to the FBI. That represents a significant increase from the agency's previous tally, which put attempted losses at $2.3 billion through February of this year.
If those numbers aren’t sobering enough, there’s more:
The FBI said it has seen a 1,300 percent increase in identified exposed losses since January 2015.
The size of the losses varies widely from case to case, from about $10,000 to tens of millions of dollars, according to Thompson.
Austrian aircraft parts FACC said in January that it lost about 50 million euros ($55 million) through such a scam.
So what can companies, their executives and accounting personnel do to be on guard against this threat? First, just be aware of it. Knowing that this scheme is becoming more and more common means that ANY large transfer request sent by email should be verified as legitimate through a channel other than the email itself.
At least one financial institution, M&T Bank, even has a handy primer on how to address the issue: “3 Ways to Help Prevent Executive Impersonation” (PDF). In a nutshell, here are their three tips for companies to be protected:
1. DUAL AUTHORIZATION/VERIFICATION: “… companies should always require dual authorization and separation of duties to mitigate outside risk from penetrating the organization. In addition, any emails requesting the creation or change of wire payment instructions should be verified by phone.”
2. EDUCATION: “… educating employees against these socially-engineered schemes is one of the best ways to defend against this new form of fraud … Keeping all of your employees educated on the most current fraud trends is key to possibly preventing fraud before it occurs or recognizing it quickly to reduce an organization’s potential for loss.”
3. CHOOSE THE RIGHT FINANCIAL PARTNER: Work with a bank that will …
• Keep you informed on relevant fraud industry data
• Provide help on identifying fraudulent activities early to reduce organization losses
• Advise you on fraud prevention best practices, such as using a stand-alone PC for banking or having internet service administrators perform user reviews on a quarterly basis to help improve internal controls and security. These reviews should include looking at your organization’s user roster, removing anyone that no longer requires access and updating active users’ contact information, especially e-mail addresses.
• Offer necessary fraud protection products and procedures, such as the dual authorization and the separation of duties, to reduce your risk of becoming a fraud victim.
• Help you to reconcile account activity daily
• Encourage out-of-channel verification of any payment
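The spoofing described above (an executive’s display name on an address that is not theirs, or a look-alike domain) and the dual-authorization-plus-phone-verification rule in tip 1 can both be turned into a simple gate in front of the payment process. The following is an added example written for this post; it is not code from the post, the FBI or M&T Bank. The company domain `example.com`, the executive roster, and the sample messages are all constructed for the illustration.

```python
"""Defender-side checks for executive impersonation (added example).

Assumptions, not from the post: the corporate domain is example.com and the
executive roster below is a constructed sample.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

COMPANY_DOMAIN = "example.com"                      # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed roster
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|bank details)\b", re.I)


@dataclass
class Email:
    display_name: str
    from_addr: str
    reply_to: str   # empty string when the header is absent
    body: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough for domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True for domains that are one or two edits away from the real one,
    or that match it after common homoglyph swaps (rn->m, 1->l, 0->o)."""
    if domain == legit:
        return False
    normalised = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    return normalised == legit or edit_distance(domain, legit) <= 2


def impersonation_signals(mail: Email) -> List[str]:
    """Return the reasons a message looks like an executive impersonation."""
    signals = []
    sender_domain = domain_of(mail.from_addr)
    known_addr = EXECUTIVES.get(mail.display_name.strip().lower())
    if known_addr and mail.from_addr.lower() != known_addr:
        signals.append("executive display name on an address that is not theirs")
    if is_lookalike(sender_domain):
        signals.append(f"look-alike domain {sender_domain}")
    if mail.reply_to and domain_of(mail.reply_to) != sender_domain:
        signals.append("reply-to domain differs from sender domain")
    if PAYMENT_WORDS.search(mail.body):
        signals.append("message requests a payment or banking change")
    return signals


def release_allowed(mail: Email, approvers: List[str],
                    phone_verified: bool) -> Tuple[bool, str]:
    """Gate for an emailed payment request: two distinct approvers and an
    out-of-band phone verification are always required; any further
    impersonation signal blocks the release until fraud review clears it."""
    if len(set(approvers)) < 2:
        return False, "needs two distinct approvers (dual authorization)"
    if not phone_verified:
        return False, "needs phone verification with the known requester"
    extra = [s for s in impersonation_signals(mail)
             if not s.startswith("message requests")]
    if extra:
        return False, "blocked for fraud review: " + "; ".join(extra)
    return True, "release permitted"


if __name__ == "__main__":
    # Constructed sample: look-alike domain with a digit 1 in place of l.
    spoofed = Email("Jane Doe", "jane.doe@examp1e.com", "jane.doe@examp1e.com",
                    "Please wire $48,000 today; I'm in meetings all day.")
    for signal in impersonation_signals(spoofed):
        print("signal:", signal)
    print(release_allowed(spoofed, ["alice", "bob"], True))
```

The display-name check is the one that catches the common case of a free-mail address carrying a real executive's name; the look-alike check covers registered copycat domains. Neither replaces the phone call, which is why `release_allowed` demands it even when no signal fires.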
It’s good that steps are being taken to curb executive impersonation fraud. Given the amount of money at stake, it is crucial that companies take these tips – and the serious nature of the scheme – to heart.