Could the attempted theft of €4.3m from Meath County Council happen to your business?

Meath County Council

As was widely reported at the weekend, Meath County Council were the victim of an attempted theft of some €4.3 million. A lot of the reportage was pointing to hackers and this being a cyber attack, but based on what is known, in my opinion, it’s not really.

This attempted theft was facilitated by the use of technology, but not necessarily by the abuse of it. The Council is no longer commenting while the matter is investigated, so we will need to await the outcome of that before we know for sure.

However, this sort of theft is incredibly common and is known variously as CEO fraud or Business Email Compromise (BEC). Basically, what the bad guys do is send an e-mail or even a text message that appears to come from the CEO, the MD, the Head Honcho, the Big Boss. This e-mail/text is sent to somebody in the finance department and instructs them to urgently transfer or wire funds to some account that is outside of the EU area. If the transfer was within the EU area, it can be recalled under SEPA regulations, but outside of the area the money can be taken and never seen again.

If, in your business, you have a finance function (however big or small) that has a single person who is able to initiate a transfer of funds in any amount, on their own, then you could easily fall victim to this type of fraud. The thieves will have done research on your organisation and will know who is involved in the various departments and how you operate. This enables them to make their e-mail/text much more believable.

The FBI in the US have reported that this fraud has occurred in 80 countries. From October 2013 to February 2016, there have been over 17,600 victims with total losses amounting to over $2.3 billion – that’s an average of just over $130,000 from each victim. This whole area is increasing rapidly and this will happen more and more.

So what can you do to prevent it happening to you?

Well, quite simply, have the banking set up such that at least two signatories are required for every transaction, no matter the size. Then follow this up with a strict policy on how money transfers can be requested – particularly where the target account is new. If you are simply transferring to a known, established account (belonging to a vendor you deal with, for example), then this should be OK (as long as there is a supporting invoice, of course). However, if an e-mail requests the transfer of funds to an unknown account, then certain due diligence should kick in. For example, the CEO/MD/Whatever should be contacted by phone and additional verification sought. If the CEO cannot be contacted, then no further action should be taken until they are reached. Very importantly, the CEO needs to acknowledge this policy and never subvert it, no matter what.

As mentioned earlier, the thieves will have done their homework on the company. The true story I tell during the Internet Security Awareness and Safety Training is about the finance director of a company receiving an e-mail from his boss asking him to urgently transfer funds to a client account in order to secure a new contract. As it's for a new contract, it's to go to a new account. Also, the amount of the funds is just within the Finance Director's approval range for a solo authorisation. The CEO concludes the e-mail by saying that he is just getting onto a long-haul flight, so he will be incommunicado for several hours.

The CEO was indeed travelling long haul that day, which the Finance Director knew, so it all looked fine. He set up the transfer on the system and was about to process it when a niggle hit him. There was just something that wasn't quite right, so he chanced calling the CEO, who answered from the departure lounge at the airport. Of course, there had been no e-mail sent by the CEO – it was all a hoax. But if the Finance Director hadn't had that niggle and made the call, the money would have been gone, never to be seen again.
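The policy described above (two signatories for every transfer regardless of amount, a phone call back to the requester before paying any new account, and extra caution when the destination cannot be recalled) can be written down as a release gate that a finance system runs before a payment leaves. The block below is an added example, not code from the original post, from Meath County Council or from any bank. It also runs the training story through the gate: an e-mail "from" the CEO, a new account, an amount just inside the old solo limit, and no call made. All names, the vendor list, the solo-limit figure and the invoice reference are constructed; the IBANs are published format examples, not real accounts, and the SEPA country list is an illustrative subset.

```python
# Added example: a transfer-request release gate enforcing the controls the post
# recommends. Not the Council's or any bank's code; all sample data is constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Illustrative subset of SEPA country codes (the real list is longer).
SEPA_COUNTRIES = {"IE", "GB", "DE", "FR", "ES", "IT", "NL", "BE", "AT", "PT", "CH", "NO"}

# Payees already on file: constructed vendor master data keyed by IBAN.
# GB82WEST... is a format-example IBAN, not a real account.
KNOWN_PAYEES = {
    "GB82WEST12345698765432": "Acme Stationery Ltd (constructed vendor)",
}


def iban_checksum_ok(iban: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end, map
    letters to 10..35, and the resulting integer must leave remainder 1."""
    s = iban.replace(" ", "").upper()
    if len(s) < 15 or not s.isalnum() or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # int('A', 36) == 10
    return int(digits) % 97 == 1


@dataclass
class TransferRequest:
    requester: str                 # who the e-mail/text claims to be from, e.g. the CEO
    amount_eur: float              # recorded, but deliberately never consulted by the gate
    payee_iban: str
    invoice_ref: Optional[str] = None          # supporting invoice, if any
    approvals: Set[str] = field(default_factory=set)  # distinct staff who have signed off
    requester_confirmed_by_phone: bool = False  # requester reached on a number already on file


def evaluate(req: TransferRequest) -> Tuple[str, List[str]]:
    """Return ("RELEASE", []) or ("HOLD", reasons). Every reason must be cleared
    before funds move; there is no amount below which one person may release."""
    reasons: List[str] = []
    iban = req.payee_iban.replace(" ", "").upper()

    if not iban_checksum_ok(iban):
        return "HOLD", ["payee IBAN fails checksum: likely mistyped or fabricated"]

    if len(req.approvals) < 2:
        reasons.append(f"{len(req.approvals)} signatory; two are required for every transfer")

    new_payee = iban not in KNOWN_PAYEES
    if new_payee and not req.requester_confirmed_by_phone:
        where = ("outside SEPA, so it cannot be recalled once sent"
                 if iban[:2] not in SEPA_COUNTRIES else "inside SEPA")
        reasons.append(f"new payee ({where}): {req.requester} must confirm by phone "
                       "before any further action is taken")
    if not new_payee and req.invoice_ref is None:
        reasons.append("known payee but no supporting invoice")

    return ("HOLD" if reasons else "RELEASE"), reasons


def story_case() -> Tuple[str, List[str]]:
    """The training story: e-mail 'from' the CEO, new account for a new contract,
    amount just inside a (constructed) 25,000 solo limit, CEO about to fly."""
    req = TransferRequest(
        requester="ceo",
        amount_eur=24_900.0,                     # constructed figure
        payee_iban="AE070331234567890123456",    # format-example IBAN, outside SEPA
        invoice_ref=None,
        approvals={"finance_director"},
        requester_confirmed_by_phone=False,
    )
    return evaluate(req)


def routine_vendor_case() -> Tuple[str, List[str]]:
    """A known vendor, a supporting invoice and two signatories: released."""
    req = TransferRequest(
        requester="accounts_payable",
        amount_eur=1_250.0,
        payee_iban="GB82WEST12345698765432",
        invoice_ref="INV-0417",                  # constructed reference
        approvals={"finance_director", "financial_controller"},
    )
    return evaluate(req)


if __name__ == "__main__":
    for name, fn in (("story", story_case), ("routine vendor", routine_vendor_case)):
        decision, reasons = fn()
        print(f"{name}: {decision}")
        for r in reasons:
            print("  -", r)
```

The gate never looks at the amount: that is the point of the post's "no matter the size" rule, and it is what defeats the trick in the story of pitching the request just inside one person's solo limit. Holding on a failed IBAN checksum is a cheap first filter for mistyped or invented account numbers, but it says nothing about who owns a well-formed account, which is why the phone call back to the requester on a number already on file remains the decisive check for any new payee.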

So put a strong policy in place and make sure your staff are instructed in it and are never criticised for adhering to the policy. This last part is critical, because if they do get criticised, then the policy won't get enforced and the risk of theft will become greater.