Cyrus Vance, Jr.: Collaboration Needed to Stop Cybercrime

  • By Andrew Deichler
  • Published: 11/23/2015
If an onsite survey conducted at the 2015 AFP Annual Conference is any indication, cybersecurity is a top concern for all treasury and finance professionals—if not the top concern. So it’s no surprise that the keynote speaker for the CTC Executive Institute at the conference was none other than Cyrus Vance, Jr., District Attorney for New York County and one of the top authorities in the fight against cybercrime and fraud.

Vance began with a look at business email compromise (BEC) scams, which have become the top fraud threat to treasury and finance professionals and are the subject of the next Treasury in Practice Guide, to be released in December. In a typical BEC scam, a company employee will receive a transfer request via email from what appears to be a high-level executive or a supplier. However, the request is actually coming from a hacked email account, or an account that has been “spoofed” to appear legitimate.

Vance provided an example of a recent case involving a CFO of a large multinational who received an email from his Italy-based CEO that the company was going to acquire a smaller company abroad. The acquisition would require a one-time wire transfer from the multinational’s U.S. accounts. Moments later, the CFO got an email from someone who claimed to be an attorney in Italy who directed him to wire $600,000 to a specific bank account. None of this seemed out of the ordinary, so the CFO sent the money.

Shortly after wiring the money, the CFO suspected that something was amiss. Investigating the initial email, he found that the CEO’s email address was off by one character. He also examined the email from the lawyer, which linked to a website for a law firm—a law firm that didn’t exist.
 
The CFO attempted to recover the money, but found it was wired to a Chinese bank account, where it was then automatically transferred to a number of other accounts. This is why it’s so difficult for BEC scam victims to retrieve their funds. “As we know, when those moneys are moved to that first account, it is just the first stage for those monies to enter into dozens of accounts around the world,” Vance said.

Ultimately, the company lost about $600,000 in the scam. Vance noted that email scams like these work because the amounts are large enough to make them worthwhile but small enough that they do not attract the highest level of scrutiny.

Vance emphasized that treasury and financial professionals like the ones who attended the Executive Institute are exactly the people law enforcement needs to be talking to and needs to educate. “This is no longer just the responsibility of your IT department,” he said. “You personally are the targets of these email scams. And my hope is that by your attending this executive management session, you will be better prepared to recognize this kind of activity going forward. I also hope you’ll be better prepared to prevent it. That might mean requiring two-step verification for important emails between managers and businesses. It might mean requiring two executives to sign off simultaneously on wire transfers, kind of like launching a missile from a submarine with two keys. It could mean requiring, perish the thought, phone calls.”

The importance of collaboration

Vance noted that despite a steady stream of warnings by law enforcement agencies and endless news coverage, recent studies have found that almost one in four company employees will open a phishing email. That’s actually higher than it was just one year ago. Phishing emails are a key cog in the BEC scam cycle—typically a criminal will send a phishing email to a company employee and gain access to his or her email account. For a lengthy period of time, the fraudster will monitor that employee’s email until they determine who initiates wires and who requests them.

Therefore, Vance encourages more collaboration between the public and private sectors on cybersecurity, and not just on a national level. He urged an “international, cross-sector cooperation that has not yet been achieved.” That’s why the Manhattan District Attorney’s Office, the City of London Police Commissioner and the Center for Internet Security (CIS) announced the Global Cyber Alliance (GCA) in September. “We launched the GCA with a very strong list of partners who participate—major banks, major institutions, businesses and governments,” he said. “Our role at GCA is to be at the forefront of sharing and disseminating the intelligence and expertise needed to defeat cybercrime in real time.”  

Vance encouraged attendees to join the GCA. He recognized that most companies are not typically enthusiastic about sharing information on a data breach, and stressed that the GCA would protect companies’ anonymity whenever possible. When an organization shares information about a new cyberthreat, other vulnerable institutions and perhaps even whole industries might be spared. “That's exactly what the Global Cyber Alliance is trying to address and where we think we can make a difference,” he said.


Copyright © 2018 Association for Financial Professionals, Inc.
All rights reserved.