Imagine that you are in charge of the administration in a large company. One day, while working your spreadsheets on the computer, the phone rings ... And this time it is not a routine call. Someone, on the other side of the line, identifies himself as a lawyer of a prestigious firm and announces that his company is about to embark on a very important confidential operation in which he will invest a considerable sum of money. The necessary documentation, they tell you, will arrive by email so that payments can be authorized as soon as possible. And indeed, as soon as you hang up, listen to the ping in your inbox.
How would you react?
The mafias that control the internet crime business bet because you will continue with the operation. Because yes, it is a manual scam . The same that suffered the EMT of Valencia last September and has left a hole of more than four million in their accounts.
It is the so-called CEO fraud , which has already become one of the most common cyber scams. In fact, the American FBI estimates that this practice, detected in at least 177 countries , reported criminals around 24,000 million euros between 2016 and 2019.
"We have two or three cases of this type of fraud every week," explains José Luis Jiménez, cybersecurity engineer at the Valencian company Nunsys . “They are the most common attacks for six months and affect companies of all kinds . I have had firms in Albacete that have made transfers of 13,000 euros, in Seville of 100,000 and in Malaga, 40,000 ».
And they always start the same way, with almost identical documents. “ They impersonate a lawyer from a large firm, copying their direct boss, whose address they have also falsified, and put pressure on who has the power to issue transfers,” says Jiménez.
Criminals do not have to work hard to find the information they need. " Social networks make it easier, " says Bosco Espinosa de los Monteros, presale director of the cybersecurity firm Kaspersky . «They can investigate the employees of a company without committing any crime. On Facebook you have your personal information and on LinkedIn, the professional: who are your partners, what project are you in, which department ... If you are not careful, they can even find your corporate email address ».
All this, adds Espinosa de los Monteros, could do it «any 14 year old child. It is not necessary to be a hacker ».
Once the ground is prepared, the attack begins. At the outset, they can steal the credentials of an account with privileges within the company, that of the same CEO or another manager. "This is how they see how they operate with their subordinates and also with the bank," says Jiménez. “They find out what procedures they use , and if there is a transfer request to be made with two joint signatures, they do. As they have entered the account and monitored their way of working, they can obtain the signatures they need from other transfers. With this, they falsify the PDF that goes to the bank ”, explains the Nunsys engineer. The accounts to which the stolen money will stop are usually in Hong Kong entities.
The other most common attack method uses social engineering. "They deceive the employee by presenting himself as a lawyer for Deloitte or another important firm and saying that it is something strictly confidential." Jiménez says. "They even send an email supplanting the identity of their superior within the company, ordering him to take care of that lawyer without delay."
Companies usually already have all kinds of technical measures to protect themselves, such as firewalls or antivirus. But preventing such fraud, Jiménez warns, requires "awareness" because, in the end, " people are the problem ."
It is necessary, in his opinion, "to establish double verification procedures, by telephone or by email, depending on the company and the volume of the transfers, so that there is a person who authorizes them."
Money, as can be assumed, is "unrecoverable" in most cases. “In companies that we have seen, international transfers have been made and it is very difficult to roll them back,” says Jiménez.
And what about the employee who authorizes the fraudulent payment? For Espinosa de los Monteros « it is one more victim . The first thing the police do is investigate it and it is usually dismissed immediately. As a company, you cannot afford that kind of holes ».
With information from Héctor Atienza
According to the criteria of The Trust Project
Know more- Valencian Community
- Valencia
CiudadValencia contemplates new increases in the rate of the terraces in the coming years
TemporalDana and 'Medicane' risk: Red alert in Alicante and Valencia due to torrential rains this morning
Courts Ask for jail for parents of 4-year-old girl who ingested cocaine