Organizations should take steps to prevent a form of cyberattack in which criminals impersonating a top executive deceive an employee into transferring large sums of money, according to the American Institute of CPAs.
The FBI has identified so-called Executive Impersonation as a variant of “Business E-mail Compromise” (BEC), a growing scam that has so far cost companies around the world more than $3 billion. According to a recent FBI bulletin, identified exposed losses from BEC have increased 1,300% since January 2015.
In an Executive Impersonation scam, the criminals devise an email that closely resembles the victim company’s email. In the name of a top-ranking executive, the email requests a wire transfer and is sent to an employee who is authorized to process such requests.
The psychology behind Executive Impersonation “is that the employee is motivated to be responsive to the executive’s request and is willing to bypass the typical controls associated with a normal wire transfer request,” the AICPA said in a new report.
Networking firm Ubiquiti Networks disclosed last year that it was the victim of a $46.7 million Executive Impersonation fraud.
“This sophisticated type of cyberattack is stealing millions of dollars from companies in a manner that should be particularly concerning to company stakeholders because it persuades employees to ignore internal controls,” Annette Stalker, chair of the AICPA’s Forensic and Litigation Services Committee, said.
“Executive Impersonation bypasses the security systems that company IT departments have put in place to neutralize cyberattacks by going where companies and their employees are most vulnerable, their email systems,” she added.
The AICPA report recommends that companies, among other things, increase the training for employees responsible for wire transfers, with a focus on education about BEC schemes; review policies and procedures for requesting, initiating and approving wire transfers; and conduct a risk assessment of the wire transfer process.
“Awareness, training and repetition are the best steps you can take to prevent Executive Impersonation fraud,” said David Zweighaft, a member of the AICPA’s Fraud Task Force who wrote the report.