The 'bogus boss' email scam costing firms millions

The company got this money back after the bank in question was found to be at fault by the French courts. However, the bank is appealing against the decision.
“It’s like when your house or apartment gets broken into,” says Ms Gratzmuller. “You feel vulnerable. People get into your life and they know things about you and you have no clue, and they take things from you.”

French connection

But the case of Etna Industrie is small fry compared to the scale of “fraude au président” across France as a whole.
French businesses have lost an estimated €465m since 2010, official figures suggest, with 15,000 firms falling victim to the scam, including big names, such as Michelin, KPMG and Nestlé.
The biggest fraud was for €32m, and a further €830m could have been stolen if more phishing attacks had proved successful, say French police.
Matthieu Bares, deputy head of the French police’s financial crime division, says there are one or two attacks on French companies every day, but that “plenty of victims don’t report the fraud”.
But why France in particular?
Gilbert Chikli, a French-Israeli man, may have a lot to do with it. He defrauded more than 30 banks and companies out of €7.9m during 2005 and 2006, pretending to be, variously, company heads and secret service agents.
Chikli fled to Israel in 2009 and in his absence was sentenced to seven years in prison last year.
With no extradition agreement between Israel and France, Chikli remains living in Tel Aviv, and a film based on his life is being made – starring French president François Hollande’s girlfriend, Julie Gayet.
It is still predominantly French-Israeli gangs running the fraud, police say, and their ability to impersonate French bosses has seen France bearing the brunt of the onslaught in Europe.

Global spread

But CEO fraud is not just a French problem.
In the US, the FBI’s Internet Crime Complaint Center (IC3) has been tracking “business email compromise” scams, as it calls them, and reckons about 7,000 companies have been defrauded of more than $740m (£508m; €682m) over the last two years.
The real figure is likely to be much higher though, given how reluctant many companies are to admit being defrauded in this way.
“We think more than $2bn has been lost to business email scams over the last two years,” says Aaron Higbee, co-founder and chief technology officer of PhishMe, a US security company specialising in educating staff about phishing attacks.
One US company, Ubiquiti Networks, a wireless network equipment manufacturer, admitted to wiring $39.1m to fraudsters after falling victim to this type of scam repeatedly last year.
“Fraudsters are increasing the intensity of attacks,” says Amichai Shulman, chief technology officer at data security company, Imperva. “So it only takes a tiny percentage to get through to be effective. There are not enough policing resources in cyberspace to monitor them all.”

Social engineering

But why is CEO fraud proving so effective?
Mr Higbee suggests it is because this type of email can more easily bypass spam filters and antivirus security systems.
“It doesn’t need attachments carrying malware, it’s just a conversation,” he says. “It’s very low-tech and a big departure from the large, automated malware attacks we’re used to.”
Fraudsters use publicly available corporate data gleaned from the internet to make the emails as convincing as possible, finding out who the bosses and senior financial officers are from social networks like LinkedIn, for example.
Staff are less likely to question instructions purporting to come from on high, and it’s this psychological manipulation – often accompanied by a sense of urgency – that is a major factor in the fraud’s success.
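Because these messages carry no malicious attachment, the only signals a mail gateway has are the impersonation cues themselves: an executive’s display name on an address the company does not control, a Reply-To that quietly diverts the conversation elsewhere, and the urgency-plus-payment language the fraud relies on. The following is an added example, not code from the article or from any of the companies quoted in it; the company domain, executive names and the two sample messages are constructed for illustration, and the keyword lists are deliberately short.

```python
"""Minimal header-and-body check for CEO-fraud style emails.

Added example, not part of the original article. Everything below
(domain, names, sample mail) is constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: the company's own mail domain and the people
# most often impersonated, the kind of detail fraudsters harvest from sites
# such as LinkedIn.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe", "John Roe"}

# Short, illustrative phrase lists; a production filter would use far more.
URGENCY_WORDS = ("urgent", "immediately", "asap", "confidential", "today")
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "bank details", "iban")


def domain_of(address: str) -> str:
    """Return the lower-cased domain of an address, or '' if it has no '@'."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the CEO-fraud indicators found in one RFC 822 message.

    An empty list means no check fired; it is evidence, not a verdict,
    so callers should score the result rather than trust a clean message.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    indicators = []

    # 1. An executive's name on an address outside the company's domain.
    if display_name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        indicators.append(f"executive display name on external domain {from_domain}")

    # 2. Company name reused in a different domain (other TLD, extra words).
    #    A typo-squat such as 'exarnple-corp' needs an edit-distance check,
    #    which is omitted here.
    company_label = COMPANY_DOMAIN.split(".")[0]
    if from_domain != COMPANY_DOMAIN and company_label in from_domain:
        indicators.append(f"lookalike sender domain {from_domain}")

    # 3. Replies diverted to a third domain the victim never sees in 'From'.
    if reply_to_addr and domain_of(reply_to_addr) != from_domain:
        indicators.append(f"reply-to domain {domain_of(reply_to_addr)} differs from sender")

    # 4. The social-engineering payload: urgency combined with a money request.
    if msg.is_multipart():
        body = "\n".join(
            part.get_payload(decode=True).decode(errors="replace")
            for part in msg.walk()
            if part.get_content_type() == "text/plain"
        )
    else:
        body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        indicators.append("urgent payment request in subject or body")

    return indicators


def is_suspicious(raw_message: str, threshold: int = 2) -> bool:
    """True when at least `threshold` independent indicators fire."""
    return len(bec_indicators(raw_message)) >= threshold


# Constructed sample messages (not real mail).
FRAUD_MAIL = """\
From: Jane Doe <jane.doe@example-corp-mail.com>
Reply-To: jane.doe@secure-mailbox.net
To: accounts@example-corp.com
Subject: Urgent and confidential
Content-Type: text/plain

I am in a meeting and cannot take calls. Please wire the payment for the
attached invoice today; the bank details are below. Keep this between us.
"""

LEGIT_MAIL = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 planning
Content-Type: text/plain

Could you send me the Q3 headcount figures when you have a moment?
"""

if __name__ == "__main__":
    for label, mail in (("fraud", FRAUD_MAIL), ("legit", LEGIT_MAIL)):
        print(label, is_suspicious(mail), bec_indicators(mail))
```

The check is deliberately header-driven: none of it inspects an attachment, which is exactly why attachment-based antivirus and spam scoring let these messages through. Treating the indicators as a score rather than a single rule matters because each one alone (an executive mailing from a personal address, say) has legitimate explanations; it is the combination that mirrors the fraud described above.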
“It will spread because it’s too good to be ignored,” warns Jerome Robert from French cybersecurity company, Lexsi. “[Criminals] can make so much money in a very small amount of time, with minimal risk.”
Businesses should be on their guard.