Today companies and their employees need to be very aware of potential online scam dangers. Cybercriminals have become very sophisticated not just regarding the technologies and software they are using, but also in being better able to impersonate legitimate entities and getting sensitive information from their victims.
One email scam where this is best shown is the CEO fraud, or BEC (Business Email Enterprise) fraud.
According to the FBI's Internet Crime Complaint Center (IC3) report, CEO fraud is responsible for $26 billion in reported losses between 2016 and 2019.
In 2019, the biggest number of IC3 complaints by state came from California (over 30,000), followed by Texas, New York and Florida (20,000 - 29,999). The total number of complaints the FBI received was 467,361, for over $3.5 billion.
According to the FBI, nearly half of those losses came from CEO fraud, or BEC, approximately $1.77 billion.
CEO fraud is an email scam in which a cybercriminal will impersonate someone in a high-ranking position within the company, such as the CEO and trick an employee, usually, someone in the HR or accounting department to transfer them money, typically via wire.
Of course, this is just the final touch, but in reality, the CEO fraud phishing is a lot more complicated than that.
Thus, this type of fraud requires a little bit more in-depth explanation as to how it works.
How Does CEO Fraud Work?
Companies from the United States are the most targeted by this type of fraud (37.4%), followed by Australia (23.6%), according to Statista.
The CEO fraud phishing essentially has four phases.
Finding the person to impersonate.
In the first phase, the cybercriminals conduct social engineering to find the best possible person in the company to try and impersonate.
Usually, they do this by closely monitoring any news the company posts on its website or social media. For instance, this may be a post by the CFO about his or her trip with the family to a remote location without access to a phone or computer.
Take a look here on how to securely email when working remotely.
Finding the employee to manipulate.
The next phase of the CEO fraud phishing attack is finding the right employee in the company to manipulate.
Again, this requires some more research from the criminals. "Ideally", this will be someone relatively new in the organization, who may not know everyone that well and has the authority to transfer money.
Manipulating the employee.
Once they've found the employee, the cybercriminal will proceed to try and manipulate them. They'll do this by contacting them via a spoof email address (so not the business or even the private email address the CEO would normally be using).
Usually, the email will:
- Have a brief introduction.
- Claim to be very urgent.
- Ask the employee to keep it confidential.
- And, will request either sensitive information, or a wire transfer from the employee.
Waiting for the employee's reaction
The whole idea of sending an urgent and highly confidential email (which " can't be explained to other superiors or colleagues") is to get the employee to perform the desired action (sending sensitive information or transferring money) without asking any questions and right away.
For example, an already very busy employee, who has three other things to do, might just do this without taking a second look at the email and keep on with the "more important tasks."
Or, a new employee could receive an email like it (not noticing the spoof email address) and figure out that this is the common practice in the company.
On top of that, an employee to whom the boss specifically says "do not share this with anyone" is often likely to do what the boss says, without question.
How to Prevent CEO Fraud?
Now that we explained what is CEO fraud and how it works, it's time to look at what companies and their employees (including the CEOs, of course) can do to protect against it.
So, how to prevent CEO fraud?
Companies looking to protect themselves against CEO fraud phishing should adopt a strong internal cyber-risk detection and prevention policy.
This policy should encompass all levels of the company from the CEO to the lowest employee, as well as all relevant departments, especially the HR, accounting and finance.
In this regard, employee training and education play an important role in recognizing malicious email scams like this one. Equally, important, however, is for the company to have an established procedure for similar requests that every employee should know from the beginning.
It's also a good idea to "test" the employees by sending them fake CEO fraud emails to see how they would act in the real situation. Think of these as "fire drills."
As for the employees, they should be trained to first confirm the details with the CEO, via phone or in person, or to do the same with another superior in case the CEO is not available. They should never act on the email without this confirmation, no matter how "urgent" or "confidential" it says it is.
Employees should also be educated not to open suspicious email attachments or click on links and to scrutinize emails. They should pay close attention to the email address and see if it is the same as the CEO normally uses or just resembles it. For example, an employee should look if the email domain is the right one.
Companies should also use multi-factor authentication, email filters have different permission levels for employees to better protect themselves against hackers and scammers. When it comes to wire transfers specifically, it's important to verify it with the person who is receiving the money and this is where a push notification can come in handy.
Finally, if not sure, ask:
- Is this an unusual request or is this common practice in the company?
- Has the CEO asked someone to do something similar for him before?
- Why are they not going through someone higher in the organization (the HR director, accounting director, CFO, etc.)?
Liverado is an encrypted email service that will protect your data from spying and online theft. It encrypts all your data both in transit and at rest and provides anti-phishing security exactly to prevent frauds like this one.