The FBI reports that between 2016 and 2019, CEO Fraud - also known as business email compromise, or BEC - resulted in $26 billion in losses for companies worldwide.

What Is CEO Fraud and How Does It Work?

CEO fraud is an increasingly common email scam in which an attacker targets or impersonates a C-level executive within an organization & tries to gain access to financial information or other sensitive data. Typically, the attacker aims to trick you into transferring money to a bank account owned by the attacker or to send confidential HR information or to reveal other sensitive information. The aim of these campaigns is to trick victims into sharing valuable data such as credit card information or bank account numbers via email or conducting fraudulent wire transfers. 

 

In this highly targeted form of attack, malicious actors research potential victims and their companies to learn as much as they can about who they are targeting, enabling them to craft highly convincing - and often successful - attack campaigns. The fraudulent emails sent in these campaigns urge recipients to take immediate action - either to share credentials that can provide attackers with access to corporate systems, provide sensitive information such as payroll or tax information or transfer money to a specific account controlled by the attackers. Because these attacks emphasize confidentiality and urgency, victims are often inclined to take action without checking to ensure that the request is legitimate.

 

What are CEO fraud attack methods?

Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how the bad guys do it: 

1. Phishing

Phishing email is an attack variation sent to large numbers of email users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources—often with legitimate-looking logos attached. Banks, credit card providers, delivery firms, law enforcement, and the IRS are a few of the common names to fraud employees. If you do click on a link in a phishing email, you’ll usually be taken to a web page that looks like it belongs to your bank or credit card company or even PayPal. That page will ask you for your personal & financial information — maybe your account numbers or log in credentials, like your username & password.

2. Spear Phishing

This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users. A Spear phishing email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included – perhaps the person’s name, or the name of a client.

3. Executive Whaling

In case of whaling attack, the cyber security scammers target top executives and administrators, typically to siphon off money from accounts or steal confidential data. Personalization and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.

4. Social Engineering

Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.

How to Prevent CEO Fraud?

Appropriate policies prevent the attack to some extent before it does any financial damage. Here are five things you can do immediately to defend against this so-called CEO Fraud:

1. Educate your employees about such threats and implement training programs around privacy and security. Employees must be vigilant about responding to requests for money transfers or for any sensitive information.

2. Layout & make it mandatory for accounts team to follow proper documentation and approvals for all wire transfers.

• Make sure that any wire transfer is associated with and maps to an actual purchase inside the accounting system (again, proper documentation).

• Determine if a separation of duty exists between the initiator and approver of wire transfers

• For large wire transfers, request that G&A add a phone call to the approval process

3. Educate employees to check for look-a-like domain names that are variations of your company name.

4. Add multifactor authentication to all key apps (including financial systems) so users can confirm they really are who they claim to be (e.g., when initiating a wire transfer).

5. If your company experiences an incident of BEC, report it to your local FBI or U.S. Secret Service field offices immediately.

 

Best Method: Prevent CEO Fraud with Guardian Digital EnGarde Cloud Email Security

Through a defense-in-depth approach to security, the use of the innovative, collaborative open-source development model and over two decades of industry experience, Guardian Digital EnGarde Cloud Email Security protects businesses in all industries from cyber security attacks like CEO fraud and other targeted, sophisticated email-borne threats.

 

EnGarde analyzes hundreds of thousands of attributes of each email that passes through its gateway, scanning all links and attachments for malicious code and analyzing the reputation of the sender to ensure that only safe, legitimate mail is delivered. 

 

EnGarde also implements multiple layers of advanced email authentication protocols to protect users from CEO fraud, email spoofing and other dangerous impersonation attacks. These protocols help assure that every email that reaches the inbox is from who it says it’s from - not a malicious actor claiming to be the sender. 

 

CEO fraud scams can have serious consequences for organizations including financial loss, significant downtime and reputation damage. How are you safeguarding your users, your data and your brand from CEO fraud and other email-borne threats?