Slightly more than two weeks ago, when Vincent* came to work on a Sunday, it was business as usual – until he checked his email.
Vincent, who heads the finance department in a Dubai-based office, found in his inbox an email from his CEO, John Oliver*, asking him to process a payment of AED300,000.
Just to be sure, Vincent called his CEO and asked him what the payment was about. To his surprise, Mr Oliver replied that he had sent no such email and did not require Vincent to process any payment.
Traditional communication and a bit of fact-checking revealed that Mr Oliver’s email account had been hacked.
This, sadly, is not an isolated incident. Hackers have been getting smarter by the day and continuously come up with innovative ways to dupe individuals and organizations.
In this instance, the online scam artist had hijacked the chief executive’s email and asked for funds to be transferred, terming the transaction an “outstanding payment” to a bank account in the Jebel Ali, Dubai branch of a multinational bank.
However, Vincent nipped the fraudster’s plans in the bud; tables were turned as the company’s senior management interacted with the hacker, pretending that nothing was wrong.
Giving an impression that the CEO was traveling, Vincent replied: “Sir, is this a payment for X project? And when are you coming back to the UAE?”
The hacker mailed back almost immediately: “It’s an outstanding payment. I am very busy right now. I will share all the relevant papers on my return to the country.”
During the past week, the fake CEO continued to send emails asking for the payment. Finally, after playing along for a few days, the management notified the bank in the UAE mentioned in the email and officials began investigating the fraudster’s account details.
When TRENDS spoke to industry insiders, they noted that things like this have been happening in the region and even around the world. Generally, when an email comes from a C-suite manager, staff members act fast to address the issues raised and usually do not question the mail. Fraudsters are using this power play to extract money from companies by taking advantage of unsuspecting employees.
When contacted, the director of the Cybercrime division at Dubai Police, Lieutenant Colonel Saeed Al Hajri, said: “This is an international issue and is not limited to the UAE.”
Lt Col Al Hajri reveals that Dubai Police has received several complaints about conmen posing as members of the senior management of a company and asking for money. However, he adds that as these matters are under investigation, the details cannot be made public.
As companies make the shift toward cloud computing – and rightly so, given the numerous advantages of the move – there are risks involved, especially since more and more companies have shifted their email services to players such as Google’s Gmail.
The sales director at Credence Security, Garreth Scott, says the danger is that bigger companies are constantly under cyberattacks. There is an incentive for hackers to get past the security firewalls of IT firms such as Google, Microsoft and Apple, which may probably not be the case with lesser-known companies, he says.
Companies should do due diligence before availing the facilities of cloud servers, Scott warns, adding that one possible solution to the problem could be a regular changing of passwords.
Cybersecurity firm Norton by Symantec said in a recent research that more than two million people were affected by cybercrime in the UAE last year in incidents that resulted in losses worth AED5 billion.
Norton analyzed cybercrime across 17 markets including the UAE and pointed out that the amount lost to cybercriminals worldwide in 2014 stands at $150bn (AED550.5bn) – more than the combined GDPs of Bulgaria, Lebanon and Jordan.
Lt Col Al Hajri’s advice to businesses in the region is that companies can protect themselves against such breaches by enhancing their cybersecurity framework.
Meanwhile, raising awareness about cybercrime and web security through workshops will make people more vigilant about such threats, concludes Scott.
The multinational bank, whose account was used by the hacker in the case mentioned earlier, is under investigation.
*Names changed to protect individuals’ identities