December 1, 2020 by Jason Contant
About two years ago, Northbridge Financial Corporation’s chief financial officer Craig Pinnock received an email purportedly from Northbridge CEO Silvy Wright requesting help with a wire transfer.
“Silvy’s name’s there, Silvy’s signature, so I fire back quickly, ‘Sure, no problem. You have to tell me who you want it to go to and what it’s for,’” Pinnock recalled during an industry webinar last week. “I go back to working. I get another email probably three or four minutes later saying, ‘Craig, you said you’re able to send that wire transfer. Can we get that started?’”
Now a little annoyed, still thinking the email was coming from Wright, Pinnock repeated his request for more details. After getting a third email saying “I’d like to get that wire transfer sent,” Pinnock walked over to Silvy’s office beside his own.
“I said, ‘Silvy, if you need me to send a wire transfer, you’ve got to tell me who.’ In the middle of that, you see this blank face looking at me like, ‘What are you talking about?’”
Pinnock went back to his office and noticed when he hovered over the email address, it was not an internal email.
“I do believe our overall processes and protocols would never have let something bad happen, but in those first three exchanges, I was not thinking that this was somebody doing phishing,” Pinnock said Thursday during the Canadian Insurance Accountants Association’s CFO panel discussion, presented by PwC. “The first three exchanges, I’m thinking: It’s the CEO who’s asking me to do something, and I’m simply saying, ‘You’ve got to give me some information for something to get done.’”
Acknowledging that humans are the weak link, Northbridge ran internal sessions to remind employees not to provide information when they receive a wire transfer email. “If someone is asking for a change in payment instructions, you have to get a separate phone number, phone your contact, and have the dialogue,” Pinnock said. “Which feels like it’s a lot of work, but it is worth every moment of that lot of work.”
Northbridge also runs cyber assessments of every business partner with which it exchanges information.
“I still get [phishing] emails that get to me,” Pinnock said. “We have a phishing button on our [Microsoft] Outlook. You click it and it will go out to our cyber unit.”
The cyber unit then assesses the reported message to determine whether it is legitimate or whether it should be fed into the algorithm that blocks such messages in the future.
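The cue Pinnock describes (the CEO's name in the display name, an external address underneath) and the triage a cyber unit runs on a reported message can be expressed as a simple header check. The following is an added example written for this article, not Northbridge's tooling; the domains, addresses, executive list and both sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: executive display name over an external sender address,
# a mismatched Reply-To, and a payment request in the body.
SAMPLE_PHISH = """From: Silvy Wright <s.wright@example-mail.net>
Reply-To: silvy.ceo.office@example-webmail.org
To: Craig Pinnock <cpinnock@example.com>
Subject: Wire transfer

Craig, you said you're able to send that wire transfer. Can we get that started?
"""

# Constructed sample: the same display name from the company's own domain.
SAMPLE_LEGIT = """From: Silvy Wright <swright@example.com>
To: Craig Pinnock <cpinnock@example.com>
Subject: Board deck

Craig, can you send me the Q3 numbers?
"""

INTERNAL_DOMAINS = {"example.com"}      # assumption: the company's own domains
EXECUTIVES = {"silvy wright"}           # assumption: display names worth protecting
PAYMENT_TERMS = ("wire transfer", "payment instructions", "bank account")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Return the business-email-compromise indicators found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    external = _domain(addr) not in INTERNAL_DOMAINS
    findings = []
    # The hover-over cue: a trusted name shown over an address outside the company.
    if external and name.strip().lower() in EXECUTIVES:
        findings.append("executive display name on external address")
    # Replies silently routed to yet another mailbox.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(parseaddr(reply_to)[1]) != _domain(addr):
        findings.append("Reply-To domain differs from From domain")
    # A payment request from outside is the case the callback rule exists for.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if external and any(term in text for term in PAYMENT_TERMS):
        findings.append("payment request from external sender")
    return {"from": addr, "external": external, "findings": findings,
            "escalate": bool(findings)}
```

A hit on any indicator is a reason to escalate to the out-of-band phone verification described above, not proof of fraud on its own.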
Another panellist, Gareth Hill, vice president and CFO of Munich Re Canada, agreed that for phishing emails, the weakness in the system won’t be the computer. It will be the human somewhere in the chain.
“I’ve seen the stats from our IT department,” Hill said. “You’d be amazed how often people try to get access to your network. These criminals are incredibly intelligent and they are trying to find any weakness. I don’t think we’re at a level we’re happy with yet in terms of protecting from cyber risk.”
Hill shared the story of a lunchtime phone call he received from someone identifying themselves as Munich Re CEO Joachim Wenning. The caller told Hill, “There was a secret deal in Asia. It couldn’t be funded from the head office in Munich, and it had to be funded from my unit. So would it be possible for me to send tens of millions of dollars to a bank account?”
Hill wasn’t the CFO at the time, but he was with the then-CFO. His cyber training helped him to identify the scam.
“This person had an Italian accent, so it was pretty easy to tell it wasn’t Mr. Wenning,” Hill said. “I won’t forget it. It was an interesting call.”