CEO Mail Fraud and the lack of a “second factor” in Financial Transactions

Belgian newspapers are reporting that CEO e-mail fraud is on the rise. It is a form of e-mail fraud that works roughly as follows.

First, the attacker analyses the company structure to find out who is responsible for its financial affairs. Then they try to hack the company’s mail system. Pretending to be the CEO, they ask the person responsible for finances to send a sum of money to a foreign bank account, citing various company-related reasons.

If recent news has proven anything, it’s that it isn’t even necessary to hack the mail system to pass as someone relatively important in the eyes of the company’s financial guardian. All it takes is someone who is persuasive and convincing enough – and an employee who is gullible enough to fall for the trap.

This highlights the danger of consolidating too much responsibility into one place. Ideally, the person who has the authority to sign off on the money transfer should get the approval of someone else. After all, in many companies the CEO is just another employee.

Approving these kinds of transactions through e-mail is insecure at best, anyway. That’s why more and more financial institutions are investing in technology that allows clients to better secure their accounts. The bank account our company uses requires two different signatures before a payment is made, for example. But that is due to the type of bank account we set up rather than to a technical measure.

Regardless, companies should have policies in place for the approval of unusual financial actions. Perhaps they should consider setting up their own internal “approval” system, protected with modern technologies such as two-factor authentication. Different sets of policies could be set up, e.g. payments to employees only have to be signed off by the Payroll department, whereas payments to foreign unknown accounts have to be signed off by at least three people.

While the software isn’t quite there yet, companies should look into developing practices like this. In an era where more and more “hackers” will attempt to steal both your money and data, it’s irresponsible to place too much responsibility for handling either of those in the hands of one person, without checks and balances.

I am not aware whether such a system exists, but this could be an add-on to existing ERP and accounting systems, where the person who has to “sign off” on the transaction gets an alert and a request to approve the transaction. Signed with a two-factor authentication method, of course.
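As an added illustration of the policy sketched above (payroll payments signed off by Payroll, unknown foreign accounts by at least three people, every approval backed by a second factor), here is a small approval checker. It is example code written for this post, not part of any existing ERP add-on; the department membership, the vetted account list and the payments are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample configuration (hypothetical names and account numbers).
HOME_COUNTRY = "BE"
KNOWN_ACCOUNTS = {"BE00 0000 0000 0001"}   # previously vetted beneficiaries
PAYROLL_DEPT = {"alice", "bob"}            # may sign off on payroll payments


@dataclass(frozen=True)
class Payment:
    payment_id: str
    requested_by: str          # who asked for the transfer, e.g. "ceo"
    beneficiary_account: str
    beneficiary_country: str
    amount: float
    category: str              # "payroll" or "other"


@dataclass(frozen=True)
class Approval:
    approver: str
    second_factor_verified: bool   # signed via 2FA, not a plain e-mail "OK"


def required_approvals(p: Payment) -> Tuple[int, Optional[Set[str]]]:
    """Return (distinct approvers required, allowed approver pool or None for anyone)."""
    if p.category == "payroll":
        return 1, PAYROLL_DEPT
    foreign = p.beneficiary_country != HOME_COUNTRY
    if foreign and p.beneficiary_account not in KNOWN_ACCOUNTS:
        return 3, None     # unknown foreign account: at least three sign-offs
    return 2, None         # default: four-eyes principle


def can_release(p: Payment, approvals: List[Approval]) -> Tuple[bool, str]:
    """Decide whether the payment may be released, and explain why."""
    needed, pool = required_approvals(p)
    valid: Set[str] = set()
    for a in approvals:
        if not a.second_factor_verified:
            continue                        # an unsigned approval carries no weight
        if a.approver == p.requested_by:
            continue                        # separation of duties: no self-approval
        if pool is not None and a.approver not in pool:
            continue                        # not in the department allowed to sign
        valid.add(a.approver)               # a set, so one person counts once
    ok = len(valid) >= needed
    state = "released" if ok else "held"
    return ok, f"{p.payment_id} {state}: {len(valid)} valid approval(s), {needed} required"
```

The requester is never counted as an approver, so a request that genuinely comes from the CEO still needs independent sign-off, which is exactly the check a spoofed request fails.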