CFOs & Financial Employees Become Good Scam Targets
Experts reveal scammers are focusing efforts on employees with access to company finances or payroll data.
CFOs and financial employees are the most at risk of being targeted in business email compromise (BEC) schemes, according to the latest global research report from Campbell, Calif.-based Barracuda Networks.
In its study, based on an analysis of 3,000 BEC attacks, Barracuda, a provider of cloud-enabled security and data protection solutions, found that more than 33% of the primary targets of BEC attacks are CFOs and financial employees, and that over 46% of the attacks seek to initiate a wire transfer.
The report warned criminals use BEC attacks to obtain access to a business email account and imitate the owner’s identity to defraud the company and its employees, customers or partners. “In most cases, scammers focus efforts on employees with access to company finances or payroll data and other personally identifiable information.”
The BEC attacks are serious enough that in June federal authorities—including the Department of Justice and the FBI—announced a major coordinated law enforcement effort to disrupt international BEC schemes designed to intercept and hijack wire transfers from businesses and individuals.
Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.
In the latest Barracuda threat spotlight, the results showed that the most common BEC scheme in the sampled attacks tries to deceive the recipient into making a wire transfer to a bank account owned by the attacker, while about 0.8% of the attacks ask the recipient to send the attacker personally identifiable information, typically in the form of W-2 forms containing Social Security numbers.
About 40% of attacks ask the recipient to click a link. Twelve percent of attacks try to establish rapport with the target by starting a conversation (e.g., the attacker asks the recipient whether they are available for an urgent task). In most of these "rapport" cases, once the recipient replies to the initial email, the attacker follows up with a request for a wire transfer.
“An important observation is that about 60% of BEC attacks do not involve a link: the attack is simply a plain text email intended to fool the recipient to commit a wire transfer or send sensitive information,” the research reported. These plain text emails are especially difficult for existing email security systems, because they are often sent from legitimate email accounts, tailored to each recipient, and do not contain any suspicious links.
Barracuda also sampled attacks from 50 random companies and classified the roles of the recipient of the attack, as well as the impersonated sender. About 43% of the impersonated senders were disguised as the CEO or founder. The attacks’ targets are spread much more equally across different roles.
“However, even for impersonated senders, the majority (about 57%) are not the CEO,” the research revealed. Almost half of the impersonated roles and more than half of the targets are not in sensitive positions such as executives, finance or human resources. “Therefore, simply protecting employees in sensitive departments is not sufficient to protect against BEC.”
Barracuda suggested the best defense against BEC is to train users so they are aware of the threats and techniques used by criminals. At a minimum, computer users should be aware of the following:
- Wire transfers should never go out without an in-person conversation or phone call. Do not rely on a phone number that appears only in the potentially fraudulent email; use contact details already on file.
- Because the CEO is the most impersonated role, users should take extra care with emails that claim to come from the CEO. If the email makes a request, or if it is unusual to receive email from the CEO at all, the user should confirm its legitimacy through a separate channel before acting.
- Implement a training program that teaches users how to spot a BEC attack, and use that program to continually train and test them on updated techniques.
- Deploy an email protection system to automatically stop spear phishing and cyberfraud attacks.
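The patterns the report describes (an executive's display name on an address that is not the executive's, a Reply-To that diverts the conversation elsewhere, and a plain-text body asking for a wire transfer, W-2s or "a quick task" with no link for URL filters to catch) can be turned into simple triage rules. The following is an added illustration written for this page, not code from Barracuda or from the report; the organisation domain, executive directory, keyword lists, scoring weights and the three sample messages are all constructed assumptions.

```python
"""Heuristic BEC triage over raw RFC 822 messages (added example, not from the report).

Assumptions: ORG_DOMAIN, EXECUTIVES, the keyword lists, the weights and the
sample messages below are constructed for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed internal mail domain
# Assumed directory of frequently impersonated roles: normalised display name -> real address.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",    # CEO
    "sam patel": "sam.patel@example.com",  # CFO
}

WIRE_TERMS = re.compile(r"\b(wire transfer|wire|bank account|payment details|invoice|swift|iban)\b", re.I)
PII_TERMS = re.compile(r"\b(w-?2s?|social security|ssn|payroll)\b", re.I)
RAPPORT_TERMS = re.compile(
    r"\b(are you available|are you in the office|quick task|urgent task|urgently|urgent|asap)\b", re.I)
URL = re.compile(r"https?://\S+|www\.\S+", re.I)


def normalise(name):
    """Lower-case and collapse whitespace so 'Doe, Jane' style variants still match."""
    return " ".join(name.lower().replace(",", " ").split())


def triage(raw):
    """Score one message string; returns (score, [reasons]). Higher is more suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_addr = reply_addr.lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body

    score, reasons = 0, []

    # Display-name impersonation: a known executive's name on some other address.
    real = EXECUTIVES.get(normalise(name))
    if real and addr != real:
        score += 3
        reasons.append(f"display name '{name}' but sender is {addr}, not {real}")

    # Replies silently diverted to a different mailbox.
    if reply_addr and reply_addr != addr:
        score += 2
        reasons.append(f"Reply-To {reply_addr} differs from From {addr}")

    # Content rules: these still fire when the sender is a genuinely compromised account.
    content_hits = 0
    if WIRE_TERMS.search(text):
        score += 2; content_hits += 1; reasons.append("asks for a wire/payment")
    if PII_TERMS.search(text):
        score += 2; content_hits += 1; reasons.append("asks for W-2/payroll/SSN data")
    if RAPPORT_TERMS.search(text):
        score += 1; content_hits += 1; reasons.append("urgency / rapport-building language")

    # Plain-text request with no link: nothing for URL reputation filters to catch.
    if content_hits and not URL.search(body):
        score += 1
        reasons.append("plain-text request, no link")

    return score, reasons


def is_suspicious(raw, threshold=4):
    """Assumed threshold; tune against your own mail corpus."""
    return triage(raw)[0] >= threshold


# Constructed sample messages (not real traffic).
SAMPLE_CEO_IMPERSONATION = """\
From: Jane Doe <ceo.jane.doe@webmail.example.net>
To: ap@example.com
Subject: Quick task

Are you available for an urgent task? I need a wire transfer processed today.
Reply here, I'm in meetings all day.
"""

SAMPLE_COMPROMISED_ACCOUNT = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@webmail.example.net>
To: hr@example.com
Subject: Staff records

Please send me the W-2s for all staff asap, I need them for an audit.
"""

SAMPLE_BENIGN = """\
From: Alice Smith <alice.smith@example.com>
To: bob@example.com
Subject: Lunch

Menu for Friday: https://example.com/menu - see you at noon.
"""

if __name__ == "__main__":
    for label, raw in [("impersonation", SAMPLE_CEO_IMPERSONATION),
                       ("compromised", SAMPLE_COMPROMISED_ACCOUNT),
                       ("benign", SAMPLE_BENIGN)]:
        print(label, triage(raw))
```

The display-name rule never fires for the second sample because the From address really is the executive's; that is the compromised-account case the report singles out as hard for email filters, and it is caught here only by the diverted Reply-To and the content rules. Neither is a substitute for the out-of-band confirmation step above: a rule set like this should route a message for review, not decide whether a transfer goes out.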