Experts say executives need to be especially cautious
Since October 2014, hackers have been running two scams simultaneously.
First, they’ll hack into a company’s computer system and hold some computers hostage with ransomware. Then, while IT tries to ascertain how to fix that problem, the hackers will hijack an executive’s e-mail account and send an e-mail to an employee with access to the company’s finances to wire money for a seemingly valid business reason.
The FBI reports that companies worldwide have lost more than $215 million to this scheme.
On Jan. 22, 2015, the FBI’s Internet Crime Complaint Center (IC3) issued a warning about the fraud, which it calls the Business E-mail Compromise (BEC).
“Some victims reported being a victim of various scareware or ransomware cyber intrusions, immediately preceding a BEC scam request,” according to the alert issued by IC3, which is a partnership between the FBI and the National White Collar Crime Center.
It’s “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments,” according to the warning.
How the Dual Scam Works
“This is relatively new,” said Stu Sjouwerman, founder and CEO of KnowBe4 LLC, which provides web-based security awareness training. He told SHRM Online in a telephone interview that “the FBI updated its existing alert because this is a spin-off of an existing one. … But this flavor [with the ransomware being sent first] is pretty new and the attacks have become more sophisticated over time.”
According to the IC3 alert, “victims may also first receive ‘phishing’ e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc.).”
During a ransomware attack, a ransom note appears on an employee’s computer screen informing the employee that his or her files have been locked. In order to retrieve the locked files, the employee must pay a fee, usually a few hundred dollars; the fee amount can double over the course of days or weeks. With this new dual scam, while the company’s IT team assesses how to unlock the files or debates whether to pay the ransom, another employee who usually handles money is sent a “spoofed” e-mail from what looks like a reputable source—usually a top executive—requesting money be wired for a business purpose.
The fraudulent wire transfer payments are sent to foreign banks and may be transferred several times before being quickly dispersed, according to the FBI alert. The payments usually wind up in a bank account in Asia, where the thieves withdraw the funds.
“You’ll never get that money back,” Sjouwerman said.
The IC3 said it has received complaints from victims in every state in the U.S. and from 45 countries. In all, nearly 2,000 victims have fallen for some variation of the scam, in which both corporate e-mail and personal web-based e-mail accounts have been targeted.
Companies have lost nearly $180 million in the United States; foreign victims have lost more than $35 million.
“The FBI assesses with high confidence the number of victims and the total dollar loss will continue to increase,” the alert stated.
What HR Can Do About Phishing Attacks
“Alert your executives,” Sjouwerman said. “These scams are getting more sophisticated by the month, so be on the lookout.”
The FBI’s IC3 suggests that businesses:
The FBI also suggests organizations use protocols such as a two-step verification process for wire transfers.
“What I would strongly recommend is … make sure that you and your bank have very clear agreements that for any wire transfer over a few hundred dollars, there needs to be a phone verification,” Sjouwerman said. “You have to initiate the communication.”
The FBI added that organizations should arrange this second-factor authentication “early in the relationship and outside the e-mail environment to avoid interception by a hacker.”
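As an added illustration (not from the article, the FBI alert or KnowBe4), the Python below models the controls described above as a pre-transfer review: the requester’s address must match the registered executive, and a request over the threshold needs a phone verification that the company initiated to a number agreed in advance, never a number supplied in the e-mail. The executive directory, the 500-dollar threshold and all addresses and numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed directory of executives and their pre-registered contact details.
# Following the FBI's advice, these are agreed early and outside e-mail, so a
# phone number supplied inside a wire request is never used for verification.
EXEC_DIRECTORY = {
    "cfo@example.com": {"name": "Dana Lee", "phone": "+1-555-0100"},
}
VERIFY_THRESHOLD_USD = 500  # "a few hundred dollars"; assumed figure

@dataclass
class WireRequest:
    display_name: str          # name shown in the e-mail client
    from_address: str          # actual sending address
    reply_to: str              # where replies go
    amount_usd: float
    callback_phone: Optional[str] = None  # number the e-mail asks staff to call

@dataclass
class Verification:
    initiated_by_us: bool      # our staff placed the call, not the requester
    number_dialed: str
    confirmed: bool

def review_wire_request(req: WireRequest, ver: Optional[Verification]) -> List[str]:
    """Return reasons to hold the transfer; an empty list means it may proceed."""
    reasons = []
    by_name = {v["name"]: addr for addr, v in EXEC_DIRECTORY.items()}
    expected_addr = by_name.get(req.display_name)
    # Display-name impersonation: familiar name, unfamiliar address or reply path.
    if expected_addr is None:
        reasons.append("requester is not a registered approver")
    elif req.from_address.lower() != expected_addr:
        reasons.append("sender address does not match registered executive")
    if req.reply_to.lower() != req.from_address.lower():
        reasons.append("reply-to differs from sender")
    if req.amount_usd > VERIFY_THRESHOLD_USD:
        if ver is None or not ver.confirmed:
            reasons.append("over threshold: no confirmed phone verification")
        else:
            if not ver.initiated_by_us:
                reasons.append("verification call was not initiated by us")
            registered = EXEC_DIRECTORY.get(expected_addr or "", {}).get("phone")
            if ver.number_dialed != registered:
                reasons.append("verification used a number not in the directory")
            if req.callback_phone and ver.number_dialed == req.callback_phone:
                reasons.append("verification used a number supplied by the request")
    return reasons
```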
Companies can also instruct employees to:
Getting executives to take the threat seriously is becoming easier, Sjouwerman said, since 2014 will be forever known as “the year of the breach.”
According to the research group Ponemon Institute, 43 percent of survey respondents in 2014 said their companies had experienced a data breach, compared to 33 percent the year before.
Yet, “only 29 percent of respondents say their company’s board of directors, chairman and CEO are informed and involved in plans to deal with a possible data breach,” according to Ponemon’s second annual study on data breach preparedness, Is Your Company Ready for a Big Data Breach?
If HR professionals are struggling to get their executives to take cybersecurity more seriously, Sjouwerman suggests using business cases as examples of what could go wrong.
“You have to tell those stories, real stories that illustrate that [executives] are the people with the biggest targets on their backs and this needs to become real to them,” he said.
Aliah D. Wright is an online editor/manager for SHRM.