Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Executive Spoofing Hits Close to Home
Sitting around a table outdoors, physical distancing with my family, the conversation turns to executive spoofing scams at work.
- Millennial works at a factory automation start- up: "Yeah, right. The CEO is sending me an email [snicker]."
- Millennial working in government contracting: "I get them all the time, sometimes from the CFO."
- Boomer works in software industry: "We got a warning just the other day that one is floating around. Don't send money."
We are talking about three businesses with employees numbered in the low hundreds. All privately held. Small fry, really. Every one of my family considers executive spoofing via phishing to be an everyday, ho-hum event.
Everyday, yes. Ho-hum, not so much. The FBI reports that 114,702 victims of phishing and its cousins vishing, pharming, and smishing lost almost $60 billion in 2019. Phishing is executed via email; vishing, via phone call or voicemail; pharming, via bogus websites; and smishing, via text message. Perpetrators request personal information or money. In addition, business email compromise (BEC), the foundational criminal act for executive spoofing of the sort my family members describe, resulted in more than $1.7 billion in losses related to 24,000 incidents in 2019, reports the FBI. The Association for Financial Professionals (AFP), in a survey of Treasury and finance professionals, found that BEC was the source of six in 10 fraud attempts in 2020.
A number of vendors offer products that use machine learning to fight these forms of fraud. Machine learning holds promise for automatically detecting these attacks. Nevertheless, as with much automation, the human being is the important last line of defense. A few days after that family meal, I see a scam alert. The gist: never, never, never will the Atlanta Fed president text me with a request to purchase $500 in gift cards.
The late Intel CEO Andy Grove said it perfectly: "Success breeds complacency. Complacency breeds failure. Only the paranoid survive." So please don't be ho-hum or complacent about these attacks and warn your family members and others.