Brown Hat Security - Business practices in the age of the wire fraud scam

The CEO/CFO wire fraud scam has grown increasingly common as of late, and has very successfully bilked businesses out of great quantities of money. This is, fundamentally, an information security problem and should be treated as such.

The scam goes like this: a CEO is traveling to a foreign country and is at least partially unavailable. The CFO receives an email message, ostensibly from the CEO. The message requests that the CFO transfer funds quickly in order to close a deal - and is timed such that the CFO has to do it immediately in order to manage it before the banks close. The transfer goes through; the CEO returns, and knows nothing about what has happened - the company, unless they get extremely lucky with their financial institutions, is now out a significant amount of money.

This is, fundamentally, an exploitation of authentication and authorization procedures that are stuck in the 20th century, enabled by the relative ease of forging emails.

In information security, we look at a request by a CEO for a wire transfer by a CFO as having an authentication part (the CEO and the CFO know who each other are) and an authorization part (the CEO is authorized to request wire transfers; the CFO is authorized to send them).

The problem here is that the authentication part is extremely weak - in most cases, the CFO is only glancing at the "from" address the mail client displays (supposedly something that only the CEO can send from) and assuming that the message is genuine. Some CFOs take care to read the email and judge whether it 'sounds' right - whether the language and grammatical constructions are consistent with the CEO's past emails - but that kind of style can be easily mimicked, and the criminals running these scams typically study the executive's real correspondence before they strike.

Emails are very easy to forge. The base email specifications (SMTP for transport, RFC 5322 for the message format) have no provisions for proving that an email came from a particular server, much less that a specific individual wrote it. The "From" line that the CFO sees is simply a header the sender types in; it is independent of the address the sending server actually presents on the wire, and many mailservers will accept and deliver whatever the sender chooses to put there.

Worse, the mechanisms that were bolted on later to check the sender (SPF, DKIM and DMARC) only work if the spoofed domain publishes them and the receiving server enforces them, and a great many domains still do neither. The attacker does not even need to find a misconfigured relay: any mailserver they control can emit a message carrying the CEO's address in the "From" header. Setting one up is easy and cheap - a reasonably skilled individual can manage it inside half an hour for a simple setup. And if the target domain does enforce these checks, the attacker simply registers a look-alike domain (one letter different, or a different top-level domain), where every check passes because they genuinely own it.
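The paragraphs above describe the signals a receiving mailbox does have: the header "From" the CFO sees, the envelope sender the transport actually used (usually stamped into a Return-Path header on delivery), the Reply-To, and the receiving server's own SPF/DKIM verdict. Below is an added example, written for this article and not code from the original post, of a triage check that reads those headers from two constructed messages - a direct forgery of the CEO's address, and a look-alike domain that the attacker really owns - and lists why each must not be trusted as an authenticated request. The message contents, domains, executive directory and the Authentication-Results values are all made up for the illustration; a real deployment would source the directory from the company's identity system and the verdicts from its own mail gateway.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Known executives and the one address each is allowed to send from.
// Constructed for this example; a real deployment would pull this from the directory.
var executives = map[string]string{
	"alice chief": "alice.chief@example.com",
}

// Constructed sample 1: a direct From-header forgery sent from a server the attacker
// controls. Return-Path and Authentication-Results are the kind of headers the receiving
// MTA stamps on delivery (RFC 8601); the values here are invented.
const forgedFrom = `Return-Path: <bounce@attacker-box-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker-box-example.net; dkim=none
From: "Alice Chief" <alice.chief@example.com>
Reply-To: alice.chief@examp1e.com
To: bob.finance@example.com
Subject: Urgent wire before the bank closes

Bob, I'm in back-to-back meetings abroad. Please wire the 48,000 today to close the deal.
`

// Constructed sample 2: a look-alike domain the attacker actually owns, so SPF and DKIM
// both pass. Only the display name impersonates the CEO.
const lookalike = `Return-Path: <alice.chief@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com
From: "Alice Chief" <alice.chief@examp1e.com>
To: bob.finance@example.com
Subject: Urgent wire before the bank closes

Same request as before, sent from the domain that is one character off.
`

// domainOf returns the lower-cased domain part of an address, or "" if there is none.
func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// SpoofIndicators returns the reasons a message must not be treated as an authenticated
// request. An empty result means nothing fired; it is not evidence that the mail is genuine.
func SpoofIndicators(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, fmt.Errorf("unparseable From: %w", err)
	}
	fromDom := domainOf(from.Address)
	var reasons []string

	// 1. Envelope sender (Return-Path) from a different domain than the header From.
	if rp, err := mail.ParseAddress(msg.Header.Get("Return-Path")); err == nil && domainOf(rp.Address) != fromDom {
		reasons = append(reasons, "envelope sender domain "+domainOf(rp.Address)+" differs from From domain "+fromDom)
	}
	// 2. Replies silently redirected to another domain.
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if a, err := mail.ParseAddress(rt); err == nil && domainOf(a.Address) != fromDom {
			reasons = append(reasons, "Reply-To domain "+domainOf(a.Address)+" differs from From domain "+fromDom)
		}
	}
	// 3. The receiving server's own verdict: SPF did not pass, or no valid DKIM signature.
	ar := strings.ToLower(msg.Header.Get("Authentication-Results"))
	if !strings.Contains(ar, "spf=pass") {
		reasons = append(reasons, "SPF did not pass for the envelope sender")
	}
	if !strings.Contains(ar, "dkim=pass") {
		reasons = append(reasons, "no valid DKIM signature")
	}
	// 4. Display name of a known executive on an address that is not theirs (look-alike domain).
	if want, ok := executives[strings.ToLower(from.Name)]; ok && !strings.EqualFold(from.Address, want) {
		reasons = append(reasons, "display name \""+from.Name+"\" belongs to "+want+" but address is "+from.Address)
	}
	return reasons, nil
}

func main() {
	for name, raw := range map[string]string{"forged From": forgedFrom, "look-alike domain": lookalike} {
		reasons, err := SpoofIndicators(raw)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d indicator(s)\n", name, len(reasons))
		for _, r := range reasons {
			fmt.Println("  -", r)
		}
	}
}
```

The first sample trips every check; the second trips only the display-name check, which is the point: once the attacker owns the sending domain, the transport-level checks are satisfied, and only a comparison against the company's own record of who uses which address catches it. None of these indicators authenticates the request in the positive sense - they can only tell you a message is untrusted, never that it is genuine.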

What can businesses do in this environment?

First, change your business processes so that a last-minute wire transfer requested by email is simply not a valid way of doing business. Having a documented procedure for requesting funds transfers that includes a validity check, and which forbids the kind of off-the-cuff requests these criminals take advantage of, removes the opening that this scam depends on. Ideally, the CEO and CFO should have some kind of challenge and response sequence memorized to validate each other's identity, regardless of the communications medium, and the CFO should confirm the request over a channel the requester did not choose - a call back to a phone number already on file, never a number or address supplied in the email itself. Validate the details separately both before and after the transfer is authorized. Arranging the details of any potential wire transfers before a trip will also help: if a transfer is expected but the request does not match the anticipated beneficiary, amount or timing, something suspicious is likely happening. If a last-minute email demanding a wire transfer is not a valid business action, then you cannot be scammed with last-minute emails demanding wire transfers.

Secondly, consider investing in public-key infrastructure for email - in practice, S/MIME certificates or OpenPGP keys issued to your staff. PKI requires some expertise to set up and can become expensive in some cases, but it allows anyone within the company to verify that an email purporting to come from a colleague was signed with that colleague's private key, which is the property the base email specification lacks. With signing in place, the rule becomes simple: an email that arrives unsigned, or whose signature does not verify, is untrusted and is not a valid request, no matter what the "from" line says. (Encrypting the mail as well protects the contents from eavesdropping, but it is the signature that defends against this scam.) Two caveats: the private key must be protected as carefully as the executive's mailbox, since a thief who gains control of the CEO's laptop with the key loaded can sign whatever they like; and the check only helps if the CFO's policy actually refuses unsigned requests rather than treating the signature as optional decoration.
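To make the "unsigned means untrusted" rule concrete, here is an added example, written for this article and not code from the original post or from any PKI product, that strips the idea down to its core: the requester signs the fields of a wire request with a private key, and the finance side verifies that signature against the public key the company has enrolled for that requester. It uses a raw Ed25519 key pair and an in-memory key directory as a stand-in for the certificate lookup a real S/MIME or OpenPGP deployment would do; certificate chains, revocation and key storage are deliberately left out. The request contents, addresses and account strings are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// WireRequest holds the fields a finance team actually checks before sending funds.
type WireRequest struct {
	Requester   string // identity of the person asking, e.g. the CEO's address
	Beneficiary string
	Amount      string
	Deadline    string
}

// canonical is the exact byte string that gets signed: a fixed field order so that
// signer and verifier agree byte for byte, and any change to any field breaks the signature.
func (r WireRequest) canonical() []byte {
	return []byte(strings.Join([]string{"wire-request-v1", r.Requester, r.Beneficiary, r.Amount, r.Deadline}, "\n"))
}

// Directory maps a requester identity to the public key the company enrolled for them.
// It stands in for the certificate lookup a real PKI would provide.
type Directory map[string]ed25519.PublicKey

// Sign produces the detached signature the requester attaches to the message.
func Sign(priv ed25519.PrivateKey, r WireRequest) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, r.canonical()))
}

var (
	ErrUnsigned      = errors.New("request carries no signature: treat as untrusted")
	ErrUnknownSigner = errors.New("requester has no enrolled key: treat as untrusted")
	ErrBadSignature  = errors.New("signature does not verify: forged or altered")
)

// Verify is the CFO side. A missing signature, an unknown requester, or a signature
// that does not match the request's content all fail closed.
func Verify(dir Directory, r WireRequest, sig string) error {
	if sig == "" {
		return ErrUnsigned
	}
	pub, ok := dir[r.Requester]
	if !ok {
		return ErrUnknownSigner
	}
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil || len(raw) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pub, r.canonical(), raw) {
		return ErrBadSignature
	}
	return nil
}

// Demo runs the scenarios from the article: a genuine signed request, the same request
// with the beneficiary altered in transit, an unsigned request, and a request signed by an
// attacker's own key that was never enrolled. It returns each verification result.
func Demo() (genuine, altered, unsigned, impostor error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir := Directory{"ceo@example.com": pub}

	// Constructed request details.
	req := WireRequest{"ceo@example.com", "Acme Supplies, acct 12345678", "48000.00 USD", "today before bank close"}
	sig := Sign(priv, req)
	genuine = Verify(dir, req, sig)

	tampered := req
	tampered.Beneficiary = "Offshore Holdings, acct 99999999"
	altered = Verify(dir, tampered, sig)

	unsigned = Verify(dir, req, "")

	// The scammer has a key pair of their own, but the directory never enrolled it for the CEO.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fake := WireRequest{"ceo@example.com", "Offshore Holdings, acct 99999999", "48000.00 USD", "today before bank close"}
	impostor = Verify(dir, fake, Sign(attackerPriv, fake))
	return genuine, altered, unsigned, impostor
}

func main() {
	g, a, u, i := Demo()
	fmt.Println("genuine :", g)
	fmt.Println("altered :", a)
	fmt.Println("unsigned:", u)
	fmt.Println("impostor:", i)
}
```

The impostor case is the one that matters for this scam: the attacker can sign all they like, but the CFO's directory only trusts the key the company enrolled for the CEO, so a forged "from" line buys them nothing. The flip side is the caveat from the paragraph above: whoever holds the enrolled private key is the CEO as far as this check is concerned.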

Finally, limiting what outsiders can learn about your executives is a good third step - the fewer people who know about things like overseas trips, the fewer who can be exploited by criminals looking for a nice convenient heist. If at all practical, take steps to keep the email addresses of important contacts in the company off public pages, and take special care to restrict visibility of calendars, travel announcements and out-of-office auto-replies - these scams only work when the criminals know that the CEO is out of reach and the CFO is available.

Ultimately, businesses are responsible for operating in an environment where people are actively trying to defraud them of their assets. Their processes need to be structured accordingly, and they need to consult with their information security advisors to maintain security of their assets.