CEO fraud is a targeted email scam in which criminals impersonate a company's CEO or another senior executive to trick employees into transferring money or handing over confidential company information.
The attacker sends convincing emails that appear to come from the CEO or another executive and asks employees, typically in HR or accounting, to help out by sending a wire transfer or sensitive data. CEO fraud is a form of Business Email Compromise (BEC): the criminal uses a spoofed sender address, a lookalike domain or a genuinely compromised executive mailbox to get the recipient to act.
CEO fraud is a social engineering technique that relies on winning the trust of the email recipient. The criminals behind it know that most people do not look at sender addresses closely or notice a one-character difference in spelling.
These emails use familiar yet urgent language and make clear that the recipient is doing the sender a big favor by helping. The attackers prey on the human instinct to trust colleagues and on the desire to be helpful, especially toward the boss.
CEO fraud attacks are built on phishing, spear phishing, social engineering and executive whaling, all used to make the impersonation of a company executive convincing.
How Common is CEO Fraud?
CEO fraud is becoming an increasingly common type of cybercrime. Cybercriminals know that employees have busy inboxes, making it easy to catch people off-guard and convince them to respond.
In a 2019 public service announcement, the FBI's Internet Crime Complaint Center (IC3) described BEC, of which CEO fraud is the best-known form, as a $26 billion scam. The IC3 figures for October 2013 to July 2019 show the scale of the problem:
- Domestic and international incidents: 166,349
- Domestic and international exposed dollar loss: $26 billion
- Total U.S. victims: 69,384
- Total U.S. exposed dollar loss: $10 billion
- Total non-U.S. victims: 3,624
- Total non-U.S. exposed dollar loss: $1 billion
CEO fraud knows no boundaries. It has been reported in all 50 US states and 150 countries, with fraudulent wire transfers sent to 115 different countries. It is a global crime that hits businesses of every type and size.
Cyber security awareness training and continual education are instrumental in reminding employees of the importance of being cyber aware when it comes to emails and the inbox.
How Does CEO Fraud Happen?
Cybercriminals rely on four key tactics to commit CEO fraud:
Phishing
Phishing is usually the entry point. Depending on the technique, the attacker may use malware or harvested credentials to get into the CEO's mailbox, contact list or confidential files, and then send targeted CEO fraud emails from a mailbox the recipients already trust.
Most CEO fraud schemes are simple. The attacker looks up the name of a company's CEO on Google and then uses a marketing or lead-generation service, such as ZoomInfo or Lead411, to gather contacts in the company's HR or finance department, depending on the scam they are attempting.
They then send a batch of templated emails, usually from a free webmail account with the executive's name set as the display name. The attacker does minimal research and relies on the volume of fraudulent emails rather than the quality of each one.
Spear Phishing
Spear phishing uses highly targeted messages against specific individuals and businesses. Before sending one, the attacker collects personal data about the target from the Internet and weaves it into the message.
Recipients trust the sender and the request because the message appears to come from a company they do business with or references an event they attended. The recipient is tricked into providing the requested information, which is then used for further crimes, including CEO fraud.
Spear phishing can also arrive by SMS (smishing). The attacker, posing as the CEO, texts the request to the employee's personal mobile number, which can be found on LinkedIn or other platforms. The tactic works because the message never touches the corporate email system, so none of the email security controls get a chance to inspect it. Much of this CEO fraud variant has been attributed to groups operating from Nigeria.
Social Engineering
Social engineering relies on the human instinct of trust to trick people into giving up confidential information. The cyber criminal wins the victim's trust and convinces them to provide the requested information or, for example, send them a wire transfer using carefully written emails, text messages, or phone calls.
Executive Whaling
Executive whaling is a cyber crime in which criminals impersonate company CEOs, CFOs, and other executives, hoping to trick victims into acting. The goal is to use the executive's authority or status to convince the recipient to respond quickly without verifying the request with another colleague.
Victims feel like they're doing something good by helping their CEO and company by, for example, paying a third-party company or uploading tax documents to a private server.
Deepfake CEO Voicemail Messages
A deepfake is synthetic audio, video or imagery generated with AI. Attackers have begun using voice-cloning tools to leave fake voicemail messages from the CEO. A clone trained on a few minutes of public recordings, such as earnings calls or conference talks, can sound convincingly like the real executive and is used to pressure employees into sending money or personal data.
These CEO fraud techniques all rely on one element: people are busy and do not pay full attention to sender addresses, website URLs, text messages or voicemail details. All it takes is for an employee to miss a spelling error or a slightly different email address, and the criminal wins.
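The sender-address tricks described above (an executive's name on an outside mailbox, a domain one character away from the real one, a Reply-To that quietly redirects the conversation) are exactly what a mail-gateway or SIEM rule can check before a human has to. The following is an added example, not Terranova Security's code or any product's rule set; the company domain, executive list and sample messages are all constructed for illustration.

```python
"""Header-based screen for CEO-fraud (executive impersonation) e-mail.

Added example, not Terranova Security's code. It inspects only the fields a
mail gateway or SIEM rule sees and flags the patterns described above: an
executive's display name on a message from outside the company, a sender
domain that is a near-miss of the real one, and a Reply-To header that
quietly redirects replies to a different mailbox.
"""
import unicodedata
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumptions for this example: a hypothetical company domain and executive list.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address

# Substitutions attackers use to build lookalike domains (rn looks like m, 1 like l).
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents and fold common confusables so that
    'Examp1e.com' and 'exarnple.com' both become 'example.com'."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for bad, good in CONFUSABLE_PAIRS:
        folded = folded.replace(bad, good)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True when `domain` is not the real domain but is built to be mistaken for it."""
    if domain.lower() == legit.lower():
        return False
    nd, nl = normalize_domain(domain), normalize_domain(legit)
    if nd == nl:
        return True  # confusable-character swap only
    label, legit_label = nd.split(".")[0], nl.split(".")[0]
    if edit_distance(label, legit_label) <= 2:
        return True  # typosquat: dropped, added or swapped letters
    # "example-com.net" style: the real name embedded in a different registration
    return legit_label in nd.replace(".", "").replace("-", "")


def screen_message(raw: str) -> list:
    """Return a list of findings (empty means nothing suspicious in the headers)."""
    msg = Parser(policy=policy.default).parsestr(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        findings.append("executive display name on a non-executive address")
    if domain != COMPANY_DOMAIN and is_lookalike(domain):
        findings.append(f"lookalike sender domain {domain}")
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To redirects replies to {reply_to}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nTo: ap@example.com\nSubject: Q3 numbers\n\nSee attached.\n",
    "webmail": "From: Jane Doe <jane.doe.ceo@gmail.com>\nTo: ap@example.com\nSubject: Urgent favour\n\nAre you at your desk? Need gift cards for clients today.\n",
    "lookalike": "From: Jane Doe <jane.doe@examp1e.com>\nReply-To: jane.doe.ceo@outlook.com\nTo: ap@example.com\nSubject: Wire today\n\nWe are closing an acquisition, keep this confidential.\n",
    "vendor": "From: Accounts <ap@vendor-invoices.net>\nReply-To: billing-update@outlook.com\nTo: ap@example.com\nSubject: Updated bank details\n\nPlease pay the attached invoice to the new account.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} {screen_message(raw) or 'clean'}")
```

The legitimate message produces no findings, the free-webmail message trips only the display-name rule, the lookalike-domain message trips all three, and the vendor message shows the Reply-To mismatch that fake-invoice scams depend on. A rule like this is a filter, not a verdict: it flags the message for a banner or a hold queue, and the employee still confirms any payment request out of band.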
CEO Fraud Targets
As described above, the scam works by spoofing or compromising the email address of a company's CEO or another senior executive and then sending fraudulent requests to employees so that they transfer money or sensitive information to the attacker.
The most common targets of CEO fraud are the following:
Finance
Finance and accounts payable staff are the prime target because they can initiate payments and change supplier bank details. A single convincing request to the right person can move a large sum, which is why the department is the most lucrative target.
Finance staff also know the company's vendors, payment schedules and approval chains. That knowledge is valuable to an attacker who wants to make a later impersonation of the CEO or another executive look routine.
Executive
Executives and the staff around them are targeted because they have the most authority over spending and approvals, and a compromised executive mailbox gives the attacker a genuine internal address to send requests from. The many people who report to an executive also mean several potential victims for a single impersonation.
HR
HR employees have access to the company's entire employee database, so an attacker who gets into HR can quickly gather the personal details needed to impersonate someone in a position of authority.
HR also handles sensitive information such as payroll, benefits and employee contact numbers. That data can be used to scam employees directly, for example by redirecting a direct deposit, and to build rapport and trust with a victim before the fraud attempt.
IT
IT departments administer the email system, the identity provider and often the finance and payroll applications themselves. An attacker who can talk an administrator into resetting a password or granting access gets a foothold that makes every later impersonation more convincing, which is why IT is targeted for access to sensitive systems rather than for payments directly.
IT staff also have detailed knowledge of how the company's systems and processes work, which a scammer can reuse to make requests look legitimate.
Most Common CEO Fraud Scams
CEO fraud attacks have become more common in recent years as criminals have refined their methods of deception. They take several forms, which makes them harder to recognize.
Most CEO fraud occurs by email and is classed as business email compromise (BEC). Not all BEC is CEO fraud, however; vendor and payroll impersonation are BEC too.
The most common CEO fraud scams, in order of frequency, are the following:
Gift Card Scams
In gift card scams, the scammer contacts the victim by call, text, email or social media and, using a prepared script, persuades them to buy gift cards from a well-known retailer. The victim then reads back or photographs the card numbers and PINs, which is all the attacker needs to drain the cards. The cards themselves are genuine; the money on them is gone within minutes and is almost impossible to recover.
Gift card scams can be broken down into three main lures:
- The attacker, posing as CEO, tells their employee they need a gift for a friend or relative’s birthday. A sad story about cancer, COVID-19, or a death in the family usually accompanies this.
- The attacker, posing as CEO, tells their employee they need gift cards to reward staff members. They usually tell the victim this should be kept confidential to avoid ruining the surprise.
- The attacker, posing as CEO, tells their employee they need gift cards to give to clients and may even mention a client presentation.
Payroll Diversion Scams
This type of CEO fraud is the most straightforward. The attacker, pretending to be the CEO, tells HR or payroll that they have changed banks and need their direct deposit details updated. While 90% of these scams use the CEO title to fool employees, some attackers pose as mid-level managers or front-line workers instead, because those names are less likely to trigger executive-impersonation filters.
One reported example of a CEO fraud attack occurred in 2015, when attackers impersonated the CEO of SAP, a German software company, to trick employees into transferring $1.3 million to a bank account the attackers controlled.
The attackers used email and social engineering to convince the employees that the request was legitimate. SAP later acknowledged that the attack could have been prevented if its employees had been more vigilant.
In another example, attackers impersonated the CEO of an American construction company to trick an employee into sending $28,000 to a fraudulent bank account. The employee became suspicious when the "CEO" asked for the money to be sent by wire transfer rather than through the company's standard payment process, but by then the money had already been sent.
Fake Invoice Scams
A fake invoice scam happens when a criminal poses as one of the company's suppliers, tells an employee that the supplier's payment details have changed, supplies new account details and asks for urgent payment.
This type of CEO fraud primarily takes three forms:
- A bogus reply chain that makes it look as though the CEO is being chased by a legitimate company for payment. The "CEO" forwards the chain to someone in finance and orders them to issue the payment immediately.
- The attackers, posing as the CEO, claim that they owe an outside consultant money and ask an employee to pay the consultant today to avoid the payment being overdue.
- The attackers, posing as the CEO, claim the company is involved in M&A activity, but to avoid losing the deal, they must wire money immediately. The “CEO” might even request that the transaction be kept secret.
Aging Report Scams
The aging report scam involves two steps. First, the attacker poses as the CEO and asks Accounts Receivable for a copy of the A/R aging report, citing research as the reason.
Second, the attacker poses as the A/R clerk and contacts every customer on the report to ask for payment. Customers who respond are told that the company has updated its payment instructions, sometimes with a 10-15% discount for prompt payment.
These examples show why CEO fraud is hard to detect: the criminals use legitimate-looking email addresses, reply chains and websites, and the request itself often looks like ordinary business.
How To Prevent CEO Fraud
CEO fraud has been on the rise in recent years, with businesses of all sizes falling victim. Fortunately, you can take steps to protect your business from CEO fraud.
Comprehensive Employee Education
Educate your employees about CEO fraud tactics and train them according to their roles. Finance staff, for example, need more practice recognizing fraudulent payment requests, while IT teams should understand the technical side of phishing. Pair the training with a fixed rule that needs no judgement in the moment: any request to send money, change bank details or release tax or payroll data is confirmed by phone or in person with the requester at a number already on file, never one supplied in the message, regardless of who appears to have sent it.
It’s also important to regularly update their training and knowledge. Conduct refresher courses to stay ahead of new fraud tactics. To keep employees engaged, consider using interactive modules, such as gamified learning experiences.
Advanced Security Awareness and Phishing Simulations
You can use free phishing simulation tools to educate and identify phishing, social engineering, and CEO fraud risks. Conduct phishing simulations regularly to help employees recognize and respond to actual threats.
Use proven security awareness training and phishing simulation platforms to keep CEO fraud attack risks top-of-mind for employees. Create internal cyber security heroes committed to keeping your organization cyber secure.
Proactive Monitoring and Microlearning
Remind your security leaders and cyber security heroes to monitor employee fraud awareness with phishing simulation tools. Encourage them to use behavior analytics to see how employees interact with emails so they can identify weak spots and training needs.
Take advantage of CEO fraud microlearning modules to educate, train, and change behavior. These can easily be deployed in response to emerging threats, allowing employees to stay updated.
Continuous Communication and Cyber Hygiene Practices
Provide ongoing communication and campaigns about cyber security, CEO fraud, and social engineering. This includes establishing strong password policies and reminding employees about the risks of emails, URLs, and attachments.
You can also send regular cyber security newsletters and alerts to keep employees’ knowledge up-to-date.
Strict Network Access and Device Management
Establish network access rules that limit the use of personal devices and the sharing of information outside your corporate network. Implement network segmentation strategies to help limit access to the company’s sensitive information.
Rigorous Software and Network Maintenance
Ensure that all applications, operating systems, network tools and internal software are up to date and securely configured. Install malware protection and anti-spam filtering; they catch the bulk attacks, but a well-crafted CEO fraud email contains no malware and often no link, so do not rely on them as the only control.
Ensure you regularly audit your software and network to identify and resolve potential vulnerabilities quickly. More importantly, have a backup and disaster recovery plan to mitigate the impact of any successful attacks.
Cyber Security Culture
Incorporate cyber security awareness campaigns, training, support, education and project management into your corporate culture. Align your cyber security efforts with your overall business goals and objectives.
If you see fit, consider creating a dedicated team responsible for coordinating cyber security efforts across different departments.
Learn how important it is to change behaviors and empower employees to be the first line of defense against CEO fraud. Download and share this free ebook: The Human Fix to the Human Risk.
What is Phishing Simulation?
Phishing simulation is one of the most effective ways to raise awareness and understanding of CEO fraud risks.
Phishing simulation uses real-world examples in an interactive format to identify which employees are at risk from CEO fraud scams and phishing.
CEO fraud may use phishing to compromise a company mailbox and always uses social engineering to convince employees to act on the request.
People see first-hand how cybercriminals use savvy techniques to steal personal and corporate information. Real-time CEO fraud and phishing simulations are an accessible way for any organization to educate people and increase awareness of cybercrime scams and techniques.
Phishing simulation allows you to easily incorporate cyber security awareness training into your organization.
How Can Phishing Simulation Help Prevent CEO Fraud?
Phishing simulations are an accessible and informative way to show employees how easy it is to be a victim of CEO fraud.
Using real-world examples and simulated phishing attacks, employees realize why verifying email addresses and confirming requests for funds or tax information is vital before responding.
Phishing simulations empower your organization with 10 primary benefits against CEO fraud and other cyber security threats:
1. Measure the degrees of corporate and employee vulnerability
2. Reduce the overall cyber threat risk level
3. Increase user alertness to CEO fraud, phishing, spear phishing, social engineering, and executive whaling risk.
4. Instill a cyber security culture and create cyber security heroes
5. Change behavior to eliminate the automatic trust response
6. Deploy targeted anti-phishing solutions
7. Protect valuable corporate and personal data
8. Meet industry compliance obligations
9. Assess the impacts of cyber security awareness training
10. Run dedicated BEC simulations alongside general phishing simulations
Learn More About CEO Fraud
To learn more about CEO fraud and the best ways to keep your organization cyber security aware, take advantage of our free cyber security awareness resources:
Contact us at 1-866-889-5806 or at [email protected] to learn more about CEO Fraud.
Terranova Security is committed to delivering people-centric training that makes your organization cyber security aware.