What is CEO fraud, why is it so prevalent, and how can organizations recognize and defend themselves against these scams?
A little role-playing. You’re in the office, it’s 4:15 p.m., and you receive a message from your company’s VP of Finance. An urgent transfer of funds is required to finalize an agreement with a major partner, and the transfer must be sent by the end of the day. How do you respond?
What is CEO fraud?
CEO fraud is a form of spearphishing attack that targets members of the company’s finance or accounting team. While in a whaling type attack criminals target senior management, in the case of the CEO fraud, they try to impersonate executives to convince the email recipients to quickly transfer money for a supposedly critical operation for the organization. However, the money is transferred to an account under the control of cybercriminals.
As you read this, you may be thinking that you would never fall for it. After all, you know your superiors well and would easily recognize their email addresses or phone numbers. Yet, the FBI estimates that, between 2016 and 2019, Business Email Compromise (BEC) generated losses of US$26 billion.
The Canadian city of Ottawa was among the victims in 2018. The city treasurer, Marian Simulik, received a scam email and wired over CA$100,000 to fraudsters. A few days later, she received another fraudulent email, asking to wire another CA$150,000. Luckily, Simulik received the second email while in the same room as City Manager Steve Kanellakos, who the fraudsters were impersonating. She asked him if the request was legitimate, which blew the lid off the scam.
In order to convince their targets, scammers use various schemes. As in many scams, criminals use social engineering. They evoke a sense of urgency in their target in order to incite the employee to act quickly and by asking a minimum number of questions. In addition, taking the identity of an executive to address a specific employee for an essential and urgent request can generate a sense of pride. Who wants to take the risk of disappointing an executive who trusts us?
Criminals also work upstream to steal the required identity. Finding the names of the company’s senior executives usually requires only a simple online search, probably on the company’s own website. Name theft thus adds credibility to their attempt.
The next step involves imitating or spoofing the email address. The easy method is to create a fake email address that looks like the legitimate one. For example, email@example.com could become firstname.lastname@example.org (note the missing ‘r’ in ‘your’). They can also use email spoofing, or email address spoofing. In this case, the sender’s address would appear in the message as email@example.com, but actually be forged. In both cases, clicking ‘Reply’ would send the email directly to the scammer, rather than the legitimate recipient (or the similar email).
How to protect your organization
The first step an organization can take to protect itself from this type of fraud is a clear and robust financial transaction protocol. For example, requiring the approval of at least two authorized persons for any transfer can be part of the rules. Rules on the types of transfers can also be implemented.
As is usually the case with fraud prevention, awareness training and vigilance are once again your allies. Since this type of fraud targets specific corporate departments, special emphasis should be placed on the members of these teams, particularly with respect to the protocols in place and the means of detecting these scams. The basic measures for recognizing phishing attempts remain just as valid here; not succumbing to pressure and a sense of urgency, carefully checking details such as names, source addresses and signatures.
Inviting employees not to reply directly to a suspicious e-mail, but rather to contact them directly by phone – using the official number, rather than the one in the message signature – can also prevent damage. In the above example, Ms. Brown could confirm in a quick phone call from her associates that it was an attempt to defraud and not a request on her part.
Whether it’s 9:10 a.m. or 4:15 p.m., there are no bad times to remind the entire team of fraud prevention measures; and there are no bad times to implement them. As the saying goes, “an ounce of prevention is worth a pound of cure.”
As a continuation of our Fraud Prevention Month special series, our next two weekly articles will focus on one of the most popular tactics used by scammers: social engineering.
In the meantime, we encourage you to read our interview with ESET Chief Security Evangelist Tony Anscombe, who spoke about what people and businesses can do to avoid falling prey to various types of online fraud.