CEO Fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives - Especially the Chief Executive Office (CEO) -to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or sending out confidential tax information. Before you read any further, get the CEO Fraud Prevention Manual for later.
The FBI calls this type of scam "Business Email Compromise" and defines BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
In the time period from January 2015 to June 2016, the FBI reported a 1300% rise in losses from this type of fraud, and in some cases significantly efffecting their market share. Most victims are in the US (all 50 states), but companies in 100 other countries have also reported incidents. While the fraudulent transfers have been sent to 79 countries, most end up in China and Hong Kong. Unless the fraud is spotted within 24 hours, the chances of recovery are small.
4 Attack Methods
Prevention from this fraud requires understanding its various attack vectors. This is how cybercriminals do it:
Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources—often with legitimate-looking logos attached. Banks, credit card providers, delivery firms, law enforcement, and the IRS are a few of the common ones. A phishing campaign typically shoots out emails to huge numbers of users. Most of them are to people who don’t use that bank, for example, but by sheer weight of numbers, these emails arrive at a certain percentage of likely candidates.
- Spear Phishing
This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users. The email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included – perhaps the person’s name, or the name of a client.
- Executive Whaling
Here, the bad guys target top executives and administrators, typically to siphon off money from accounts or steal confidential data. Personalization and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.
- Social Engineering
Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.
Can your email address be spoofed?
Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby. Find out today if your domain can be spoofed!
5 Scenarios of Common CEO Fraud Attacks
- Business working with a foreign supplier: This scam takes advantage of a long-standing wire-transfer relationship with a supplier, but asks for the funds to be sent to a different account.
- Business receiving or initiating a wire transfer request: By compromising and/or spoofing the email accounts of top executives, another employee receives a message to transfer funds somewhere, or a financial institution receives a request from the company to send funds to another account. These requests appear genuine as they come from the correct email address.
- Business contacts receiving fraudulent correspondence: By taking over an employee’s email account and sending invoices out to company suppliers, money is transferred to bogus accounts.
- Executive and attorney impersonation: The fraudsters pretend to be lawyers or executives dealing with confidential and time-sensitive matters.
- Data theft: Fraudulent emails request either all wage or tax statement (W-2) forms or a company list of personally identifiable information (PII). These come from compromised and/or spoofed executive email accounts and are sent to the HR department, accounts or auditing departments.
Who Are the Main Targets of CEO Fraud?
The CEO isn't always the one in a criminal’s crosshairs. There are four other groups of employees considered valuable targets given their roles and access to funds/information:
The finance department is especially vulnerable in companies that regularly engage in large wire transfers. All too often, sloppy internal policies only demand an email from the CEO or other senior person to initiate the transfer. Cybercriminals usually gain entry via phishing, spend a few months doing recon and formulate a plan. They mirror the usual wire transfer authorization protocols, hijack a relevant email account and send the request to the appropriate person in finance to transmit the funds. As well as the CFO, this might be anyone in accounts that is authorized to transfer funds.
Human Resources represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organization, manages the employee database and is in charge of recruitment. As such, a major function is to open résumés from thousands of potential applicants. All the cybercriminals need to do is include spyware inside a résumé and they can surreptitiously begin their early data gathering activities. In addition, W2 and PII scams have become more commonplace. HR receives requests from spoofed emails and ends up sending employee information such as social security numbers and employee email addresses to criminal organizations.
Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority. If their email accounts are hacked, it generally provides cybercriminals access to all kinds of confidential information, not to mention intelligence on the type of deals that may be ongoing. Thus executive accounts must receive particular attention from a security perspective.
The IT manager and IT personnel with authority over access controls, password management and email accounts are further high-value targets. If their credentials can be hacked, they gain entry to every part of the organization.
CEO fraud is responsible for over $3 billion in losses. Don’t be next victim. This manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.
When we come across any virus and malware defense, we merely regard it as a technical problem. In some organizations, the post of Chief Information Security Officers (CISO) does exist. However, any information security challenge is often thought of as a challenge below board of directors attention.
In recent years, many companies have been warned by FBI about the risk. Companies have to integrate cyber risk management as part of their daily business routine under the guidance of their CEO.
Also, companies must take appropriate measures to mitigate risk of breaches. Of course, blaming it on IT is not a valid excuse. After any data breach, the CEO (or executive responsible e.g Chief Operating Officer, or Managing Director) must restore normal operations and ensure protection of company’s assets and its reputation. Failure to do so will result in legal action.
Let’s phrase it like this: a cyber-breach can result in loss of a bid on a large contract as well as loss of revenue. This means that cyber security should be at the top of your priorities.