Everyone wants to look good in front of their boss. It’s human nature. That’s why an urgent email from the CEO of your company is guaranteed to catch your attention. You’re also more likely to act on the request immediately without questioning the details.

But what if that email didn’t come from your boss?

All it takes is one savvy email that encourages an employee to act on behalf of their boss or manager. This email emphasizes, for example, how the employee will be helping out both the boss and the company by paying a new third-party vendor.

Or by transferring money to a different account number, conveniently given in the email.

Or by buying a large number of gift cards as a surprise for employees.

The email usually comes in around 4:30 pm or so, when the employee is finishing their day. This way, they’re less likely to call or double-check with the CEO. The employee will also feel good about helping out their company and boss by acting quickly.

CEO fraud is prevalent because it’s inexpensive to accomplish: 20 minutes of research on LinkedIn or the company website and a few emails is all it takes. It also has very high levels of success because it relies on our human desire to please.

According to the FBI, these types of cybercrimes are on the rise. Cyber criminals have developed slick social engineering and research techniques to target specific employees with CEO fraud scams.

The best way to prevent this type of fraud from hurting your organization is with security awareness training that emphasizes teaching employees how cyberattacks like CEO fraud happen.

The more knowledge and real-world context employees have, the easier it is to identify emails, text messages, and other social engineering tactics used to steal confidential information.

What is CEO Fraud?

CEO fraud is a sophisticated email scam that cyber criminals use to trick employees into transferring money or providing them with confidential company information.

CEO fraud is a social engineering technique that relies on winning the trust of the email recipient. The cyber criminals behind it know that most people don’t look at email addresses very carefully or fail to notice minor spelling errors.

Cyber criminals use email to impersonate the company CEO or other company executives and ask employees, typically in HR or accounting, to help them out by sending a wire transfer, updating account information, or providing account details.

Increasingly, gift card scams are associated with CEO fraud because they are essentially impossible to trace once they’ve been sent to the recipient. These scams might also not be CEO-specific. Scammers could impersonate someone lower, like an HR manager, so the employee has even less suspicion.

The Facts on CEO Fraud

The FBI and Internet Crime Complaint Center (IC3) reported on September 10, 2019, that CEO fraud is a $26 billion scam. Between June 2016 and July 2019, the FBI logged over 166,000 domestic and international reports of CEO fraud or Business Email Compromise (BEC) attacks.

That same day, the Department of Justice revealed that 281 people were arrested, and $3.7 million was seized in an international cyber fraud crackdown called Operation reWired.

“In unraveling this complex, nationwide identity theft and tax fraud scheme, we discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than $91 million in refunds,” said Chief Don Fort of IRS Criminal Investigation. (Department of Justice press release)

A famous case of CEO fraud made the news in Canada in 2019 when the Treasurer of the City of Ottawa wired over $100,000 to a scammer’s account following a fake email from the city manager.

She received a second fraudulent email just a week later, this time for $150,000. Thankfully, the email arrived during a meeting with the city manager, and she verified the transfer in person. That’s when she realized her mistake and notified the authorities.

The social engineering techniques and other tricks employed in this type of scam are constantly evolving. Cyber criminals cast a wide net targeting a range of companies and individuals:

  • Employees who regularly work with foreign suppliers and companies.
  • Businesses that regularly send wire and electronic funds transfers.
  • Human resources and payroll departments.
  • The elderly and people who have made recent real estate purchases.

The size of your business, where you operate, or how many employees you have has zero bearing on your risk level for CEO fraud.

In its press release, the FBI emphasized that the best way for companies to remain protected from CEO fraud scams is to educate employees with preventative training that shows employees how easy it is to become a victim of a cybercrime.

Ask These Questions to Prevent CEO Fraud

The right type of security awareness training empowers your employees to be proactive against cyber threats like CEO fraud. Phishing simulations are proven to give employees real hands-on exposure and understanding of how cyber attacks like CEO fraud happen.

Employees learn how important it is to ask these questions to prevent CEO fraud:

  • Has my CEO ever asked me to transfer money to a new account?
  • Am I the right person to be handling this type of request? Shouldn’t the CFO or VP of HR be doing this?
  • Why can’t the CEO do this herself? Is there a problem with our network that is preventing our CEO from getting access?
  • Is this type of request standard? Have I done this before?
  • Can I contact someone at the vendor, bank, or partner that is mentioned in the email?
  • Doesn’t this violate our company policy about sharing employee information?
  • Is the email address correct? When I click Reply, is the reply actually going to a genuine company email address, not a lookalike or a different Reply-To address?
  • Is there a phone number in the email signature? If so, call it and double-check the request with the sender.

Cyber criminals often use strong language to convince the email victim to respond. The timeline to execute this action will also be short and the task urgent. And in some cases, cyber criminals will send multiple emails asking when the request will be completed and stress the importance of this action.

When employees know the tell-tale signs of a phishing attack, they can take the time to assess the situation and think twice before immediately responding or acting. To monitor internal company risk for CEO fraud and other phishing attacks, take advantage of our free phishing simulation trial.

How To Protect Your Organization From CEO Fraud

To protect your organization from CEO fraud, you need to have a year-round cyber security awareness training and communication program that engages, educates, and empowers.

Stay aware of the time of the year. The holidays and preceding fiscal year-end months are prime time for these types of frauds. Cyber criminals know that people are traveling, trying to get the latest online deal, or stressed about finishing tax documents – this is the ideal scenario for criminals who want to capitalize on human nature.

To protect your organization from CEO fraud, make these steps a priority:

1. Education

Give your employees real-world cyber security awareness training that educates them on the risks of CEO fraud. Use phishing simulations, gamification, microlearning modules, and internal communications such as newsletters and posters to educate employees on how CEO fraud happens.

2. Awareness

Most employees don’t realize that they are at risk for a cyberattack. Give your employees cyber security training that puts an emphasis on awareness and changing human behavior. Provide your employees with the facts on the damage that happens with cybercrimes like CEO fraud and phishing.

3. Communication

Provide consistent communication and campaigns about CEO fraud, phishing, social engineering, and cyber security. Use newsletters, posters, and internal cyber heroes to create a cyber-aware organization.

4. Software

Most popular email software allows emails from outside the network to be tagged as external, either in the subject line or in the mailbox itself. A visual reminder that prompts the employee to ask themselves these questions before answering is often the best way to ensure the training is put to use.
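The reply-address question in the list above and the external-tagging step here are both mechanical enough to automate at the mail gateway. The following is an added example, not code from this article or from any product it mentions: it parses one inbound message, prepends an "[EXTERNAL]" tag to the subject when the sender is outside the organization, and reports the tell-tale signs the article describes (a lookalike sender domain with a minor spelling change, a Reply-To that points somewhere else, an executive's display name on an outside address, and urgency wording). The internal domain `example-corp.com`, the executive name list, the urgency word list and the sample message are all constructed assumptions for the demonstration.

```python
"""Tag external mail and flag CEO-fraud signals in a single inbound message (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Assumptions constructed for this example, not taken from the article:
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe"}            # display names attackers would want to impersonate
EXTERNAL_TAG = "[EXTERNAL]"
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "end of day")


def edit_distance(a, b):
    """Plain Levenshtein distance; one or two edits between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(header_value):
    """Return (lower-cased display name, lower-cased domain) from 'Name <user@host>'."""
    name, addr = parseaddr(str(header_value or ""))
    return name.strip().lower(), addr.rpartition("@")[2].lower()


def is_lookalike(domain):
    """True for a foreign domain within two edits of ours, or one that embeds our name
    in a different registration (e.g. example-corp.com.something.example)."""
    if not domain or domain == INTERNAL_DOMAIN:
        return False
    return (edit_distance(domain, INTERNAL_DOMAIN) <= 2
            or INTERNAL_DOMAIN.split(".")[0] in domain)


def analyze(raw_message: bytes) -> dict:
    """Return whether the message is external, the signals found, and the tagged subject."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_name, from_domain = split_address(msg["From"])
    _, reply_domain = split_address(msg["Reply-To"])
    subject = str(msg["Subject"] or "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{subject}\n{body}".lower()

    signals = []
    external = from_domain != INTERNAL_DOMAIN
    if external:
        signals.append("external sender")
    if is_lookalike(from_domain):
        signals.append("lookalike sender domain")
    if reply_domain and reply_domain != from_domain:
        signals.append("reply-to goes to a different domain")
    if from_name in EXECUTIVES and external:
        signals.append("executive display name on an external address")
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        signals.append("urgency wording: " + ", ".join(hits))

    # The visual reminder: tag the subject once, only for mail from outside the network.
    if external and not subject.startswith(EXTERNAL_TAG):
        tagged = f"{EXTERNAL_TAG} {subject}"
        if "Subject" in msg:
            msg.replace_header("Subject", tagged)
        else:
            msg["Subject"] = tagged
    return {"external": external, "signals": signals, "subject": str(msg["Subject"])}


# Constructed sample: the kind of message the article describes, with a digit-for-letter
# spelling change in the sender domain and a Reply-To pointing at a webmail account.
SAMPLE = b"""From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@freemail.example
To: accounts@example-corp.com
Subject: Urgent: payment to new vendor
Content-Type: text/plain; charset=utf-8

I'm in meetings all afternoon. Please pay the new vendor before end of day and reply here to confirm.
"""

if __name__ == "__main__":
    result = analyze(SAMPLE)
    print(result["subject"])
    for signal in result["signals"]:
        print(" -", signal)
```

Run on the sample, the subject becomes "[EXTERNAL] Urgent: payment to new vendor" and five signals are listed; a message from a colleague at the internal domain gets no tag and no signals. The edit-distance check is deliberately loose and will occasionally flag legitimate partner domains, which is the right trade-off for a reminder that asks the employee to look twice rather than one that blocks mail.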

5. Monitoring

Cyber security awareness training is not a one-time thing. Encourage employees to regularly participate in phishing simulations and gamified training to monitor employee awareness and knowledge levels. Use this information to identify cyber threat risks and to give employees the training and knowledge that resonates.

6. Guardrails

Even with the best training, slip-ups can happen. Consider putting in place measures around wire transfers and company purchases. For example, make it a policy that the person who created the wire transfer needs the approval of another before actually sending it. Or require a form to be filled and reviewed before any company purchase is made.

Recap

This scam is particularly difficult to squash because it relies on core human behaviors. The social engineering techniques used are highly advanced, and the task requested in the email is often a routine one on an office worker’s long to-do list.

CEO fraud is here to stay because it’s inexpensive and easy to execute with massive potential rewards. The most common way these attacks get thwarted is when the victim double-checks in person with their superior. This means the recent increase in remote workers worldwide will inevitably push these types of attacks even higher.

Use our free phishing simulation trial to monitor cyber security awareness levels and to kickstart a cyber security awareness training strategy.