Make sure you pay the CEO

Traditional payment fraud has been rife for some time: the cybercriminal impersonates the CEO, or another senior member of staff, to convince the finance department either to make an urgent payment to a new supplier or to update an existing supplier's bank details.

The change of bank details fraud uses fake banking confirmation letters and the trust of finance people to update an existing supplier's details. The growing number of successful attacks has proven very costly to businesses of all sizes.

Owing to this, many businesses have now implemented stronger processes to verify changes to supplier bank details, which means the criminals have had to change their approach and tactics.

Introducing the new version

Over the past month, there has been an increase in an evolved form of change of bank details or payment fraud. This variant involves an internal change of bank details, most often for the CEO.

The cybercriminal impersonates the CEO by writing from an external email address, claiming that it is their private email address, and requests that their bank details for payroll be updated. All of these emails use similar wording, and the request usually arrives a week before payroll to stress the urgency.

Some of these fraud attempts even arrive on official company paperwork, suggesting a likely insider threat from a malicious or disgruntled employee.

Because staff want to make sure their CEO gets paid, many of these changes have gone through: the finance or HR team updates the details, the cybercriminal is paid, and the money is rapidly moved out before anybody notices.

This sort of attack can succeed owing to the modern workplace and hybrid working models, and because very few people know about this risk or have implemented a program to identify it.

With organisations bolstering their external banking detail change processes, along with extra vigilance, the cybercriminals have moved to weaker processes or are taking advantage of insider knowledge.

No processes in place

Many businesses that we deal with do not have a formal process for employees to change their bank details, with some only requiring an email to be sent. This means there is no verification on these change requests, resulting in severe losses.

To stop this from happening, here are some simple pointers to incorporate into your processes:

  1. Review and strengthen internal change of bank details processes. This should include secondary validation of the request in the same way external parties are treated.
  2. Ensure your cyber resilience program includes awareness training for those involved in finance or HR matters as there is as much risk of financial losses and embarrassment from internal risks as there is from external sources.
  3. When receiving such a request, make sure you are speaking to the correct person on the other side of the email. Verify changes only from contact details that are already on the system; do not rely on something purely in the email.
  4. Implement impersonation protection at the gateway. Your external secure email gateway should do this for you. Specific additional checks for those VIPs who have greater access must also be in place.
  5. Look at bolstering your resilience capability to identify insider risk and detect changes in behaviour or the suspicious sharing or movement of official documentation.
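
To show what the gateway check in pointer 4 looks like in practice, here is an added example (not code from the original post or from any particular gateway product): it flags inbound mail whose display name matches a protected VIP but whose sender address is not one the directory knows, and separately flags external senders asking for payroll bank-detail changes or claiming to write from a private address. The VIP directory, internal domain, keyword list and sample messages are all constructed for illustration.

```python
"""Display-name impersonation triage for payroll bank-detail change requests."""
import re
from email.utils import parseaddr

# Constructed directory: protected display names mapped to the addresses
# actually on file for that person. Anything else using the name is suspect.
VIP_DIRECTORY = {"jane doe": {"jane.doe@example.com"}}
INTERNAL_DOMAINS = {"example.com"}

# Wording typical of a payroll / bank-detail change request.
PAYROLL_KEYWORDS = re.compile(
    r"\b(bank details|account number|sort code|payroll|direct deposit)\b", re.I)
PRIVATE_ADDRESS_CLAIM = re.compile(r"\b(private|personal)\s+(e-?mail|address)\b", re.I)


def normalise_name(name: str) -> str:
    """Lower-case, drop commas and collapse whitespace so 'Doe, Jane' style names compare."""
    return " ".join(name.lower().replace(",", " ").split())


def assess_message(msg: dict) -> dict:
    """Return a verdict for one message with 'from', 'subject' and 'body' fields."""
    display, addr = parseaddr(msg["from"])
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []
    name = normalise_name(display)
    if name in VIP_DIRECTORY and addr not in VIP_DIRECTORY[name]:
        reasons.append(f"display name '{display}' matches a VIP but {addr} is not on file")
    text = msg["subject"] + " " + msg["body"]
    if domain not in INTERNAL_DOMAINS and PAYROLL_KEYWORDS.search(text):
        reasons.append("external sender requesting a payroll/bank-detail change")
    if PRIVATE_ADDRESS_CLAIM.search(msg["body"]):
        reasons.append("sender claims to be writing from a private/personal address")
    # Two or more indicators: hold the mail and verify via contact details already on file.
    action = ("quarantine_and_verify_out_of_band" if len(reasons) >= 2
              else "flag" if reasons else "deliver")
    return {"action": action, "reasons": reasons}


# Constructed sample traffic: one impersonation attempt and two benign messages.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@freemail.example>", "subject": "Urgent - payroll update",
     "body": "Hi, this is my private email address. Please update my bank details "
             "before payroll runs next week. New account number 12345678."},
    {"from": "Jane Doe <jane.doe@example.com>", "subject": "Board pack",
     "body": "Please find the board pack attached."},
    {"from": "Supplier Ltd <accounts@supplier.example>", "subject": "Invoice 42",
     "body": "Please find attached invoice 42 for payment."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", assess_message(m))
```

The verdict on the impersonation sample is a quarantine with three reasons; both benign messages are delivered, including the external supplier whose mail mentions no bank-detail change.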

A comprehensive cyber resilience program provides layered, in-depth protections and can remove these risks before your people even see them. Prevention is most definitely more cost effective than remediation. Cyber resilience provides visibility and visibility provides the capability to respond.