The 'bogus boss' email scam costing firms millions
- 8 January 2016
- From the section Business
It's a boss's worst nightmare.
You return from a trip to find that hundreds of thousands of dollars has been transferred out of company accounts - apparently at your instruction.
But you have no idea what your accountant is talking about - you didn't give any instructions.
This is what happened to Carole Gratzmuller, boss of a medium-sized French company called Etna Industrie.
Her firm, which employs 50 people and has been making industrial equipment on the outskirts of Paris for nearly 75 years, was the victim of a specialised email phishing attack dubbed CEO fraud, or "fraude au president" as they call it in France.
"My accountant was called on Friday morning," she tells the BBC. "Someone said: 'You're going to get an email from the president, and she's going to give you instructions to conduct a very confidential transaction and you're going to have to respond to whatever instructions she gives you'."
The accountant was then emailed from an address with Ms Gratzmuller's name in it, saying Etna Industrie was buying a company in Cyprus.
The email said the accountant was going to get a phone call from a consultant working with a lawyer, who would then give her instructions as to where to transfer the money.
"Everything happened between 9 and 10 o'clock," says Ms Gratzmuller. "The accountant probably got about 10 emails in that time and three or four different phone calls.
The fraudsters pressured her into acting quickly, without thinking - a standard feature of this type of phishing fraud.
"They didn't give her a moment to sit back and think that this was unusual," she says.
Before noon the accountant had authorised wire transfers totalling €500,000 (£372,000; $542,000) to foreign bank accounts.
Luckily for Etna Industrie, three of the wire transfers were held up by the banks, but one for €100,000 went through.
The many faces of business email fraud
- Someone poses as a boss of a company instructing staff to make a wire transfer into the fraudster's account
- Fraudsters pose as the IT services department of a bank saying they want to make a test transfer - but it's not a test
- Fraudsters claim to be a supplier and ask for outstanding invoices to be paid into a new bank account
- Employees click on links within phishing emails containing malware which authorises many small payments to the fraudster's account
The company got this money back after the bank in question was found to be at fault by the French courts. However, the bank is appealing against the decision.
"It's like when your house or apartment gets broken into," says Ms Gratzmuller. "You feel vulnerable. People get into your life and they know things about you and you have no clue, and they take things from you."
But the case of Etna Industrie is small fry compared to the scale of "fraude au president" across France as a whole.
French businesses have lost an estimated €465m since 2010, official figures suggest, with 15,000 firms falling victim to the scam, including big names, such as Michelin, KPMG and Nestle.
The biggest fraud was for €32m, and a further €830m could have been stolen if more phishing attacks had proved successful, say French police.
Matthieu Bares, deputy head of their financial crime division, says there are one or two attacks on French companies every day, but that "plenty of victims don't report the fraud".
But why France in particular?
Gilbert Chikli, a French-Israeli man, may have a lot to do with it. He defrauded more than 30 banks and companies out of €7.9m during 2005 and 2006, pretending to be, variously, company heads and secret service agents.
Chikli fled to Israel in 2009 and in his absence was sentenced to seven years in prison last year.
With no extradition agreement between Israel and France, Chikli remains living in Tel Aviv, and a film based on his life is being made - starring French president Francois Hollande's girlfriend, Julie Gayet.
It is still predominantly French-Israeli gangs running the fraud, police say, and their ability to impersonate French bosses has seen France bearing the brunt of the onslaught in Europe.
But CEO fraud is not just a French problem.
In the US, the FBI's internet crime centre or IC3 has been tracking "business email compromise" scams, as it calls them, and reckons about 7,000 companies have been defrauded of more than $740m (£508m; €682m) over the last two years.
The real figure is likely to be much higher though, given how reluctant many companies are to admit being defrauded in this way.
"We think more than $2bn has been lost to business email scams over the last two years," says Aaron Higbee, co-founder and chief technology officer of PhishMe, a US security company specialising in educating staff about phishing attacks.
One US company, Ubiquiti Networks, a wireless network equipment manufacturer, admitted to wiring $39.1m to fraudsters after falling victim to this type of scam repeatedly last year.
"Fraudsters are increasing the intensity of attacks," says Amichai Shulman, chief technology officer at data security company, Imperva. "So it only takes a tiny percentage to get through to be effective. There are not enough policing resources in cyberspace to monitor them all."
But why is CEO fraud proving so effective?
Mr Higbee suggests it because this type of email can more easily bypass spam filters and antivirus security systems.
"It doesn't need attachments carrying malware, it's just a conversation," he says. "It's very low-tech and a big departure from the large, automated malware attacks we're used to."
Fraudsters use publicly available corporate data gleaned from the internet to make the emails as convincing as possible, finding out who the bosses and senior financial officers are from social networks like LinkedIn, for example.
Staff are less likely to question instructions purporting to come from on high, and it's this psychological manipulation - often accompanied by a sense of urgency - that is a major factor in the fraud's success.
"It will spread because it's too good to be ignored," warns Jerome Robert from French cybersecurity company, Lexsi. "[Criminals] can make so much money in a very small amount of time, with minimal risk."
Businesses should be on their guard.
Listen to BBC World Business Report's How not to be a victim of internet scams
Follow Technology of Business editor Matthew Wall on Twitter: @matthew_wall