Hackers Get Better at Defrauding Employers Through Convincing Email Impersonation
February 27, 2020
The Wall Street Journal reported that employers are being defrauded of millions of dollars by computer hackers through accessing key employee email addresses and then making requests for the transfer of company money. In a recent high-profile fraud, the email of an owner of Dominos franchises in China was hacked and the hacker(s) then used the email address to request the executive assistant to request and authorize the transfer on money to an overseas account.
The way the hackers manage this is by using the executive’s internal company email address and sending an email to an internal employee with the apparent authority to make the transfer. Not only does the email come from the executive’s email account, but the hackers are sophisticated enough to make it “sound” like the person the email is from – no longer a poor imitation by a hacker who has poor English and grammar skills.
In the case detailed in the Wall Street Journal (WSJ) the hackers apparently knew from having access to emails that the executive was travelling internationally and may not become aware of what was happening. The executive’s assistant authorized and vouched for the transfer with the company’s bank not knowing any better. The money was sent and now the company’s bank is not taking responsibility for this transfer, because they state the employee’s representative, the assistant, allegedly had authorization to approve the transfer.
Employers will need to step up their game against such fraud attempts.
The WSJ report details how the executive assistant thought the email request had to be from the executive and that the bank where the company had a line of credit was more than happy to send the funds at the assistant’s direction. When the executive got back from his trip and found the money missing, the bank refused to address the situation as bank fraud. Needless to say, legal action has ensued.
This type of fraud is easier to perpetrate these days and the fraudsters are more sophisticated. The hackers are gaining access to company email by way of dropping malware into the company systems and then watching emails until an opportunity presents itself.
ASE has experienced this hack and fraud attempt itself, unfortunately.
Larger companies have IT departments and professionals to monitor their systems. Smaller employers may not have in-house computer professionals or even an outside provider to support their IT security. Dave Townsend, President at AWECOMM, advises companies to:
1. Have a written policy on IT use and security. Educate employees on the policy and phishing schemes.
2. Make sure passwords are in place and strong.
3. Employees are working from everywhere, not just the office. Warn employees to be careful using public Wi-Fi and proper security.
4. Have security software that flags external emails and identifies spam emails.
5. Have a strong policy and practice to authorize financial transactions.
6. Put email security in place – advanced threat protection & multi-factor authentication.
7. Offer security awareness training.
8. Conduct phishing tests – this tests personnel susceptibility toward responding to a phishing attempt.
Additional ASE Resources
New Class Coming Soon – ASE in conjunction with its IT services provider AWECOMM, is in the process of developing an IT security class for the non-IT professional that will teach basic computer security to non-IT professionals. Watch for this class later this year.