German Company Loses $44 Million to One Business Email Compromise Scam

GUEST BLOGGER

Ron Cresswell, J.D., CFE
ACFE Research Specialist

As discussed in a recent Fraud Examiner article, the FBI has issued several warnings recently about business email compromise (BEC) scams. In a traditional BEC scam, a fraudster uses a fake email from a high-level executive to trick an employee into wiring funds to the fraudster. According to the FBI, there has been a dramatic increase in BEC-related losses since January 2015. This month brings more troubling news.

The BEC Attack on Leoni AG
In one of the costliest BEC scams yet, the German company Leoni AG announced that it lost more than $44 million to fraudsters. Leoni AG is the largest supplier of electrical wires and cables in Europe. The company has more than 76,000 employees in 32 countries, including Romania, which is where the fraud began.

According to reports, the fraudsters used cloned emails to target a chief financial officer (CFO) working in the company’s factory in Bistrita, Romania. The CFO received an email asking her to wire $44 million to a specific bank account. The email appeared to be from one of the company’s executives in Germany who frequently requested wire transfers by email. Because the request followed the company’s usual procedure, the CFO approved the wire transfer.

The scam seems simple, but it required a significant amount of advance work by the fraudsters. Although details are still sketchy, the fraudsters probably used social engineering and phishing emails to gather crucial information about the company. That information included the company’s internal procedures for requesting and approving wire transfers. For example, Leoni AG has four factories in Romania, but only the one in Bistrita was authorized to make wire transfers. With this information, probably gathered through months of network surveillance, the fraudsters were able to craft a simple but effective BEC scam.

Romanian authorities are still investigating the theft, which was reported by Leoni AG in August. The identities of the fraudsters are unknown, but there are reports that the money was wired to a bank in the Czech Republic.

Could It Have Been Prevented?
Could Leoni AG have prevented the theft? That’s unclear based on current information. However, the following measures might have stopped it:

  • Two-step verification procedure. The fraud probably would have been discovered if the CFO called the company’s German headquarters to confirm the wire transfer request. Many companies require that kind of two-step verification procedure for wire transfers.
  • Employee education. The theft also might have been prevented if the CFO knew enough about BEC scams to be suspicious of the $44 million request. That is why companies should educate their employees about BEC scams and other common frauds.

Conclusion
Fraud professionals should continue to follow news of the Leoni AG case, which is still in the early stages of investigation. It’s the story of a sophisticated, multinational company that lost $44 million through a relatively simple BEC scam. As more information comes out, the Leoni AG case may provide some valuable lessons. 

Fraudsters First Across Finish Line

GUEST BLOGGER

Emily Primeaux, CFE
Assistant Editor, Fraud Magazine

I’ll admit it: I am a sports nut. It doesn’t matter what the event is, the combination of tough competition and sheer athleticism is enough to glue me to the TV. I once turned on a Division II collegiate women’s bowling competition in my hotel room while spending a night in Mobile, Alabama. Not because there wasn’t anything on, but because I wanted to watch it.

So of course I’m beyond thrilled that the Olympic games are finally here. I’ll don my red, white and blue and spend the next three weeks supporting the gymnasts, rowers, divers, weight lifters, runners, footballers… I’ll even tune into handball. 

However, as with any other huge event, the Olympics produce all kinds of vulnerabilities when it comes to fraud. And of course, the spotlight has been on Brazil in the months leading up to the games due to reports of unlivable conditions in the athletes’ village, the threat of the Zika virus and alleged corruption in Rio de Janeiro. Beyond what the media reports, though, is the tough reality that fraudsters will find a way to capitalize on susceptible targets.

Beware unauthorized ticket sources
Consumers scrambling for last-minute tickets should be wary of fraudulent websites promising entry to events — including the opening and closing ceremonies — despite selling them in breach of official restrictions. Scammers register domains containing the keywords “rio” or “rio2016” that mimic official ticketing sites; a registered domain of that kind makes the site look more credible. Users who input their credit card details into these sites are giving cybercriminals access to their bank accounts.

According to The Guardian, an unauthorized ticket source under the name of “bookriogames2016.com” claims to be “a secure and transparent platform for buying tickets for the Rio Olypmic (sic) Games” and tells users “you’re protected with us.” But according to the consumer group Which?, purchasers run the risk of not being allowed into any of the events and won’t be eligible for a refund.

Olympic organizers say that as of July 30 more than 80 percent of the tickets available for the Rio Olympics had been sold. Fans looking for tickets should be careful and buy only from the official ticketing website.

Phishing for fools
Security experts are warning fans to be aware of spam and phishing campaigns surrounding the games. One scam in particular sent fake lottery win notifications supposedly from the Brazilian government and the International Olympic Committee. To claim their winnings, the recipients are asked to provide personal details. Of course there is no prize — unless you count identity theft!

Other fraudsters use spam mail or online banner advertisements to “sell” souvenirs related to the Olympics. Experts strongly recommend not buying anything advertised in these methods. Again, visiting the official Olympics website to purchase merchandise is the safest bet.

Enjoy the Opening Ceremonies tonight! I know I will.

Fraud Displaced During EMV Transition

GUEST BLOGGER

Zach Capers, CFE
ACFE Research Specialist

Last year, I wrote about the U.S.’s transition to EMV credit cards and the associated fraud liability shift from card issuers to merchants. The article mentioned the possible side effect of fraud being displaced from in-store to online transactions as has happened in many countries that have undergone similar transitions; one year later, the initial data is in and that possibility is now a reality.

A new report from ACI Worldwide shows that online credit card fraud during the 2015 holiday season increased by 8 percent over the 2014 holiday season. Furthermore, the report shows that 1 out of every 67 online credit card payments was a fraudulent attempt, compared to 1 out of 72 the previous year. While there are many factors at play and online purchases continue to increase year over year, the findings correspond with increases expected by industry experts and follow the trends previously experienced by other countries.

Meanwhile, the transition to EMV credit cards has resulted in other forms of turmoil for merchants big and small. Visa was recently sued by Wal-Mart over the card issuer’s insistence on a signature verification system rather than a PIN requirement that Wal-Mart and many others claim would significantly increase security for customers while reducing fraud. Wal-Mart’s central claim is that Visa makes more money by processing signature-based transactions than it would with a chip-and-PIN system, thus profiting at the expense of retailers and their customers.

Another complication wrought by the adoption of the new credit card systems is the slow certification process for new credit card terminals required by last year’s liability shift. A New York Times report in March documented the plight of mid-sized businesses that were still waiting for their new payment terminals to be certified despite having had them in place since the November 2015 deadline. Some merchants argue that relationships between financial institutions and certification firms leave little motivation to speed up this process, since uncertified merchants must continue to pay for any fraudulent activity incurred on their terminals.

On Capitol Hill, Wal-Mart and others seem to have an ally in U.S. Senator Dick Durbin, who recently assailed the credit card industry’s refusal to allow PIN-based transactions and the delayed certification process. The senator also echoed the frustration of many consumers regarding long waits at retail checkout counters caused by slow software processing in new card terminals.

As more consumers adapt to their new EMV credit cards and new merchant terminals are certified and updated with improved software, some of the unexpected issues with EMV adoption will be resolved. Unfortunately, many of the most significant problems with the transition were either widely predicted or entirely avoidable.

Understanding and Mitigating Smartphone Risks

ONLINE EXCLUSIVE

Nikola Blagojevic, CFE, CISA

In the past decade, public- and private-sector organizations have greatly increased their use of smartphones for their employees — they're now ubiquitous. Upside: simple and quick communication. Downside: Smartphones are easily lost, stolen and susceptible to cyberattacks because of their technological vulnerabilities. According to the CNBC article, Biggest cybersecurity threats in 2016, by Harriet Taylor, Dec. 28, 2015, "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."

Smartphones are more at risk in certain areas — hotels, coffee shops, airports, cars, trains, etc. And home Wi-Fi connections can be potential risk areas if users don't properly secure them. An attacker could easily access confidential personally identifiable information (PII) and data, such as:

  • Personal or professional data (emails, documents, contacts, calendar, call history, SMS, MMS).
  • User identification and passwords (to emails, social networks, etc.).
  • Mobile applications that record PII.
  • Geolocation data about the smartphone user.

Poor configuration of particular smartphone parameters can also lead to security breaches. An attacker can initially target a smartphone that contains little or no classified data but then use it as a steppingstone to build a more complex attack to obtain access to sensitive applications or confidential data. For example, a hacker can use various seemingly unimportant pieces of data to social engineer victims to gain more information that could enable him to stage a successful attack.

So while it's crucial that CFEs are aware that mobile devices — smartphones and tablets — bring fraud risks to organizations, it's also critical that they know the risks of using their own mobile devices in professional settings.

Understanding and mitigating the risks

The European Union Agency for Network and Information Security (ENISA) has defined 10 major risks for smartphone users:

  1. Data leakage resulting from device loss or theft.
  2. Unintentional disclosure of data.
  3. Attacks on decommissioned smartphones.
  4. Phishing attacks.
  5. Spyware attacks.
  6. Network spoofing attacks.
  7. Surveillance attacks.
  8. Diallerware attacks: an attacker steals money from the user by means of malware that makes hidden use of premium short message services or numbers.
  9. Financial malware attacks.
  10. Network congestion.

We can use these risks (listed from highest to lowest risk) alongside the ISO 27002 standard to review professional use of smartphones within organizations. Internal auditors might not have the technical expertise, so you could hire external experts with specific skills to perform the proper tests. External experts also provide necessary independence for testing organizations' security measures.

Here are various measures that can help reduce the risks associated with mobile devices:

  • Encrypt mobile devices.
  • Regularly update mobile devices' applications and operating systems.
  • Set strong passwords. Each personal identification number (PIN) should be at least eight digits long because a four-digit PIN can be easily broken. Alphanumeric passwords should be at least eight characters long and shouldn't use common names or words. An easy way to help create a memorable password is to use a favorite sentence. For example, you can create a password from "The ACFE is reducing business fraud worldwide and inspiring public confidence." Use the first letters of each word and replace "a" and "i" with "@" and "1," respectively. Following this method, the password would be: "t@1rbfw@1pc."
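The sentence-to-password method and the two length rules above, written out as an added example (not code from the article or the ACFE); the word list and the sample PINs are constructed for illustration, and the substitution is assumed to be case-insensitive since the article turns "The ACFE" into "t@".

```python
# Added example: the article's mnemonic password method plus its length rules.
import re

# Constructed sample input: the sentence the article uses as its example.
ACFE_SENTENCE = "The ACFE is reducing business fraud worldwide and inspiring public confidence."
# Constructed, illustrative stand-in for a real list of common words/names.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "baseball"}

# The article's two substitutions.
SUBSTITUTIONS = {"a": "@", "i": "1"}


def mnemonic_password(sentence: str) -> str:
    """First letter of each word, lower-cased (assumption), then a->@ and i->1."""
    words = re.findall(r"[A-Za-z]+", sentence)
    initials = "".join(w[0].lower() for w in words)
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in initials)


def password_meets_policy(pw: str) -> bool:
    """Alphanumeric rule from the article: at least eight characters and
    not a common word. The common-word check undoes the substitutions first,
    so 'p@ssword' is still rejected as 'password'."""
    if len(pw) < 8:
        return False
    plain = pw.lower().replace("@", "a").replace("1", "i")
    return plain not in COMMON_WORDS


def pin_meets_policy(pin: str) -> bool:
    """PIN rule from the article: digits only, at least eight of them."""
    return pin.isdigit() and len(pin) >= 8


if __name__ == "__main__":
    pw = mnemonic_password(ACFE_SENTENCE)
    print(pw, password_meets_policy(pw))              # t@1rbfw@1pc True
    print(pin_meets_policy("1234"), pin_meets_policy("48210937"))  # False True
```

Because the ACFE sentence is printed in the article, the derived password is public too; the method only helps when the starting sentence is one nobody else would guess.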

CFEs should safeguard security for their professional smartphones and those in their organizations because they're often laden with confidential company information. (Of course, CFEs shouldn't forget that paper data can be equally confidential and necessitate adequate security measures, but that's for another article.)

Find even more tips on how to guard your PII in the full article on Fraud-Magazine.com.

Why U.K. Police are Struggling to Prosecute Cyberfraud

GUEST BLOGGER

Martin Kenney
Managing Partner of Martin Kenney & Co., Solicitors

The answer to the failure to prosecute more than one in 100 cases of fraud may lie in civil investigations

The Times recently reported that U.K. police forces were struggling to deal with a wave of online fraud cases.

Fewer than one in 100 cybercrimes were being followed up, it said, with many of those having originated overseas.

The scale of offending is so great that officers rely on a computer program to assess whether cases are worth following up, wrote journalist Andrew Ellson.

It’s not surprising that the police are coming under pressure and being criticised. Our teams have long experience in the fields of law enforcement and investigative work, and these types of crimes are notoriously difficult to prosecute. They require complex investigations which are reliant upon technical expertise – expertise often outside the normal policing skills toolkit – and many are perpetrated by foreign gangs operating in overseas jurisdictions.

Although the U.K. is expanding its cybercrime fighting capabilities, cross-jurisdictional issues can see investigations stagnate. Requests for overseas assistance get bogged down in diplomatic channels, allowing the culprits ample time to cover their tracks, move money and evade justice.

As a specialised asset recovery and retrieval law firm focusing on fraud cases, we have proposed to police here the possibility of using the private sector, which would allow asset-recovery experts such as ourselves, and partner liquidation experts, to assess whether civil recovery may be possible and cost-effective. Without that option, we know that many victims will be left feeling frustrated and disappointed at the lack of action on their behalf.

Our proposal may be in its infancy, but it’s clear authorities are being inundated with fraud. Thanks to austerity cuts, police are unable to investigate crimes which, historically, they might have tackled. Although the National Crime Agency and some of the regional policing units do embark on civil recoveries when the targets are out of the reach of normal criminal prosecution, it’s still only a small percentage of all such crimes.

For a civil route to become viable, losses need to be significant before an investigation becomes cost-effective. However, some frauds involve multiple victims who yield comparatively small sums, but when added together can become a significant illicit gain for the fraudster. The question for police is this: would it be better to relieve the culprits of their ill-gotten gains through the civil courts or simply turn a blind eye due to the unlikelihood of a criminal prosecution?

I believe that many victims would rather see some of their monies returned, even if legal fees had to be paid, than know the culprits were able to enjoy the high life on the back of the entirety of their loss.

It must be remembered that the majority of these offences are committed by organised crime groups involved in all sorts of other serious crimes (human trafficking, drug trafficking and even the funding of terrorism). Anything we can do to frustrate their activities should be welcomed.

Martin Kenney is Managing Partner of Martin Kenney & Co., Solicitors, a specialist investigative and asset retrieval practice focused on multi-jurisdictional fraud cases. www.martinkenney.com | @MKSolicitors