CEO Fraud is a scam where cybercriminals spoof company email accounts and impersonate executives to try and fool employees into executing unauthorized wire transfers or sending them confidential tax information. It takes aim at personally identifiable information, rather than merely tricking accounting staff into scheduling fraudulent wire transfers.
CEO Fraud is a form of Business Email Compromise (BEC) where a cybercriminal impersonates a high-level executive (often the CEO). Once they convince the recipient of the email (employee, customer or vendor) that they are legitimate, they then attempt to get them to transfer funds or confidential information. BEC attacks are also called whaling or man-in-the-email. They are a way of tricking employees into turning large amounts of money over to cyber attackers.
Successful CEOs have been fired because of CEO Fraud. Stock prices have collapsed. IPOs and mergers have been taken off the table. CEO Fraud has victimized more than 22,000 organizations worldwide and is responsible for losses of more than $3 billion. And now we are seeing it in Southeast Texas!
There Are 4 Attack Methods For CEO Fraud Happening Now In SE Texas:
1. Phishing. Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources; often with legitimate-looking logos attached.
2. Spear Phishing. This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.
3. Executive Whaling. The bad guys target top executives and administrators, typically to siphon off money from accounts or steal confidential data.
4. Social Engineering. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.
Who Is At Risk Of CEO Fraud?
The CEO isn’t always the one in a criminal’s crosshairs. There are four other groups of employees who are considered valuable targets given their roles and access to funds and confidential information.
1. Finance. The finance department is especially vulnerable in companies that regularly engage in large wire transfers.
2. Human Resources. HR represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organization, manages the employee database and is in charge of recruitment.
3. The Executive Team. Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority.
4. IT Management. The IT manager and IT personnel with authority over access controls, password management, and email accounts are also high-value targets.
How Can You Prevent CEO Fraud? Follow These 8 Prevention Steps
(Many of these steps must dovetail closely together as part of an effective prevention program. )
1. Identify Your High-Risk Users
These include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas.
- Review social/public profiles for job duties/descriptions, hierarchal information, out of office detail, or any other sensitive corporate data.
- Identify any publicly available email addresses and lists of connections.
2. Institute Technical Controls
- Email filtering
- Two-factor authentication
- Automated password and user ID policy enforcement
- Comprehensive access and password management
- Whitelist or blacklist external traffic
- Patch/update all IT and security systems
- Manage access and permission levels for all employees.
- Review existing technical controls and take action to plug any gaps.
3. Set A Security Policy
Every organization should set a security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should include such things as:
- Not opening attachments or clicking on links from an unknown source.
- Not using USB drives on office computers.
- A Password Management Policy (no reusing passwords, no Post-it Notes on screens as password reminders, etc.).
- Required security training for all employees.
- A review of policies on Wi-Fi access. Include contractors and partners as part of this if they need wireless access when onsite.
4. Develop Standard Procedures
IT should have measures in place to:
- Block sites that are known to spread ransomware.
- Keep software patches and virus signature files up-to-date.
- Carry out vulnerability scanning and self-assessment using best practice frameworks such as US-CERT or SANS Institute guidelines.
- Conduct regular penetration tests on Wi-Fi and other networks to see just how easy it is to gain entry.
- Utilize Domain Spoof Protection
- Create intrusion detection system rules that flag emails with extensions that are similar to company emails.
5. Cyber-Risk Planning
- Develop a comprehensive cyber-incident response plan and test it regularly. Augment the plan based on results.
- Executive leadership must be well informed about the current level of risk and its potential business impact.
- Management must know the volume of cyber incidents detected each week and of what type.
- Understand what information you need to protect. Identify the corporate “crown jewels,” how to protect them and who has access.
- A policy should be established as to thresholds and types of incidents that require reporting to management.
- Cyber-risk MUST be added to existing risk management and governance processes.
- Best practices and industry standards should be gathered up and used to review the existing cybersecurity program.
- Consider obtaining comprehensive cybersecurity insurance that covers various types of data breaches.
6. Training For All Users
No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimizing the danger, so start here:
- Train users on the basics of cyber and email security.
- Train users on how to identify and deal with phishing attacks with New-School Security Awareness Training.
- Implement a reporting system for suspected phishing emails.
- Continue security training regularly to keep it top of mind.
- Frequently phish your users to keep awareness in mind.
7. Continuous Simulated Phishing
- Run an initial phishing simulation campaign to establish a baseline percentage of which users are Phish-prone.
- Continue simulated phishing attacks at least once a month (twice is better).
- Once users understand that they will be tested on a regular basis and that there are repercussions for repeated failures, behavior changes; they develop a less trusting attitude and get much better at spotting a scam email.
- Randomize email content and the times they are sent to different employees. When they all get the same thing, one employee spots it and leans out of the cubicle to warn the others.
8. Stay Aware of Red Flags
Security Awareness Training should include teaching people to look for red flags. Here are the most common things to watch out for:
- Awkward wording and misspellings
- Slight alterations of company names such as Centriffy instead of Centrify or Tilllage instead of Tillage
- Spoofed email addresses and URLs that are very close to actual corporate addresses, but are only slightly different
- Sudden urgency or time-sensitive issues
- Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information,” which are often used according to the FBI.
Find out what percentage of your employees are Phish-prone by contacting us for your phishing security test. If you don’t do it yourself, the bad guys will. Take the first step now to significantly improve your organization’s defenses against CEO Fraud and cybercrime.
If you found this article helpful, we have many more in Our Blog.