Business Executive Compromise or Fraud

This is a follow-up to an email alert that went to our customers regarding executive fraud, as outlined in an article by Verne Harnish of Gazelles and Scaling Up. CEO and business executive compromise continues to rise. Verne wrote an update to that post with some key lessons learned from his experience. The full article is located here, but here are the highlights:

Coaches Provide Sense of Security (PLEASE READ) -- ...and I failed. Wow, first, hundreds of you emailed and shared similar stories - this problem is rampant. And we hosted a roundtable of CEOs at the Growth Summit to further discuss. So what are the lessons:
  1. I became cavalier/lax about security, thinking it couldn't happen to me. HUGE mistake - and something the hackers bank on - we're easy prey. Read Marc Goodman's bestseller Future Crimes if my experience didn't wake you up!  
  2. Assume ALL your email is being read - and with the "hole" announced yesterday in Microsoft Windows 10, giving hackers deep access (likely the source of my breach), I'm not sure you can keep email safe even using VPNs (strongly recommended, so I'm using more diligently when I travel).  
  3. I say MIGHT because we don't know. So I've taken the position of Google and I'm building all our financial and sensitive information protocols around one assumption - NO email is safe. I heard of many scams where invoices were intercepted and bank account info changed - so your payables department thinks it's paying a regular bill and wires the funds to the wrong account - ugh. One firm was defrauded $10 million this way.  
  4. So what do you do? It sucks, but ALL financial transactions are now reviewed by me via a PHONE call with TWO people. Then I have to take the time, via my CEO Portal, and use my dongle (key) to OK the transactions.  
  5. NO sensitive info is sent via email - account numbers, credit card numbers, etc. - I make a phone call.  
  6. ALL bank wire info included on invoices is verified by PHONE with the supplier we're paying before being entered into our CEO Portal for dual authentication approval. Once it's in the system, we then pay that vendor via that account - not what might be on a future invoice. And if they send a change of bank info, it's verified via a PHONE call to the vendor (verifying the phone number online).  
  7. Sadly - 90% of theft is an internal job! So build your protocols with this in mind as well. TWO people have to verify everything.
BTW, this is another use of the daily huddle - to verbally verify information. The short of it - you can't trust email, no matter what you do.
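The controls in lessons 4 through 7 (pay only the bank account verified on file, never the one printed on the invoice; accept a bank-detail change only after a callback to an independently sourced number; require two distinct approvers) can be enforced in a payables workflow. The following is an added illustration written for this post, not code from Verne's or any portal vendor's system; the vendor, account and phone values are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Vendor:
    name: str
    bank_account: str      # account verified by phone when it was first entered
    phone_on_record: str   # looked up independently, never taken from an email

@dataclass
class Invoice:
    vendor: str
    amount: float
    bank_account: str      # whatever the (possibly tampered) invoice says

@dataclass
class WireRequest:
    invoice: Invoice
    approvers: set = field(default_factory=set)   # distinct people who OK'd it

def approve_wire(req, vendors, min_approvers=2):
    """Return (ok, reason). Funds go only to the vendor's on-file account,
    and only after the required number of distinct approvers."""
    v = vendors.get(req.invoice.vendor)
    if v is None:
        return False, "unknown vendor"
    if req.invoice.bank_account != v.bank_account:
        # Invoice details differ from the verified record: do not pay, and
        # do not "correct" the record from the invoice either.
        return False, "invoice bank details differ from verified record"
    if len(req.approvers) < min_approvers:
        return False, f"needs {min_approvers} distinct approvers"
    return True, f"wire {req.invoice.amount} to {v.bank_account}"

def update_bank_details(vendor, new_account, phone_used, verified_by):
    """Accept a bank-detail change only after a callback to the number on
    record (not a number supplied in the change request), confirmed by two
    distinct people."""
    if phone_used != vendor.phone_on_record:
        return False, "callback must use the phone number on record"
    if len(set(verified_by)) < 2:
        return False, "two people must verify the change"
    vendor.bank_account = new_account
    return True, "bank details updated"
```

The point of the `update_bank_details` check is that the phone number comes from the vendor record, so an attacker who alters both the account and the "call us at" number on an invoice still cannot pass verification.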
November 4th, 2016 | Categories: Social Engineering, Security, Gazelles, BEC