Everyone wants to look good in front of their boss. Which is exactly why an urgent email from the CEO of your company is guaranteed to catch your attention. You’re more likely to act on the request immediately without questioning the details.
But what if that email didn’t come from your boss?
All it takes is one savvy email that encourages an employee to act on behalf of their team leader. For example, some CEO fraud emails would ask employees to help out both the boss and the company by paying a new third-party vendor.
Or transferring money to a different account number, conveniently given in the email.
Or buying a large number of gift cards as a surprise to employees.
CEO fraud emails usually come at around 4:30 pm, when employees are just about to finish their day. This way, they’re less likely to call or double-check with the CEO. Employees would also feel good about helping their company and boss by acting quickly.
CEO fraud is prevalent because it’s inexpensive to accomplish: 20 minutes of research on LinkedIn or the company website and a few emails are all it takes. It also has very high levels of success because it relies on our human desire to please others.
According to the FBI, these types of cybercrimes are on the rise. Cyber criminals have developed slick social engineering and research techniques to target specific employees with CEO fraud scams.
The best way to prevent this type of fraud from hurting your organization is with security awareness training that teaches employees how cyberattacks like CEO fraud happen.
The more knowledge and real-world context employees have, the easier it is to identify emails, text messages, and other social engineering tactics used to steal confidential information.
What is CEO Fraud?
CEO fraud is a sophisticated email scam that cyber criminals use to trick employees into transferring money or providing them with confidential company information.
CEO fraud is a social engineering technique that relies on winning the trust of the email recipient. The cyber criminals behind it know that most people don’t look at email addresses very carefully or fail to notice minor spelling errors.
Cyber criminals use email to impersonate the company CEO or other company executives and ask employees, typically in HR or accounting, to help them by sending a wire transfer, updating account information, or providing account details.
Increasingly, gift card scams are associated with CEO fraud because they are impossible to trace once sent to the recipient. These scams might also not be CEO-specific. Scammers could impersonate someone lower, like an HR manager, so the employee has even less suspicion.
The Facts on CEO Fraud
In 2021 alone, the FBI said BEC attacks were responsible for $1.8 billion in losses.
A few years ago, a famous case of CEO fraud made the news in Canada in 2019 when the Treasurer of the City of Ottawa wired over $100,000 to a scammer’s account following a fake email from the city manager.
She received a second fraudulent email just a week later, this time for $150,000. Thankfully, the email arrived during a meeting with the city manager, and she verified the transfer in person. That’s when she realized her mistake and notified the authorities.
Just a year later, in 2020, the government of Puerto Rico lost over $2.6 million in a similar attack when their finance director answered an email asking him to transfer the funds to a supposed new government account. This shows this type of attack is still common, and many employees still need training.
The social engineering techniques and other tricks employed in this type of scam are constantly evolving. Cyber criminals cast a wide net targeting a range of companies and individuals:
- Employees who regularly work with foreign suppliers and companies.
- Businesses that periodically send wire and electronic funds transfers.
- Human resources and payroll departments.
- The elderly and people who have made recent real estate purchases.
- The size of your business, where you operate, or how many employees you have has zero bearing on your risk level for CEO fraud.
- In its press release, the FBI emphasized that the best way for companies to remain protected from CEO fraud scams is to educate employees with preventative training that shows employees how easy it is to become a victim of a cybercrime.
Ask These Questions to Prevent CEO Fraud
The right security awareness training empowers employees to be proactive against cyber threats like CEO fraud. Phishing simulations give employees real hands-on exposure and an understanding of how cyber attacks like CEO fraud happen.
Employees learn how important it is to ask these questions to prevent CEO fraud:
- Has my CEO ever asked me to transfer money to a new account?
- Am I the right person to be handling this type of request? Shouldn’t the CFO or VP of HR be doing this?
- Why can’t the CEO do this herself? Is a problem with our network preventing our CEO from getting access?
- Is this type of request standard? Have I done this before?
- Can I contact someone at the vendor, bank, or partner that is mentioned in the email?
- Doesn’t this violate our company policy about sharing employee information?
- Is the email address correct? When I click Reply – I need to verify that it’s an actual company email address.
- Is there a phone number in the email signature? If so, call it and double-check the request with the sender.
Cyber criminals often use strong language to convince the email victim to respond. The timeline to execute this action will also be short, and the task urgent. And in some cases, cyber criminals will send multiple emails asking when the request will be completed and stressing the importance of this action.
When employees know the tell-tale signs of a phishing attack, they can take the time to assess the situation and think twice before immediately responding or acting. Take advantage of our free phishing simulation trial to monitor internal company risk for CEO fraud and other phishing attacks.
How To Protect Your Organization From CEO Fraud
To protect your organization from CEO fraud, you must have a year-round cyber security awareness training and communication program that engages, educates, and empowers.
Stay aware of the time of the year. The holidays and preceding fiscal year-end months are prime time for these frauds. Cyber criminals know that people are traveling, trying to get the latest online deal, or stressed about finishing tax documents – this is the ideal scenario for criminals who want to capitalize on human nature.
To protect your organization from CEO fraud, make these steps a priority:
Education
Give your employees real-world cyber security awareness training that educates them on the risks of CEO fraud. Use phishing simulations, gamification, microlearning modules, and internal communications such as newsletters and posters to educate employees on how CEO fraud happens.
Awareness
Most employees don’t realize that they are at risk for a cyberattack. Give your employees cyber security training that emphasizes awareness and changing human behavior. Provide your employees with the facts on the damage that happens with cybercrimes like CEO fraud and phishing.
Communication
Provide consistent communication and campaigns about CEO fraud, phishing, social engineering, and cyber security. Use newsletters, posters, and internal cyber heroes to create a cyber-aware organization.
Software
Most popular email software allows emails from outside the network to be tagged as external either in the title or in the mailbox itself. A visual reminder for the employee to ask themselves questions before answering is often the best way to ensure the education is put to use.
Monitoring
Cyber security awareness training is not a one-time thing. Encourage employees to participate regularly in phishing simulations and gamified training to monitor employee awareness and knowledge levels. Use this information to identify cyber threat risks and to give employees the training and knowledge that resonates.
Guardrails
Even with the best training, slip-ups can happen. Consider measures around wire transfers and company purchases. Make it a policy that the person who created the wire transfer needs the approval of another before sending it. Or require a form to be filled and reviewed.
Stop CEO Fraud right at first contact
CEO Fraud is difficult to squash because it relies on core human behaviors. The social engineering techniques used are highly advanced, and the task asked in the email is often a routine one on the long list of an office worker.
This form of cyber attack is here to stay because it’s inexpensive and easy to execute with massive potential rewards. The most common way these attacks get thwarted is when the victim double-checks in person with their superior. This means the recent increase in remote workers worldwide will also inevitably lead to these attacks rising.
The behaviors that lead to CEO fraud are easily changed. If a cyber security awareness culture is implemented, there is no reason for cyber attacks to succeed within your organization. Will your users click on a phishing link?
The 2022 Phishing Benchmark Global Report
Download our latest report to get fresh phishing benchmarking data and to see how your sector performed in the recent Gone Phishing Tournament.