A new development has occurred in the FACC cyber “fake-president fraud” case.
The Chinese-owned plane parts maker, which lost roughly $61 million in a funds transfer fraud scam, is suing its former CEO (Walter Stephan) and CFO (Minfen Gu) for $11 million in damages, stating that they failed in their obligation to implement adequate controls to prevent the loss.
While FACC officials said the company was targeted by outside attackers, “fake-president fraud” is not an uncommon scam, even for smaller firms.
"'Fake-president fraud,' recognized by the FBI as a type of business e-mail compromise (BEC), is a particularly pernicious scheme that utilizes fraudulent e-mail to impersonate the company president or C-suite executive and entice unwitting officials to wire or otherwise transfer funds to bank accounts belonging to criminals."1
How to avoid becoming a victim of the "fake-president fraud"
There are numerous controls that may be put in place to prevent a scam like this from occurring. As with most cyber-related risks, combining operational and IT controls with proper insurance coverage is a sound strategy. The June 14, 2016 FBI PSA noted a slew of ways to mitigate the exposure related to business email compromise risk. I’ve highlighted a few here for convenience:
- Provide staff with knowledge on how to identify scams and what to do when they encounter one.
- Avoid free web-based e-mail accounts (AOL, Gmail, Outlook, etc.): establish a company domain name and use it instead of a free account.
- Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchical information, and out-of-office details.
- Consider additional IT and financial security procedures, including the implementation of a 2-step verification process such as verbal authorization, digital signatures, etc.
- Consider implementing Two Factor Authentication (TFA) for corporate e-mail accounts. TFA mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to login: something you know (a password) and something you have (such as a dynamic PIN or code).
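As an added illustration (not code from the original post or from the FBI PSA), the following Python script turns the sender-related advice above into a simple mail filter: it flags a message when an executive's display name arrives from outside the company domain, from a free webmail provider, from a look-alike domain, or with a redirected Reply-To, and only when the message asks for a payment. The company domain, the executive names and the two sample messages are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example (not FACC's real data): the company's
# mail domain and the executives whose names a fake-president e-mail would borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john roe"}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "aol.com", "yahoo.com", "hotmail.com"}
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|bank account|invoice)\b", re.I)

def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw):
    """Inspect one raw RFC 822 message; return the fake-president indicators found."""
    msg = message_from_string(raw)
    name, _ = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    reasons = []
    # An executive's display name on a message that did not come from the company domain.
    if name.strip().lower() in EXECUTIVE_NAMES and from_dom != COMPANY_DOMAIN:
        reasons.append("executive display name on external sender")
    # Free webmail senders (the FBI advice above) and look-alike company domains.
    if from_dom in FREE_WEBMAIL:
        reasons.append("free webmail sender")
    elif from_dom != COMPANY_DOMAIN and SequenceMatcher(None, from_dom, COMPANY_DOMAIN).ratio() > 0.8:
        reasons.append("look-alike domain: " + from_dom)
    # Replies silently redirected to a domain other than the visible sender's.
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply-to domain differs from sender")
    # Identity anomalies count as fake-president fraud only when money is requested.
    if reasons and not PAYMENT_WORDS.search(msg.get("Subject", "") + " " + body):
        return []
    return reasons

# Constructed sample messages: one impersonation attempt, one genuine internal mail.
SUSPICIOUS = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <jd@examp1e.com>
To: controller@example.com
Subject: Urgent wire transfer - confidential

I am in a meeting and need you to process a wire transfer today. Bank details to follow.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Board deck

Attached is the deck for Thursday.
"""
```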
Despite implementing strong mitigation strategies, an incident resulting in a loss may still occur. It's important to note that social engineering fraud such as Business Email Compromise is not likely covered by your Cyber Liability policy. This coverage is often an add-on through a specific Funds Transfer or Social Engineering endorsement to your Crime policy.
It is critical that you and/or your board understand the various cyber risks the company faces and ensure that the organization is protected by the appropriate insurance coverage.
FACC’s case is relatively unusual with respect to the lawsuit against the CEO and CFO, but we are starting to see companies place more responsibility on those in charge of their IT and financial defenses. It will be interesting to see how this one plays out.
About the ALS Group
At The ALS Group, we work with a variety of different types of businesses to make sure they have appropriate cyber liability insurance coverage. If you have questions about managing your organization's Cyber Risk, or you would like more information, please contact us.