As any high-profile person will know, having their emails hacked is one of the risks of the job. Just ask Hillary Clinton. Such risks have been in the news again recently, with the hacked emails of Hunter Biden – the US president’s son – and those of the former head of the UK’s Secret Intelligence Service both making headlines.
Elon Musk put the Biden emails in the news again with the publication of documents that explained Twitter’s prior decision to block a news article that referred to them. Also last week, Computer Weekly published its analysis of the emails of the former head of MI6, which were believed to have been hacked and leaked by Russian intelligence.
If the head of one of the most secretive organisations in the world is being hacked, it goes to show that no one’s inbox is safe. For treasurers, as holders of the corporate purse strings, it is a reminder that they need to take precautions to protect themselves – and their emails. The risks for treasurers are typically financial, and they are most likely to be targeted in a spearphishing fraud that fools them into making a payment into the wrong hands.
The US Federal Bureau of Investigation gives a typical example: a business is contacted by someone posing as a supplier, who informs them that the supplier has changed its bank details – with the intention of diverting legitimate payments into the criminals’ account.
This type of scam typically starts with the spoofing of an email account or website. The target is then sent an email that looks like it comes from a trusted sender, and is fooled into clicking on a link and unwittingly installing malware on their system, which gives the criminals access to the company’s systems. From there they can glean information such as the patterns of its billing and invoices. The criminals lurk there, observing the regular patterns of the organisation, reading all the emails, and possibly noting passwords and bank account information. They may also note the routines of the key individuals in the company and when they are on leave. All this information is used in preparation for a social-engineering attack, which might be timed for when they know the CEO, for example, is travelling, which also supplies a plausible reason for an unusual payment request.
The FBI’s Internet Crime Complaint Center (IC3) reports that it received nearly 20,000 business email compromise complaints in 2021, with adjusted losses of nearly US$2.4bn. What is perhaps more worrying is the evolving nature of the scams. “Now, fraudsters are using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers. These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult,” the IC3 states in its most recent report.
These days, people are likely to be scammed via a virtual meeting platform, such as Zoom. A CEO’s email may be compromised and their account used to send virtual meeting invites. When the employees attend, it is not actually the senior leader on the call, but rather a still photo with no audio, or a deepfake of their voice. The deepfake will claim their connection isn’t working properly, and the instruction to transfer funds will then arrive via the platform’s chat function, or in a follow-up email, for example.
When it comes to recognising such scams, the basics still apply. The UK’s National Cyber Security Centre, for example, states that the tell-tale signs of a phishing attack include transactions that are out of the ordinary, come from a high-ranking person, and have an urgency to them. Such requests should be verified by another channel that is known only to the people authorised to make high-value transactions on behalf of the organisation. With basic steps such as these, hopefully companies will be able to keep themselves out of the headlines.
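The warning signs above (a changed beneficiary account, a senior sender, urgent language, an unusual amount) can be turned into a payment-request screening step that holds anything flagged until it is confirmed on a separate channel. This is an added illustration, not code from the article, the FBI or the NCSC; the supplier master data, executive addresses and amounts are constructed, hypothetical values.

```python
from dataclasses import dataclass

# Constructed master data (hypothetical values): the bank account and typical
# invoice amounts each approved supplier has on file, and the executive
# mailboxes that fraudsters most often impersonate.
SUPPLIERS_ON_FILE = {"acme-parts.example": "GB00BANK00000000000001"}
AMOUNT_HISTORY = {"acme-parts.example": [12000.0, 11500.0, 12800.0]}
EXECUTIVES = {"ceo@corp.example", "cfo@corp.example"}
URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "confidential")


@dataclass
class PaymentRequest:
    sender: str               # From: address as displayed in the email
    supplier_domain: str      # supplier the invoice claims to be from
    beneficiary_account: str  # account the email asks us to pay
    amount: float
    subject: str
    body: str


def screen_request(req: PaymentRequest) -> list:
    """Return the warning signs found; an empty list means nothing unusual."""
    flags = []
    # 1. "We have changed our bank details": compare with the account on file,
    #    never with details supplied in the email itself.
    on_file = SUPPLIERS_ON_FILE.get(req.supplier_domain)
    if on_file is None:
        flags.append("supplier not in master data")
    elif on_file != req.beneficiary_account:
        flags.append("beneficiary account differs from the account on file")
    # 2. Request appears to come from a high-ranking person.
    if req.sender.lower() in EXECUTIVES:
        flags.append("request comes from a senior leader")
    # 3. Urgency in the subject or body.
    text = f"{req.subject} {req.body}".lower()
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgent language")
    # 4. Out-of-the-ordinary amount: more than 1.5x this supplier's largest invoice.
    history = AMOUNT_HISTORY.get(req.supplier_domain, [])
    if history and req.amount > 1.5 * max(history):
        flags.append("amount is out of the ordinary for this supplier")
    return flags


def decide(req: PaymentRequest) -> str:
    """Hold any flagged request until confirmed on a channel the email cannot control."""
    return "HOLD: verify via known channel" if screen_request(req) else "PROCEED"
```

The callback for a held request should go to a phone number or contact already held on file, not one quoted in the suspicious email.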