The BBC reported on an interesting take on Social Engineering last week, highlighting the fraud that had been inflicted on French company Etna Industrie. The company had become the latest victim of what is dubbed “fraude au president” or “CEO fraud”. The company, established for nearly 75 years, lost around €100,000, although it could have been a lot worse.
The fraudsters used publicly available corporate data gleaned from the internet to create very authentic-looking emails, sent to the firm’s accountant, instructing them to pay money to a series of international banks in relation to the hush-hush acquisition of a new company. Whether the fraudsters also used social media to find out that the company’s CEO was out of the office is not known, but they “pre-warned” the accountant by phone, claiming to be the lawyer involved in the deal, that an email with instructions would arrive and should be followed in secret.
The company is by no means the only victim. French businesses have lost an estimated €465 million through similar frauds, and companies such as KPMG and Michelin are among the victims. In the US the number is more like $700m, although the real number could be much higher, as some firms will not have reported the theft to the authorities.
Because of the research carried out prior to the fraud, and the way it is specifically targeted at the right person in accounts, the chances of success are increased. Most anti-malware programmes look for certain characteristics in phishing emails, but these messages are well written, carry no tell-tale attachment and come from a legitimate-looking address. In addition, junior staff are less likely to push back on an instruction that appears to have originated from senior management, especially if a sense of secrecy or urgency is emphasised by the email and a phone call.
Whilst it is easy to say, educating all members of staff in how to deal with such requests is the most effective prevention. Creating standard operating processes for ad-hoc requests to transfer money out of the company, as well as clear authorisation levels, can ensure that any attempt to defraud a company is stopped before any damage is inflicted.
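As an added example (not from the BBC report or from the company concerned), the Python below flags the indicators the previous two paragraphs describe in an incoming message and applies the kind of standing payment rule the last paragraph calls for. The company domain, the executive roster, the approval threshold and the sample message are all assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the example: the firm's real domain and an executive roster.
COMPANY_DOMAIN = "example-industrie.test"
EXECUTIVES = {"Jane Roe": "jane.roe@example-industrie.test"}

# Language cues the article describes: secrecy, urgency and a payment instruction.
CUES = {
    "secrecy": re.compile(r"\b(confidential|secret|discreet|do not (discuss|mention))\b", re.I),
    "urgency": re.compile(r"\b(urgent|immediately|today|as soon as possible)\b", re.I),
    "payment": re.compile(r"\b(wire|transfer|iban|swift|bank account)\b", re.I),
}

def bec_indicators(raw_message: str) -> list[str]:
    """Return the CEO-fraud indicators found in one plain-text email."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    hits = []
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        hits.append("display-name impersonates executive")  # exec name, wrong mailbox
    if sender_domain != COMPANY_DOMAIN:
        hits.append("sender outside company domain")  # lookalike or external domain
    if reply_to and reply_to.lower() != addr.lower():
        hits.append("reply-to differs from sender")  # replies diverted elsewhere
    hits.extend(f"{label} language" for label, rx in CUES.items() if rx.search(body))
    return hits

def payment_decision(hits: list[str], amount_eur: float, dual_approval_eur: float = 10_000) -> dict:
    """Standing process (assumed thresholds): an email never releases funds by itself,
    and the callback goes to a directory number, never to one given in the email."""
    return {
        "release_on_email_alone": False,
        "callback_required": True,
        "second_approver_required": amount_eur >= dual_approval_eur or bool(hits),
        "escalate_to_security": len(hits) >= 2,
    }

# Constructed sample message modelled on the article; not a real email.
SAMPLE = """From: Jane Roe <jane.roe@example-industrie-fr.test>
Reply-To: jane.roe@example-industrie-fr.test
To: accounts@example-industrie.test
Subject: Acquisition - payment instruction

Please transfer EUR 100,000 by wire today to the account our lawyer will send.
This is strictly confidential; do not discuss it with anyone in the office.
"""
```

Run `bec_indicators(SAMPLE)` to see the five indicators raised by the sample, then feed them to `payment_decision` with the requested amount.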