
Make sure you pay the CEO

By cyber security expert and J2 CEO John Mc Loughlin

Johannesburg, 19 May 2022

Traditional payment fraud has been rife for some time: the cyber criminal impersonates the CEO, or another senior member of staff, to convince the finance department to make an urgent payment to a new supplier or to update an existing supplier's bank details.

The change-of-bank-details fraud uses fake bank confirmation letters and the trust of finance staff to update an existing supplier's details. The growing number of successful attacks has proven very costly to businesses of all sizes.

Owing to this, many businesses have now implemented stronger verification processes to verify supplier bank details changes, which means the criminals have had to change their approach and tactics.

Introducing the new version

Over the past month there has been an increase in an evolved form of change-of-bank-details or payment fraud. It involves an internal change of bank details, mostly for the CEO.

The cyber criminal impersonates the CEO from an external e-mail address, claiming it is the CEO's private address, and requests that the bank details used for payroll be updated. These e-mails use similar wording and usually arrive a week before payroll to stress the urgency.

Some of these fraud attempts are even made on official company paperwork, suggesting an insider threat from a malicious or disgruntled employee.

Many of these changes have been successful: wanting to make sure they pay their CEO, the finance or HR team updates the details, the cyber criminal is paid and the money is moved out rapidly before anybody notices.

This sort of attack succeeds because of the modern workplace and hybrid working models, and because very few people know about this risk or have implemented a programme to identify it.

With organisations bolstering their external bank detail change processes and exercising extra vigilance, the cyber criminals have moved to weaker processes or are taking advantage of insider knowledge.

No processes in place

Many businesses we deal with do not have a formal process for employees to change their bank details; some require only an e-mail. There is no verification of these change requests, which results in severe losses.

In order to stop this from happening, here are some simple pointers to be incorporated into your processes:

  1. Review and strengthen internal change of bank details processes. This should include secondary validation of the request in the same way external parties are treated.
  2. Ensure your cyber resilience programme includes awareness training for those involved in finance or HR matters as there is as much risk of financial losses and embarrassment from internal risks as there is from external sources.
  3. When receiving such a request, make sure you are speaking to the correct person on the other side of the e-mail. Verify the change only via contact details already on the system; never rely on a phone number or address supplied in the e-mail itself.
  4. Implement impersonation protection at the gateway. Your secure e-mail gateway should do this for you; add specific additional checks for those VIPs who have greater access.
  5. Look at bolstering your resilience capability to identify insider risk and detect changes in behaviour or the suspicious sharing or movement of official documentation.
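The gateway and out-of-band checks in points 3 and 4 can be illustrated in code. The following is an added example written for this article, not J2 Software's product or any code from the original page. It assumes a company domain (example.co.za), a small VIP directory whose callback numbers come from the HR system, a simple keyword list for bank-detail change requests, and three constructed e-mail messages: a CEO "private address" payroll request, a genuine internal mail from the same CEO, and a supplier mail from a lookalike domain. The similarity threshold and pattern list are illustrative choices.

```python
"""Gateway-side checks for executive impersonation and bank-detail change
requests. Added example; not J2 Software's product and not code from the
article. The domain, VIP directory, thresholds and messages are constructed."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.za"   # assumed internal domain

# Assumed VIP directory. The callback number is taken from the HR/ERP
# system of record, never from the message being checked (point 3 above).
VIP_DIRECTORY = {
    "jane doe": {"title": "CEO", "callback": "+27 21 000 0000"},
    "sipho nkosi": {"title": "CFO", "callback": "+27 21 000 0001"},
}

# Illustrative phrases that mark a bank-detail change request.
BANK_CHANGE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\bbank(?:ing)?\s+details?\b",
        r"\baccount\s+(?:number|details?)\b",
        r"\bupdate\s+my\s+(?:bank|account|salary)\b",
        r"\bpayroll\b",
    )
]
PHONE_RE = re.compile(r"(?:\+27|0)\d{2}[ -]?\d{3}[ -]?\d{4}")  # SA numbers
LOOKALIKE_THRESHOLD = 0.8   # assumed cut-off for lookalike sender domains


def normalise_name(name: str) -> str:
    """Lower-case and strip punctuation so 'Jane  Doe.' matches 'jane doe'."""
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw_message: str) -> dict:
    """Classify one raw RFC 822 message and say what the gateway should do."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    reply_domain = sender_domain(parseaddr(msg.get("Reply-To", ""))[1])
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"

    vip = VIP_DIRECTORY.get(normalise_name(display))
    external = domain != COMPANY_DOMAIN
    lookalike = external and SequenceMatcher(
        None, domain, COMPANY_DOMAIN).ratio() >= LOOKALIKE_THRESHOLD
    bank_change = any(p.search(text) for p in BANK_CHANGE_PATTERNS)

    flags = []
    if vip and external:
        flags.append("vip-display-name-from-external-domain")
    if lookalike:
        flags.append("lookalike-sender-domain")
    if reply_domain and reply_domain != domain:
        flags.append("reply-to-differs-from-sender")
    if bank_change:
        flags.append("bank-detail-change-request")

    impersonation = [f for f in flags if f != "bank-detail-change-request"]
    if bank_change and impersonation:
        action = "hold_for_callback"       # staff ring the number on file
    elif bank_change:
        action = "verify_via_hr_process"   # internal requests still get a 2nd check
    elif impersonation:
        action = "quarantine"
    else:
        action = "deliver"

    return {
        "sender": addr,
        "vip_title": vip["title"] if vip else None,
        "flags": flags,
        "action": action,
        # Only the directory number may be used; numbers in the mail are
        # reported purely so staff can see they differ.
        "callback": vip["callback"] if vip else None,
        "phone_numbers_in_mail": PHONE_RE.findall(text),
    }


# Constructed sample messages.
MSG_CEO_PRIVATE = """\
From: Jane Doe <jane.doe.personal@gmail.com>
To: payroll@example.co.za
Subject: Urgent - payroll change

Hi, I am writing from my private email as I'm travelling. Please update my
bank details for this month's payroll to the new account. If you need to
confirm, call me on 082 000 0000. Thanks, Jane
"""
MSG_CEO_INTERNAL = """\
From: Jane Doe <jane.doe@example.co.za>
To: finance@example.co.za
Subject: Board pack

Please add the Q2 board pack to Friday's agenda.
"""
MSG_LOOKALIKE = """\
From: Accounts Payable <accounts@examp1e.co.za>
To: finance@example.co.za
Subject: Updated banking details

Our banking details have changed with immediate effect, see the attached
confirmation letter.
"""

if __name__ == "__main__":
    for raw in (MSG_CEO_PRIVATE, MSG_CEO_INTERNAL, MSG_LOOKALIKE):
        print(assess(raw))
```

The CEO "private address" mail is held and the payroll team is pointed at the number already on file, not the one in the message; the genuine internal mail is delivered; the lookalike-domain supplier mail is held even though no VIP name is involved. Keyword matching and SequenceMatcher are deliberately simple stand-ins for the classifier and domain-similarity logic a real secure e-mail gateway uses.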

A comprehensive cyber resilience programme provides layered, in-depth protections and can remove these risks before your people even see them. Prevention is most definitely more cost-effective than remediation. Cyber resilience provides visibility and visibility provides the capability to respond.


Editorial contacts

Ivor van Rensburg
IT Public Relations
(082) 652 8050
ivor@itpr.co.za
John Mc Loughlin
J2 Software
(021) 461 1223
john@j2.co.za