Since 2013, more than $12 billion has been unwittingly sent by 78,617 firms through the successful exploitation of CFOs and finance leaders in the U.S., UK and Europe. These usually circumspect finance professionals have fallen prey to targeted social engineering and business email compromises, euphemistically referred to as phishing when the target is small fry, or whaling when the target is a corporate boss or well-heeled individual. In all, more than 50,000 CFOs have appeared on detailed databases typically used for targeted marketing purposes, which have been obtained by cyber criminals and fraud rings largely based in Nigeria, with links in Eastern Europe and Russia among other locations.
Familiarity breeds contempt, and there is nothing more contemptuous than exploiting an unsuspecting finance or accounting executive into parting ways with a company’s hard-earned cash. A phishing or whaling email typically reads like a personal message from the CEO or boss, establishing a familiar voice and a sense of urgency for a wire transfer to be made to a designated account by a designated day. Companies that do not have dual-signatory processes in place are particularly easy prey for this scourge, as evidenced by the large haul scammers have absconded with. Companies without proper internal controls or cybersecurity standards are similarly easy targets for these attacks. Often two signatories are required only on higher wire transfer or payment amounts, a fact well known to exploiters, who may demand amounts that stay under the financial radar, hidden by a veil of familiarity and urgency.
While the scale and financial sums reveal how far and wide this dragnet has been cast, the true nature and costs of phishing and whaling excursions may be many multiples greater. The reason, simply, is that most of these events, especially the successful ones (unsuccessful, from the victim’s perspective), go underreported, if they are reported at all. In private conversations with hundreds of CFOs across the U.S., when asked to raise their hands if they have ever fallen prey to one of these exploits, 60 to 70% of the hands go up. These admissions are often accompanied by now comical stories of how they “fell for it,” and of how persistent the threats really are, easily springing over company firewalls and IT perimeter defenses. Pairing this cyber risk and financial fraud with that other ever-present scourge, ransomware, which can cripple entire cities, raises the stakes for risk management, business continuity planning and internal controls, which are the three most effective lines of defense. Ironically, while thousands of companies have grown accustomed to writing off billions each year in avoidable losses, the cures for these threats are often low-cost and high-impact.
For one, companies ought to carry proper insurance against these risks, which would include a fidelity or crime policy, as well as a stand-alone cyber insurance program that incorporates social engineering or ransomware as a covered peril. Even the process of getting these risks underwritten and completing insurance applications creates knowledge transfer on what constitutes a good risk and, therefore, on what a company can do to close known loopholes in its operations. Additionally, implementing and adhering to strong internal controls, segregation of duties and dual-signatory requirements on outbound wire transfers is a good measure not only for cyber hygiene and fraud prevention, but for know your customer (KYC) requirements. Add in the growing specter of personal cyber extortion or “sextortion,” wherein an individual is threatened with exposure of their private or undesirable online behavior if a payment is not made, and whales may succumb to outside pressure. The combination of these threats, which do not exist in isolation from each other, can prove particularly effective against whales, the high-flying corporate CEOs and high-net-worth individuals whose every move, voice, tone and tenor are often telegraphed for the world to see and for cyber criminals to mimic and exploit.
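As an added illustration that is not part of the article, the following payment-release check encodes the controls discussed above from the defender's side: two approvers on every outbound wire regardless of amount, a hold on amounts that land just under a single-signature threshold, and a hold on requests that pair an executive's display name with an address outside the company domain or urgent wire language. The domain, threshold, names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed assumptions for this example: the company's mail domain, the
# single-signature limit attackers try to stay under, and the band below it
# that should draw a second look.
COMPANY_DOMAIN = "example.com"
SINGLE_SIGN_THRESHOLD = 10_000.00
NEAR_THRESHOLD_BAND = 0.15  # flag amounts within 15% under the limit
URGENCY_TERMS = ("urgent", "today", "asap", "immediately", "confidential")


@dataclass
class WireRequest:
    amount: float
    sender_name: str      # display name the mail client shows
    sender_address: str   # actual From address
    body: str
    requester: str
    approvers: set = field(default_factory=set)


def review_wire_request(req, executives):
    """Return the reasons a request must be held for out-of-band verification
    (a phone call to the purported sender); an empty list means release."""
    reasons = []
    # Dual signatory on every wire, not only above the threshold, so that
    # asking for a smaller amount buys the attacker nothing.
    if len(req.approvers - {req.requester}) < 2:
        reasons.append("fewer than two approvers distinct from the requester")
    # Amounts clustered just below the single-signature limit.
    if SINGLE_SIGN_THRESHOLD * (1 - NEAR_THRESHOLD_BAND) <= req.amount < SINGLE_SIGN_THRESHOLD:
        reasons.append("amount just under the single-signature threshold")
    # An executive's name on an external address: the CEO-impersonation pattern.
    domain = req.sender_address.rsplit("@", 1)[-1].lower()
    if req.sender_name.lower() in {e.lower() for e in executives} and domain != COMPANY_DOMAIN:
        reasons.append("executive display name on an external address")
    # Urgency language combined with a wire instruction.
    text = req.body.lower()
    if "wire" in text and any(term in text for term in URGENCY_TERMS):
        reasons.append("urgent wire language; confirm by phone")
    return reasons


EXECUTIVES = ["Jane Doe"]  # constructed
# Constructed sample: impersonated CEO, external domain, amount under the limit.
SUSPICIOUS = WireRequest(9_500.00, "Jane Doe", "jane.doe@example-mail.co",
                         "Need this wire out today, keep it confidential.", "cfo", {"cfo"})
# Constructed sample: routine vendor payment with two independent approvers.
ROUTINE = WireRequest(25_000.00, "AP Desk", "ap@example.com",
                      "Wire for invoice 1234 per the payment schedule.", "ap_clerk", {"cfo", "controller"})
```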
Ultimately, the best defense against the rise of social engineering attacks lies between the keyboard and the chair in targeted companies. Rather than immediately reacting to an urgent wire transfer request at 3:00 AM written in familiar language, CFOs should pick up the phone and call their boss or a colleague for a second opinion. Most often this will quickly untangle the dragnet and result in sighs of relief and an awkward chuckle. Firms that work to destigmatize cyber threats and threat reporting make material improvements in their readiness that money and technology solutions cannot buy. Low-cost, high-impact examples include internal phishing and whaling excursions that simulate “what if” scenarios and isolate and train the groups that took the proverbial bait. Firm- or division-wide participation in these fire drills, particularly at the highly desirable senior executive or whale levels, can help normalize the process, creating a veritable human first-alert system.
All risks find the path of least resistance, so as more desirable targets harden, the prospect of whaling and phishing excursions moving down-market becomes highly likely. Small to mid-sized firms have far more to lose in these attacks, and they do not enjoy the fortress balance sheets of large companies that can write down the financial foibles of errant CFOs. They are also the most susceptible to a weak IT security bench, which means that when an attack occurs, or an exploit is discovered, they will likely panic, make mistakes and succumb to the threat or ransom demand. These firms, sadly, are also the least likely to be insured and the most likely to go into severe financial duress following a persistent attack. Resolving the twin scourge of ransomware and business email compromise at a national scale, where the U.S. is on the receiving end of more than 50% of these attacks, calls for more strategic approaches to cyber risk sharing, as well as an offensive strategy that raises the costs for the attackers. Until then, these threats will continue unabated and largely uninsured, driving home the point that prevention is always better than cure.