Did you know that Business Email Compromise (BEC), also known as CEO Fraud, is still a threat? And, it’s not just the stolen money that causes executive headaches. It can damage your stock price and reputation with major customers. And, in the case of FACC, it cost the CFO, Minfen Gu, her job.
Here’s what Computer Weekly said about the fraud, announced on January 19th:
A $54m cyber fraud against Austria’s FACC has sent the aircraft supplier’s share price reeling. The company’s share price fell nearly 17% in response to news of the company’s loss, which is one of the greatest losses to date caused by cyber fraud, according to Bloomberg. The loss reported by the supplier to companies such as Boeing and Airbus is way above the average cost of the worst breaches in the UK of between $1.9m and $4.4m, reported by PricewaterhouseCoopers (PWC) in 2015.
So, how do you prevent these attacks from succeeding?
In my experience, most companies are overspending on technology to prevent data and money theft while downplaying the people, process, and management aspects. As with FACC, the recent theft of W-2 information from Moneytree succeeded mostly because of weak internal processes and poorly trained people. And there’s a lot you can do in these areas for little or no added expense.
Training people to detect and resist attempts to trick them into sending money (or sensitive data) to criminals is a top action everyone should be taking right now. A good approach is to combine a strong internal communications campaign with a software-as-a-service anti-phishing testing service, such as PhishMe or one of its competitors. Expect to pay about $20 per user, per year.
On that note, organizations need to make sure their management team fully supports their cybersecurity program, especially first-line supervisors. Why? When people hear about their responsibility to prevent cybercrime, their first question will be “is this for real?” and then they will wonder “how will this affect me?” Their supervisor will either encourage people to join the program or kill it, depending on how they answer those questions.
Finally, people have to feel safe to respectfully challenge any suspicious requests. Otherwise, they will be stuck between the fear of being fired for not immediately complying with the request and the fear of making a big mistake.
What else would you do to protect your organization from CEO Fraud?