It doesn’t take much for employees to fall victim to CEO fraud.
All it takes is one savvy email that encourages an employee to act on behalf of their boss or manager. This email emphasizes, for example, how the employee will really be helping out both the boss and the company by paying a new third-party vendor.
Because the boss is traveling, the employee can’t easily confirm the request and since the email stressed how urgent the payment is, the employee makes the payment. The employee feels good about helping out their company and boss by acting quickly. Unfortunately, this employee and company were victimized by CEO fraud.
And according to the FBI, these types of cybercrimes are on the rise. Cybercriminals have developed slick social engineering and research techniques that allow them to target specific employees with CEO fraud scams.
The best way to prevent this type of fraud from hurting your organization is with security awareness training that puts an emphasis on teaching employees how cyberattacks like CEO fraud happen. The more knowledge and real-world context employees have, the easier it is for them to identify emails, text messages, and other social engineering tactics used to steal confidential information.
What is CEO Fraud?
CEO fraud is a sophisticated email scam that cybercriminals use to trick employees into transferring them money or providing them with confidential company information.
CEO fraud is a social engineering technique that relies on winning the trust of the email recipient. The cybercriminals behind it know that most people don’t look at email addresses very carefully or fail to notice small spelling errors.
Cybercriminals use email to impersonate the company CEO or other company executives and ask employees, typically in HR or accounting to help them out by sending a wire transfer, updating account information, or providing account details.
The Facts on CEO Fraud
The FBI and Internet Crime Complaint Center (IC3), reported on September 10, 2019 that CEO fraud is a $26 billion scam. The FBI reported that between June 2016 and July 2019 there were over 166,000 domestic and international reports of CEO fraud or Business Email Compromise (BEC) attacks.
That same day, the Department of Justice revealed that 281 people were arrested and $3.7 million was seized in an international cyber fraud crack-down called Operation reWired.
“In unravelling this complex, nationwide identity theft and tax fraud scheme, we discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than $91 million in refunds,” said Chief Don Fort of IRS Criminal Investigation.” (Department of Justice press release)
This recent FBI data and arrests made in Operation reWired confirm that CEO fraud knows no boundaries or limits. Cybercriminals cast a wide net targeting a range of companies and individuals:
- Employees who regularly work with foreign suppliers and companies.
- Businesses that regularly send wire and electronic funds transfers.
- Human resources and payroll departments.
- The elderly and people who have made recent real estate purchases.
The size of your business, where you operate, or how many employees you have has zero bearing on your risk level for CEO fraud.
In its press release, the FBI emphasized that the best way for companies to remain protected from CEO fraud scams is to educate employees with preventative training that shows employees how easy it is become a victim of a cybercrime.
Ask These Questions to Prevent CEO Fraud
The right type of security awareness training empowers your employees to be proactive against cyberthreats like CEO fraud. Phishing simulations are proven to give employees real hands-on exposure and understanding of how cyber attacks like CEO fraud happen.
Employees learn how important it is to ask these questions to prevent CEO fraud:
- Has my CEO ever asked me to transfer money to a new account?
- Am I the right person to be handling this type of request? Shouldn’t the CFO or VP of HR be doing this?
- Why can’t the CEO do this herself? Is there a problem with our network that is preventing our CEO from getting access?
- Is this the type of request standard? Have I done this before?
- How can I contact someone at the vendor, bank, or partner that is mentioned in the email?
- Doesn’t this violate our company policy about sharing employee information?
- Is the email address correct? What happens when I click Reply – I need to verify that it’s a real company email address.
- Is there a phone number in the email signature? If so, call it and double-check the request with the sender.
Cybercriminals use strong language to convince the email victim to respond. And in some cases, will send multiple emails asking when the request will be completed and stress the importance of this action.
When employees know the tell-tale signs of a phishing attack, they are able to take the time to assess the situation and think twice before immediately responding or acting. To monitor internal company risk for CEO fraud and other phishing attacks, take advantage of our free phishing simulation trial.
How To Protect Your Organization From CEO Fraud
To protect your organization from CEO fraud you need to have a year-round cyber security awareness training and communication program that engages, educates, and empowers.
During the holidays, there is an increase in all forms of cyberattacks. Cybercriminals know that people are busy, trying to get the latest online deal, and are traveling – this is the ideal scenario for criminals who want to capitalize on human nature.
To protect your organization from CEO fraud, make these steps a priority:
Give your employees real-world cyber security awareness training that educates them on the risks of CEO fraud. Use phishing simulations, gamification, microlearnings, and internal communications such as newsletters and posters to educate employees on how CEO fraud happens.
Most employees don’t realize that they are at risk for a cyberattack. Give your employees cyber security training that puts an emphasis on awareness and changing human behavior. Provide your employees with the real facts on the damage that happens with cybercrimes like CEO fraud and phishing.
Provide consistent communication and campaigns about CEO fraud, phishing, social engineering, and cyber security. Use newsletters, posters, and internal cyber heroes to create a cyber-aware organization.
Cyber security awareness training is not a one-time thing. Encourage employees to regularly participate in phishing simulations and gamified training to monitor employee awareness and knowledge levels. Use this information to identify cyberthreat risks and to give employees the training and knowledge that resonates.
The threats of CEO fraud are real. The only way to protect against CEO fraud is to remember how critical your employees are in preventing cybercrime.
Use our free phishing simulation trial to monitor cyber security awareness levels and to kickstart a cyber security awareness training strategy.