Whether you call it social engineering or phishing, the perpetrators of cyberscams are becoming increasingly sophisticated. Targeted attacks against the financial sector produce lucrative cash payloads for the criminals, and huge costs by way of regulatory fines and reputational damage to the victims. So, what does the chief financial officer (CFO) really need to know to mitigate the risk?
Hold on a minute, what has this got to do with the CFO anyway? Isn’t security the remit of the chief information security officer (CISO) or chief technology officer (CTO) instead? Yes, but the role of the CFO is more complex than ever, with financial oversight stretching beyond the alpha accountant stereotype and demanding a tech-savvy and security-aware incumbent. The dangers of ignoring this are regularly writ large across the cybersecurity threatscape.
Edward Whittingham, managing director at the Business Fraud Prevention Partnership, who provides GCHQ-certified security awareness training, recounts the story of a financial-sector client. “The fraudster impersonated an employee from the organisation’s bank claiming there were a number of fraudulent transactions taking place,” Mr Whittingham explains. “Despite being initially hesitant, the CFO then provided the fraudster with a variety of security information with the intention of stopping the alleged fraudulent transactions from taking place.” The cost to the organisation ended up being more than £50,000 fraudulently withdrawn from the bank.
This kind of scam is known as whaling, a targeted spear-phishing variant in which the well-researched victim is a member of the C-suite. It’s a tale that resonates with John Donaldson, CFO of payments compliance and data security specialists Semafone. “I have been targeted by whaling attacks after it became common industry knowledge that I had joined Semafone as CFO,” Mr Donaldson admits. He recalls various attempts to initiate money transfers that appeared to come from the chief executive, using spoofed email addresses. Social engineers are, as the name suggests, very adept at convincing people to ignore their doubts.
Take Tom Roberts, who is a “social engineer”. As a senior consultant at Pen Test Partners, he is what’s known as a white hat, tasked with uncovering human fallibilities within a business as part of a security-testing brief. He has hands-on knowledge of just where the softer internal processes sit within an organisation, and says the main financial risks fall into three categories: old school, process weakness and new frontiers.
Old school refers to the fact that some in the finance sector are notorious hoarders of paperwork to meet regulatory requirements or simply because full digital transformation is still a work in progress. “Documents are often left in open storage for ease of access, making them easy targets for snoops,” Mr Roberts warns.
Then there’s process weakness, which is where the attacker has either learnt the processes of an organisation, or intuitively made successful inferences, and attempts to inject bogus documents into the flow. “These attacks get the victim to do the work for the attacker and follow all the normal process flows with small, barely noticeable, changes that result in payments being made to the wrong account,” he says.
New frontiers include synthetic identity fraud where organised gangs sell grown identities of fake individuals who have created a credit history over several years of small purchases and prompt payment. These enable the attacker to make one big hit and vanish, and as the person never actually existed it becomes even harder to trace them.
So how can the CFO mitigate the risk of falling victim to these cyberscammers?
Ning Wang, CFO at the hacker-powered security platform HackerOne, advises developing a good process with an appropriate level of internal control. “Set up dual control for payment processing, without any exception,” she says. “This means it takes one person to set up the payment and another to approve it.” Most importantly, never allow any exceptions to a process with proven good internal controls.
Jim Gee, head of forensics and counter fraud at Crowe Clark Whitehill, was the founding chief executive of the NHS Counter-Fraud Service and has advised ministers, parliamentary select committees and the attorney general, among others. He says the CFO and others in the C-suite should never post details online of when they will be out of the office, which could help sophisticated scammers to launch an attack. Mr Gee also advises the CFO “buys up domain names similar to the organisation’s so they cannot be used to create similar email addresses to those used by senior managers and directors”.
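Buying up similar domain names closes some of the gap, but a finance team cannot register every variant, so a complementary defensive check is to flag inbound mail whose sender domain merely resembles the organisation’s own. The routine below is an added example, not code from the article or from any of the firms quoted in it; the organisation domain `acme-finance.co.uk`, the sample addresses and the function names are all constructed for illustration, and the public-suffix handling is deliberately simplified rather than using a full public-suffix list. It goes slightly beyond the article’s advice by covering the three lookalike patterns defenders most often see: a different top-level domain, a small spelling change, and the organisation name buried inside a longer domain.

```python
"""Flag inbound sender domains that resemble the organisation's own domain.

Added example for illustration only. The organisation domain, the sender
addresses and the helper names below are constructed, not taken from any
real organisation.
"""
from __future__ import annotations

ORG_DOMAIN = "acme-finance.co.uk"  # constructed, hypothetical organisation

# Character swaps commonly used to build lookalike names; applied to both the
# organisation label and the sender label so comparison stays consistent.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m", "cl": "d"}

# Simplified stand-in for a public-suffix list: second-level labels that sit
# under a two-letter country code (co.uk, org.uk, com.au, ...).
SECOND_LEVEL = {"co", "org", "ac", "gov", "com", "net"}


def registrable_label(domain: str) -> str:
    """Return the label a person would read as the 'name' of the domain.

    'acme-finance.co.uk' -> 'acme-finance'; 'acme-finance.com' -> 'acme-finance'.
    """
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and len(parts[-1]) == 2:
        return parts[-3]
    if len(parts) >= 2:
        return parts[-2]
    return parts[0]


def normalise(label: str) -> str:
    """Collapse homoglyph substitutions and hyphens so 'acrne-finance' -> 'acmefinance'."""
    out = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        out = out.replace(glyph, plain)
    return out.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute), used for near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, org_domain: str = ORG_DOMAIN) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for one sender address."""
    if "@" not in address:
        return "invalid"
    domain = address.rsplit("@", 1)[1].lower()
    org = org_domain.lower()
    # Exact organisation domain or a subdomain of it: treat as internal
    if domain == org or domain.endswith("." + org):
        return "internal"
    org_label = normalise(registrable_label(org))
    sender_label = normalise(registrable_label(domain))
    # 1. Same name under a different TLD (acme-finance.com vs acme-finance.co.uk)
    if sender_label == org_label:
        return "lookalike"
    # 2. Near-miss spelling (acme-finnance, acme-financ, acrne-finance)
    if levenshtein(sender_label, org_label) <= 2:
        return "lookalike"
    # 3. Organisation name embedded in a longer domain (acme-finance.co.uk.mail-secure.example)
    if org_label in normalise(domain.replace(".", "")):
        return "lookalike"
    return "external"


def triage(addresses: list[str]) -> dict[str, str]:
    """Classify a batch of sender addresses, e.g. from a mail-gateway log export."""
    return {addr: classify_sender(addr) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample senders, not real addresses
    sample = [
        "cfo@acme-finance.co.uk",
        "ceo@acme-finance.com",
        "ceo@acrne-finance.co.uk",
        "ceo@acme-finnance.co.uk",
        "ceo@acme-finance.co.uk.secure-mail.example",
        "relationship.manager@bigbank.example",
    ]
    for addr, verdict in triage(sample).items():
        print(f"{verdict:10} {addr}")
```

In practice a finance team would feed the gateway’s sender log through `triage` and route every `lookalike` verdict to a second person before any payment instruction in that message is acted on, which keeps the check consistent with the dual-control advice above rather than relying on the recipient’s instinct.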
After hacking into a British Telecom computer system, Robert Schifreen was arrested back in 1985. His subsequent conviction on six counts of forgery was eventually overturned by the Court of Appeal and led to the introduction of the Computer Misuse Act in 1990. These days, he runs SecuritySmart, which provides IT security-awareness training. Mr Schifreen concludes: “One of the best contributions that a CFO can make is to lend his or her name to any training or awareness campaigns. Senior management buy-in is vital in getting staff to take security seriously.”