What is CEO Fraud?

CEO fraud is a cyberattack in which scammers impersonate a company executive through a spoofed or compromised email account to obtain money. The fraudster uses a cloned business email account of a senior executive known to the target employee to issue urgent instructions. Purporting to be the company CEO or CFO, the scammer sends an urgent email directing an employee to pay an outstanding invoice using new account details.

Fraudsters take time to research the target company, the CEO’s communication habits, the target employee, and the payment systems. They collect information on outstanding suppliers’ invoices to make the attack more persuasive, then leverage the CEO’s authority to issue instructions that employees follow without further questions.

Common attack methods in CEO fraud

CEO fraud perpetrators use two preferred methods to execute their scams on unsuspecting company staff. One is spoofing or taking over the email addresses of top executives and finance personnel and impersonating them through those addresses. This is business email compromise (BEC): the attacker mimics or controls the CEO’s official email address and uses that channel to issue payment instructions to junior staff.

The second method, which usually precedes the first, is phishing: social engineering attacks on selected employees to gather critical information. The purpose of these phishing attacks is to trick target employees into releasing sensitive information using malicious emails designed to appear to come from known senders. At times they involve misleading employees into installing malware on company computers to harvest data for the scammers.

The objective is to collect as much information as possible on the target company’s internal operational systems and communication protocols. Once the fraudsters have this information, they register domains similar to the company’s but with slight, easily overlooked misspellings. With this in place, they create an email address in the CEO’s name and use it to send payment instructions to an employee.

Laying the ground for a CEO fraud attack

A CEO fraud attack starts with a detailed reconnaissance phase in which the fraudsters comb through the organization’s website looking for vital information. The information sought includes the internal employee structure, names of executives, communication protocols, names of employees in the payments office, and possibly the organization’s suppliers. This is where organizations can benefit from professional advice on what sensitive information should, and should not, appear on their public website.

Once the fraudsters have sufficient information on a target organization, they register a domain name that looks similar to the official one. The scammer then creates an email address using the CEO’s name on the fraudulent domain and uses it to initiate communication with the target employee. With the information they hold on the organization’s regular suppliers, the fraudsters know which pending payments they can prompt an employee to settle urgently via wire transfer.

CEO fraud targets an organization’s top-ranking executives with operational authority. The CEO, CFO, and COO are the most common targets whose email identities the fraudsters spoof or compromise and use to send instructions to payments officers. The fraudsters will often follow up with a phone call, purporting to be from the supplier and enquiring about the transfer, to make the request more persuasive.

How to detect attacks

CEO fraud that uses phishing emails to gain access to an organization’s internal systems is an ever-present threat. Even the most vigilant IT security staff and filtering software will occasionally miss a phishing email that slips through unnoticed. That possibility calls for additional measures, including staff training so that employees who handle online communication know how to spot suspicious emails.

Trained employees can detect red flags in suspicious emails or phone calls purporting to come from trusted sources. Emails sent from public domains, or from what appear to be corporate domains with misspelled names, are clear red flags, and an employee receiving one should verify directly with the supposed sender. Fraudsters have no training in corporate communication and often use poor grammar and bad spelling, another giveaway to watch for.
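The red flags described above can be checked mechanically on a message’s sender headers. The following Python script is an added example, not code from the original article; the corporate domain, executive name list and sample message are constructed assumptions.

```python
"""Flag CEO-fraud red flags in a message's sender headers (added example)."""
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"        # assumed corporate domain
EXECUTIVES = {"jane doe"}               # assumed executive display names, lower-case
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character domain misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(raw_message: str) -> list[str]:
    """Return the red flags found in the From, Reply-To and DMARC result headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    if domain in FREEMAIL:
        flags.append("sender uses a public mail domain")
    elif domain != CORP_DOMAIN and edit_distance(domain, CORP_DOMAIN) <= 2:
        flags.append(f"look-alike domain {domain!r} resembles {CORP_DOMAIN!r}")
    if name.lower() in EXECUTIVES and domain != CORP_DOMAIN:
        flags.append(f"executive display name {name!r} on external domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to!r} differs from From")
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        flags.append("DMARC authentication failed for the sending domain")
    return flags

# Constructed sample: the CEO's name on a look-alike domain ('I' in place of 'l').
SAMPLE = """\
From: Jane Doe <jane.doe@exampIe-corp.com>
Subject: URGENT wire transfer - new supplier account details
Authentication-Results: mx.example-corp.com; dmarc=none

Please settle the attached invoice today using the new account details.
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

The same checks can run as a mail-gateway rule or a mailbox add-in; a hit should route the message to the security team rather than block it silently, so the employee still learns why it was held.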

An employee who spots such an email should first verify with the executive who supposedly wrote it and then report it to the internal cyber-security team. If money has already been sent, contact the bank immediately for possible recovery measures and inform law enforcement.

How to prevent CEO fraud

Since costly cyberattacks are not about to go away, organizations have to stay several steps ahead of them with better security and staff training. Employees are the organization’s primary asset and are often the targets of these fraud attacks. Begin by training staff in cyber-security for handling online communication and equip them with the skills to detect malicious emails.

Install access and security controls such as DMARC and email filters to block malicious emails before they reach users’ inboxes. The organization should also implement a more stringent wire-transfer policy that requires more than an email instruction before funds are released, to protect employees from social engineering.

Continuously review your financial systems against the organization’s overall cybersecurity standards for better protection against email fraud. Internal training using simulated social engineering and phishing emails sent to employees to gauge their awareness can help curb attacks. Keep systems updated, train continuously, and plan for residual risk by taking appropriate insurance.

The impact of CEO fraud on businesses

Large and small businesses alike have lost millions of dollars to CEO fraud. Xoom, for example, lost over $30 million to CEO fraud, and the CFO involved was forced to resign. Cyber-fraud can be costly to a business, and a single successful attack can lead to bankruptcy for a small enterprise that falls victim.

While money is the most common loss for organizations, the threat also targets employees’ data, which can be used elsewhere fraudulently. A successful hit on the HR department can expose vital employee data, including personally identifiable information (PII), that fraudsters can harvest for identity theft. Staff who fall for this scam and wire out company funds often lose their jobs. To pre-empt the increasing and costly attacks, businesses have to spend heavily on cybersecurity systems and staff training. For organizations, protection is as costly as the threat, and the financial impact is profound.
