I swear, my Boss asked me to transfer $20K to someone…it wasn’t my Fault!

Lydia, personal secretary to the CEO of a small organisation, ABC Corporation Ltd, received an email from her boss asking her to transfer $20K to an account number mentioned in the email. She realised that the payment request via email, along with the beneficiary details, was a little suspicious. However, since her boss was away on a business trip and the email address was her boss's, she refrained from cross-verifying with anyone in the office and went ahead with it.

Within a couple of days she was under scrutiny from the Cyber Fraud Investigation (CFI) team, who questioned her at length about the transaction she had made.

Lydia was very tense, as her job was on the line. The CFI team uncovered that the email sent to her had been spoofed, i.e., although the sender's email address was the CEO's, it had been sent by someone else.

How did this happen?

  • Lack of security awareness – Lydia was vulnerable to this type of attack due to a lack of security awareness. The transaction amount ($20K) was relatively small compared to ABC Ltd's other normal transactions, which were usually in excess of $100K. However, Lydia should ideally have checked with her boss or a colleague before transferring the amount.
  • Modus operandi of the fraudsters – The fraudsters performed email spoofing, specifically spear phishing: they made the email appear to come from the CEO's address (by tampering with the email headers) and targeted the CEO's secretary as the weakest link. They carried out reconnaissance, collected the required information about the company, its CEO and the secretary, and then timed the attack for the CEO's absence. They were careful to stay below the normal transaction threshold while committing the fraud.

What needs to be done?

This type of fraud is also known as CEO fraud. Some countermeasures:

  • Sufficient controls around identifying email spoofing – ABC Ltd's IT team needs to put controls in place for detecting spoofed emails, such as Sender Policy Framework (SPF) checks, anti-malware software etc.
  • Security awareness training, i.e., an email policy update – ABC Ltd needs to train its employees not to share sensitive financial data via email. If they find anything suspicious, they need to report it immediately to their respective line managers and the CFI team.
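As an added illustration (not code from the original post) of the kind of spoofing check the first countermeasure refers to, the snippet below inspects an inbound message's headers: it compares the visible From: domain with the envelope sender (Return-Path) and any Reply-To, and looks for SPF and DKIM results in the Authentication-Results header stamped by the receiving mail server. The two messages and the abc-corp.example domain are constructed for illustration.

```python
import email
from email.utils import parseaddr

def domain_of(header_value):
    """Lowercase domain part of an RFC 5322 address header value, or ''."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()

def spoof_indicators(raw_message):
    """Return reasons the message looks spoofed; an empty list means no findings."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reasons = []
    # The envelope sender (Return-Path) should line up with the visible From: domain.
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    # The receiving MTA's Authentication-Results should show SPF and DKIM passing.
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=pass" not in auth:
        reasons.append("SPF did not pass")
    if "dkim=pass" not in auth:
        reasons.append("DKIM did not pass")
    # A Reply-To outside the From: domain diverts the reply to the fraudster.
    rt_dom = domain_of(msg["Reply-To"])
    if rt_dom and rt_dom != from_dom:
        reasons.append(f"Reply-To domain {rt_dom} != From domain {from_dom}")
    return reasons

# Constructed sample: From: shows the CEO, but envelope, SPF/DKIM and Reply-To point elsewhere.
SPOOFED = """\
Return-Path: <bounce@mailer-x.example>
Authentication-Results: mx.abc-corp.example; spf=fail smtp.mailfrom=mailer-x.example; dkim=none
From: "CEO" <ceo@abc-corp.example>
Reply-To: ceo.abc.corp@webmail.example
Subject: Urgent wire transfer

Please transfer $20K to the account below today.
"""

# Constructed sample of a message that passes every check.
GENUINE = """\
Return-Path: <ceo@abc-corp.example>
Authentication-Results: mx.abc-corp.example; spf=pass smtp.mailfrom=abc-corp.example; dkim=pass header.d=abc-corp.example
From: "CEO" <ceo@abc-corp.example>
Subject: Board deck

Attached as discussed.
"""
```

A lookalike domain that the fraudster actually controls passes all of these checks, which is why the awareness training and out-of-band verification still matter alongside SPF/DKIM.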
