What is CEO Fraud?
CEO fraud is an email scam in which criminals impersonate a company's CEO or another senior executive to trick employees into transferring money or handing over confidential company information.
The criminal sends a convincing email, apparently from the executive, to an employee who can move money or data, typically in finance, accounting or HR, and asks for help with a wire transfer, a supplier payment or a batch of tax records. CEO fraud is a form of Business Email Compromise (BEC): the message comes either from a spoofed or lookalike address or from a genuinely compromised mailbox, and its purpose is to get the recipient to act on the attacker's instructions.
CEO fraud is a social engineering technique that depends on winning the recipient's trust. The criminals behind it know that most people do not look closely at sender addresses or notice a one-character difference in a domain name.
The emails use familiar but urgent language and make clear that the recipient would be doing the sender a big favour by helping out. They exploit two human instincts: to trust a colleague and to want to help.
CEO fraud attacks start with phishing, spear phishing or executive whaling, which give the criminal the mailbox access or the background knowledge needed to impersonate an executive convincingly.
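The tells described above (a domain that differs from the real one by a character or a homoglyph, an executive's name on an outside address, a Reply-To that quietly redirects the conversation, and urgent "do me a favour" wording) can be checked mechanically before a message reaches a finance or HR inbox. The script below is an added example, not code from the original page or from Terranova Security; the company domain example.com, the executive list, the keyword list and the three sample messages are constructed assumptions for the demo.

```python
"""Triage for CEO-fraud style emails: lookalike sender domains, executive names on
outside addresses, Reply-To diversion, failed authentication and pressure language.
Added example, not code from the original page or from Terranova Security; the
domain, executive list, keywords and sample messages are constructed assumptions."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption: our own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: impersonation targets

# Urgent, secret, "do me a favour" and payment words of the kind the article describes.
URGENCY = re.compile(
    r"\b(urgent|asap|immediately|today|confidential|favou?r|wire transfer|gift cards?)\b",
    re.IGNORECASE)
# Cyrillic letters that render like Latin ones in most fonts (IDN homoglyph domains).
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                            "\u0441": "c", "\u0455": "s", "\u0456": "i"})

def normalize_domain(domain: str) -> str:
    """Fold the substitutions that make a lookalike domain read like the real one."""
    d = unicodedata.normalize("NFKC", domain).lower().strip().translate(HOMOGLYPHS)
    d = d.encode("ascii", "ignore").decode()       # drop anything still non-ASCII
    return d.replace("rn", "m").replace("0", "o").replace("1", "l")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(raw: str) -> list[str]:
    """Return the CEO-fraud indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    who = " ".join(display.lower().split())
    if domain != COMPANY_DOMAIN:
        # Two edits is a sane threshold for a domain this long; tighten it for short ones.
        if edit_distance(normalize_domain(domain), normalize_domain(COMPANY_DOMAIN)) <= 2:
            findings.append(f"lookalike sender domain {domain!r} mimics {COMPANY_DOMAIN!r}")
        if who in EXECUTIVES:
            findings.append(f"executive name {display!r} on external address {addr!r}")
    elif who in EXECUTIVES and addr != EXECUTIVES[who]:
        findings.append(f"display name {display!r} does not match that executive's mailbox")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to!r} diverts replies away from {addr!r}")
    # Mail claiming our own domain should pass SPF/DKIM/DMARC at our own gateway.
    auth = msg.get("Authentication-Results", "")
    if domain == COMPANY_DOMAIN and re.search(r"\b(spf|dkim|dmarc)=(soft)?fail", auth, re.I):
        findings.append("claims to be internal but failed email authentication")
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = sorted({h.lower() for h in URGENCY.findall(f"{msg.get('Subject', '')}\n{body}")})
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings

# Constructed sample messages for the demo (not real traffic).
LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com

I need a favour. Please process a wire transfer today, it's confidential.
"""

FREEMAIL = """\
From: Jane Doe <ceo.janedoe@mail.invalid>
Reply-To: jane.doe.office@mail.invalid
To: hr@example.com
Subject: Quick request

Are you at your desk? I need the tax documents for all staff asap.
"""

INTERNAL = """\
From: Pat Lee <pat.lee@example.com>
To: jane.doe@example.com
Subject: Q3 budget draft
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Draft attached for review at the Thursday meeting.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE), ("free-mail", FREEMAIL), ("internal", INTERNAL)):
        print(label, assess(sample) or ["no indicators"])
```

The first two samples are flagged on three counts each; the internal message produces no findings. Note what this check cannot do: a message sent from an executive's genuinely compromised mailbox has the right domain, the right display name and clean authentication results, and only the pressure-language check fires. That is why the organisational control, confirming any payment or data request through a known phone number rather than by replying to the email, has to sit alongside the technical one.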
How Common is CEO Fraud?
CEO fraud is an increasingly common type of cybercrime. Criminals know that everyone has a full inbox, which makes it easy to catch people off guard and get a quick, unverified response.
According to the FBI's Internet Crime Complaint Center (IC3), BEC, the category of fraud that includes CEO fraud, is a $26 billion scam, a figure based on complaint data the IC3 collected between October 2013 and July 2019.
Cyber security awareness training and continual education are instrumental in reminding employees to treat requests that arrive by email, especially requests involving money or personal data, with a healthy degree of suspicion.
How Does CEO Fraud Happen?
Cybercriminals rely on four key tactics to commit CEO fraud: phishing, social engineering, spear phishing, and executive whaling.
Phishing gives the criminal a foothold. Depending on the phishing technique, the attacker might use malware or stolen credentials to gain access to the CEO's email account, contact list, or confidential information, which is then used to send convincing CEO fraud emails to unsuspecting recipients.
Social engineering relies on the human instinct of trust to trick people into giving up confidential information. Using carefully written emails, text messages, or phone calls, the cybercriminal wins the victim's trust and convinces them to provide the requested information or, for example, send them a wire transfer. To be successful, social engineering only needs one thing: the victim's trust.
Spear phishing attacks use highly targeted emails against specific individuals and businesses. Before sending one, the criminal uses the Internet to collect personal details about the target, which are then woven into the email.
Recipients trust the sender and the request because the email appears to come from a company they do business with or references an event they attended. The recipient is tricked into providing the requested information, which is then used to commit further crimes, including CEO fraud.
Executive whaling is a cyber crime in which criminals impersonate company CEOs, CFOs, and other executives, hoping to trick victims into acting. The goal is to use the executive's authority or status to get the recipient to respond quickly without verifying the request with a colleague.
Victims feel they are doing something good for their CEO and their company by, for example, paying a third-party supplier or uploading tax documents to a server that turns out to be controlled by the attacker.
CEO Fraud Targets
As mentioned earlier, this scam is carried out by spoofing the email address of a company's CEO or other high-ranking executives and then sending fraudulent emails to employees to trick them into transferring money or sensitive information to the attacker.
The most common targets of CEO fraud are the following:
CEO fraudsters often target finance departments because they control large sums of money. If a fraudster can convince one person in finance to approve a transfer, the payoff is immediate and large.
Finance staff also know a great deal about the inner workings of the company, such as which suppliers are paid when and how approvals work. That knowledge is valuable to a fraudster who wants to impersonate the CEO or another executive convincingly or to reach sensitive company data.
HR department employees have access to the company's entire employee database. A successful attack on HR gives the scammer the personal details needed to impersonate someone in a position of authority, and a single request for "all employees' tax forms" can expose the whole workforce.
HR departments also handle sensitive information such as payroll, benefits, and employee contact details, which can be used to scam individual employees out of their money and to build rapport and trust with victims before an attempt to defraud them.
CEO fraudsters also target the executive office itself. Executive assistants and chiefs of staff act on requests from executives every day, can often approve or expedite payments, and are the least likely to question a message that appears to come from their own boss.
IT departments hold administrative access to email, identity and often financial systems. A compromised IT account lets an attacker read an executive's mailbox or reset credentials, which is how many CEO fraud campaigns obtain the inside knowledge and mailbox access they need; for this reason IT staff are targeted both for direct access to systems and for the sensitive company information they can reach.
IT staff also have a high level of expertise and knowledge about company operations, which makes them a valuable resource for scammers looking to exploit weaknesses.
What Are Some Examples of CEO Fraud Attacks?
CEO fraud attacks have become increasingly common in recent years as criminals have become more sophisticated in their methods of deception.
One example cited for 2015 involved attackers impersonating the CEO of the German software company SAP to trick employees into transferring $1.3 million to a bank account controlled by the attackers.
The attackers used email and social engineering techniques to convince the employees that the request was legitimate. SAP later acknowledged that the attack could have been prevented if its employees had been more vigilant.
In another example, attackers impersonated the CEO of an American construction company to trick an employee into sending $28,000 to a fraudulent bank account. The employee only became suspicious afterwards, on realising that the "CEO" had asked for a wire transfer rather than the company's normal payment method, but by then the money had already been sent.
These examples illustrate how hard CEO fraud can be to detect: criminals use legitimate-looking email addresses and websites, and the request itself looks like routine business.
How To Prevent CEO Fraud
CEO fraud has been on the rise in recent years, with businesses of all sizes falling victim. Fortunately, you can take steps to protect your business from CEO fraud.
1. Educate your employees about the four CEO fraud tactics. There are free phishing simulation tools you can use to educate and identify phishing, social engineering, and CEO fraud risk.
2. Use proven security awareness training and phishing simulation platforms to keep CEO fraud attack risks top-of-mind for employees. Create internal cyber security heroes who are committed to keeping your organization cyber secure.
3. Remind your security leaders and cyber security heroes to monitor employee cyber security and fraud awareness with phishing simulation tools. Take advantage of CEO fraud microlearning modules to educate, train, and change behavior.
4. Provide ongoing communication and campaigns about cyber security, CEO fraud, and social engineering. This includes establishing strong password policies, requiring that any request to transfer funds or change payment details be confirmed through a known phone number or in person rather than by replying to the email, and reminding employees about the risks of emails, URLs, and attachments.
5. Establish network access rules that limit the use of personal devices and the sharing of information outside your corporate network.
6. Ensure that all applications, operating systems, network tools, and internal software are up to date and secure. Install malware protection and anti-spam software, and publish SPF, DKIM and DMARC records for your domain so that outright spoofing of your executives' addresses is rejected at the gateway. These controls stop many attacks before they reach an inbox, but they are the first line of defense, not the last: a lookalike domain or a compromised account passes them, and only a person who verifies the request will catch it.
7. Incorporate cyber security awareness campaigns, training, support, education, and project management into your corporate culture.
Learn how important it is to change behaviors and empower employees to be the first line of defense against CEO fraud. Download and share this free ebook: The Human Fix to the Human Risk.
What is Phishing Simulation?
Phishing simulation is one of the most effective ways to raise awareness and understanding of CEO fraud risks.
Phishing simulation uses real-world examples in an interactive format to identify which employees are at risk of falling for CEO fraud scams and phishing.
CEO fraud relies on phishing techniques to gain access to the company email system and uses social engineering techniques to convince employees to act as requested.
People see first-hand how cybercriminals use savvy techniques to steal personal and corporate information. Real-time CEO fraud and phishing simulations are an accessible way for any organization to educate people and increase awareness of cybercrime scams and techniques.
Phishing simulation allows you to incorporate cyber security awareness training into your organization easily.
How Can Phishing Simulation Help Prevent CEO Fraud?
Phishing simulations are an accessible and informative way to show employees how easy it is to be a victim of CEO fraud.
Using real-world examples and simulated phishing attacks, employees realize why verifying email addresses and confirming requests for funds or tax information is important before responding.
Phishing simulations empower your organization with 10 primary benefits against CEO fraud and other cyber security threats:
1. Measure the degrees of corporate and employee vulnerability
2. Reduce the organization's exposure to email-borne threats
3. Increase user alertness to CEO fraud, phishing, spear phishing, social engineering, and executive whaling risk.
4. Instill a cyber security culture and create cyber security heroes
5. Change behavior to eliminate the automatic trust response
6. Deploy targeted anti-phishing solutions
7. Protect valuable corporate and personal data
8. Meet industry compliance obligations
9. Assess the impacts of cyber security awareness training
10. Target BEC and phishing simulations at the roles most at risk
To learn more about CEO fraud and the best ways to keep your organization cyber security aware, take advantage of our free cyber security awareness resources.
Contact us at 1-866-889-5806 to learn more about CEO fraud.
Terranova Security is committed to delivering people-centric training that makes your organization cyber security aware.