"Stu, I think you’ll be interested in my story. If you want to share it, just anonymize it sufficiently. I’ve been very concerned about Business Email Compromise (BEC), particularly because government entities have continually sounded the warning. It’s obviously a very fast way to lose a lot of money, so I determined to prove our own controls. I visited our Finance department head. Did she know about BEC (also known as CEO fraud)? Yes, she said. Was she sure that we couldn’t be fooled into falling for this scheme? She was very emphatic that this couldn’t happen here with the controls we had in place. Well, says I, how about a test? She agreed, and the game was on.
I explained the exercise to our CEO, who agreed to let me spoof his email address. Fortunately for me, he had just recently requested a wire on behalf of one of our CUSOs. Perfect. I originated a phishing message in the KnowBe4 system using the recent wire request as additional bait (hey, sorry folks – I forgot about this one; please expedite ASAP. Sorry, my bad).
I kept our Finance head in the loop, so there could be no way any funds actually left the credit union. She kept insisting that nothing was going to happen. The big day arrived, and I kicked off the campaign to send the request to the Finance group responsible for processing wires.
We didn’t have long to wait. Two minutes after transmission, Person 1 took the email and passed it along to Person 2, who went straight to the Finance head’s office. This is exactly what is supposed to happen. However, our Finance leader took a little jolt. She was expecting to be informed that the group found the message suspicious. Instead, she was asked to confirm the wire so it could move along. A little chill went down her spine. She let the cat out of the bag at that point, and called her group together for a chat.
In the end, it was determined that the wire would never have been sent. However, she was very worried that there wasn’t more immediate awareness of the scheme before it reached her. The main reason their guard was let down just a little was “it came from our CEO”. She used the opportunity to drive home the necessity to follow procedure no matter who it was – our CEO, the POTUS, or Stu Sjouwerman.
Lessons Learned:
- Test, test, test – no matter how comfortable you think you are, nothing beats a good test for assurance.
- If you have upper management’s support, your job is SO much easier. If you don’t have it, I can only recommend one option – update your resume; you’ll never win.
- A good service provider like KnowBe4 can help you accomplish your information security program’s objectives."
Excellent lessons, I must say. It's worth running this kind of CEO fraud test in your own organization to see what the results are.
Update: Right after I sent this to our customers, one of them answered back with this:
"I can do you one better… the following is true and first hand. I still have the emails.
Fortunately, we’ve been training on this, utilizing your “Scam of the Week” along with BEC emails in the phishing tests. A couple of months ago one of my Executive Directors forwarded a BEC email to me. Because of the training, he recognized it as a scam. The odd thing was that it had nothing to do with us. It wasn’t addressed to him or anyone here, and the players were all at another local company, let’s call it ACME, which we do not do business with in any way. Looking through my spam filters, the best I could figure was that the scammers’ email server had, for some unknown reason, BCC’ed my executive director somewhere in the exchange of emails between these other parties.
Nevertheless, we had a real BEC email in our possession. Reading past the standard phishing part of the email, I found the message thread ended in an exchange between two people having a real conversation. The CEO of ACME was instructing the bookkeeper, “Mary”, to transfer $60,000 to an offshore bank. I looked on the company website and, sure enough, the CEO’s email and Mary the bookkeeper’s email were both listed on the “Our Team” page. The last of the email thread went something like this:
CEO: I need $60,000 wired to Mrs. Smith’s bank account to complete this deal. It’s urgent and confidential.
Mary: OK, just get me the bank routing and account number
CEO: Here’s the info (followed by a bank routing number and account number)
Mary: Got it. I’m at the YMCA but I will handle as soon as I get home.
As a professional courtesy, I called ACME’s corporate office and, though it was late in the day, got through to the IT manager. After a few minutes convincing him who I was and that I was trying to help him, I explained the email I had in my possession. He confirmed that Mary was indeed the bookkeeper and I forwarded him the email. A few minutes later I got a reply back that the IT manager had reached Mary on her way from the YMCA to her house. She fully intended to make the wire transfer as soon as she was home. ACME was literally minutes from losing $60,000.
The punch line to this is that the IT manager barely gave me a lukewarm thank you for going out of my way to bring this to their attention. What is even more curious is that the real CEO of ACME never reached out to my Executive Director to thank him for saving them $60,000. The best we can figure is that ACME’s CEO has no manners, or, more likely, that the IT manager either took credit for himself or agreed with Mary to downplay the event or not even tell the CEO. Either way, the CEO is left in the dark that his internal systems are vulnerable and his people so easily fooled.
By the way, as a CPA firm, we do these sorts of transfers all the time and after becoming aware of this new threat, largely thanks to KnowBe4, we implemented a set of controls requiring verbal confirmation by an executive director on any unusual wire transfer request.
It doesn’t take much to bullet-proof your staff, and your bulletins and phishing service have been an invaluable tool."
Find out how affordable this is for your organization and be pleasantly surprised: