Everything You Must Know About CEO Fraud
CEO fraud is a perfect cybercrime because it exploits the trust of employees who send fraudulent payments. Using a fake email to trick workers into transferring illicit funds is straightforward. This technique is also very efficient—the FBI estimates that CEO fraud costs businesses more than $26 billion annually, making this the most lucrative cybercrime.
We provide an in-depth description of CEO fraud cyberattacks here, providing you with all the information you need to stay safe. We discuss how these attacks occur, provide precluding tips (both for C-level executives and employees), and provide you with what to do if you are a victim.
What is CEO Fraud?
In a CEO fraud scam, a lower-ranking employee dupes into wiring money to a fraudster posing as the COO, CEO, Head of HR, or CFO. Convince the employee to wire money, and the fraudster pretends to be someone with the power to order payments, such as the COO, CEO, Head of HR, or CFO.
An employee could not always order a direct money transfer by a CEO fraud email. A criminal can also request:
- Disclose the company's bank or payroll information.
- Modify the payment information on an existing invoice.
- To purchase gift cards.
- Disclose confidential information that might allow a fraudster to extort or further investigate the organization (such as tax statements, client PII, or company secrets).
CEO fraud harmed US companies by $2.4 billion in losses in 2021 or almost one-third of the overall cost of cybercrime for the year. Here is why these tactics work so well:
- The perception of the hierarchy's differences taints a lower-ranking worker's judgment. Individuals frequently refrain from questioning instructions made by superiors since nobody likes to disappoint or offend their boss.
- The epidemic and the prohibition of in-person meetings increased email use, which provided an ideal environment for CEO fraud.
- CEO fraud is straightforward to execute compared to other cyberattacks and (often) doesn't require significant IT expertise.
- If a con artist succeeds in duping a person, they can go beyond any cybersecurity best procedures, instruments, and guidelines the business has in place.
The $26 billion figure is horrifying, but the actual all-time damage of CEO fraud is likely higher. Many attacks go unreported because organizations often choose not to report small amounts of money they lose to fraud.
How Does CEO Fraud Happen?
Every CEO fraud begins with an in-depth investigation. The attacker gets (at least) two people's identities:
- The executive intends to pretend.
- The person they intend to attack.
The attacker researches employees by:
- They are using social engineering techniques to collect the information (such as phoning and posing as a salesperson to request to speak with the budgeting manager).
- The information gathers from the social media pages, the organization's official website, YouTube channel, etc.
- They are physically visiting the workplace (e.g., attending a job interview or acting as a courier).
During the research phase, criminals may spend weeks or even months developing plans. When they see a "perfect" opportunity, criminals contact the victim via email and request a "fitting" request. They may employ the following techniques:
- To request that HR buy gift cards and deduct them from your bonus payments.
- Tell the finance team to send funds for a past-due invoice or fictional merger.
- Attempts to contact an accountant under the guise of a vendor and announce a change in banking details.
- Request payment of an invoice to a fictional account from the person in charge of paying wages, usually on behalf of a worker who claims not to have received the last paycheck.
Fraudsters use a variety of strategies to dupe workers, posing as executives, lawyers, vendors, etc. The majority of frauds pressure the victim by using urgency.
Attackers use a variety of strategies to collect the relevant data and commit CEO fraud. Let's examine the most common examples.
Domain Spoofing
Domain spoofing is a practice where someone uses a fake website to imitate the appearance and contents of an actual website. It can happen in several ways, including using a fake domain name, page layout, and design. It is a dangerous practice because it allows criminals to steal money, personal information, and other sensitive information from unsuspecting victims. Domain spoofing is also part of cyber-attacks, in which criminals attack websites with fake information to steal information or inject malware into the site. So if you're using the internet, be sure to protect yourself against domain spoofing - it's among the most effective and simplest ways to stay safe online.
Phishing
Fraudsters pose as legitimate sources to transmit phishing emails to workers to "fish out" confidential information, such as:
- Credit card providers.
- Colleagues.
- The IRS.
- Banks.
- Law enforcement agencies.
- Delivery firms.
Phishing enables a criminal to gather information for the upcoming CEO fraud by gathering valuable data through phishing emails. The malware in the phishing email may infect the system and allow the criminal to hack the email account, enabling them to send emails or launch further attacks.
If the scheme succeeds, an intruder can learn a company's hierarchy, calendars, accounts, and other information to plan a phishing attack.
Spear Phishing
Spear phishing is one of the most dangerous types of cyber-attack. Spear phishing is when attackers use emails or other communication tools to steal personal information from their targets. They do this by posing as someone the victim knows - like a friend, colleague, or loved one. The attacker will then try to get the victim to reveal their personal information, like bank account numbers, passwords, or other sensitive information.
Spear phishing is a very effective way of stealing information because it's the perfect tool for stealing passwords and other sensitive information. That's because spear phishing emails designs to look like they come from a trusted source. They often contain links or attachments that the victim will want to view.
Email Account Compromise
There are other methods phishers can use to hack someone's email account besides just forging a CEO fraud. A fraudster looking to pull off a CEO fraud may obtain email credentials in one of the following ways:
- Using a brute-force password tool to try to get access to the user's account.
- Attracting users to phoney login pages by using their social media accounts.
- Finding passwords easy to crack.
- Buying credentials on the dark web.
- Stealing company BYOD devices while employees are not at work.
- Hiring tech-savvy freelancers to provide BEC assistance.
Once cybercriminals get their hands on an email account, they send credible scam messages to employees. It enables hackers to analyze how the manager communicates and mimic their voice style or incorporate commonly used catchphrases. In addition, they also obtain accessibility to all prior emails, enabling cybercriminals to evaluate how the manager imitates and communicates their tone of voice or incorporates commonly used catchphrases.
Who is Most Likely to Become the Victim of CEO Fraud?
According to cybersecurity studies, CEOs are often the target of employee fraud, so "building a wall" around employees who authorize money transfers is not enough to prevent this type of crime.
CEOs target employees to steal personal data and hard currency to fund criminal enterprises. These are the target groups:
- Human resources: HR has access to every employee in the company and maintains the personnel database, so this area contains all the data necessary for CEO fraud. The criminals send out an infected CV and hope the recipient accidentally gives them access to company data.
- Finance department: Chief executives of companies that handle finances are prime targets for financial fraud. Email notifications from senior positions are the only requirement in many sloppy policies, making them attractive targets for criminals.
- IT department: Hackers can access every part of an organization if they obtain the credentials of an IT manager. In addition, authority over access controls and password management is a target.
- C-level executives: CEOs rely on their executive team members to authorize financial transactions, making them the prime targets for money laundering schemes. These individuals must protect themselves from fraud.
Examples of CEO Fraud
To give you an idea of how these frauds work, let's look at some of the biggest CEO frauds:
- Pathé: In March 2018, an internet scam cost France's independent film group $22 million. According to police reports, criminals sent several emails from the CEO's address and asked targets to send money to four different accounts. The scammer supposedly told victims the funds required to acquire an unnamed Dubai-based company.
- Toyota: On August 14, 2019, a scammer duped an employee working at Toyota's European subsidiary accounting department into sending $37 million to a bogus account. The criminal claimed to be a high-ranking executive and said the company needed the money to keep production going.
- Crelan: Crelan Bank was the victim of CEO fraud in May 2016, when scammers tricked employees into unlawful money transfers using a strategy that the company did not reveal. Over $70 million in losses were reported, according to the bank.
- Puerto Rican government: On January 17, 2020, Puerto Rico Industrial Development Company lost $2.6 million in a CEO phishing scam. A crook posed as a beneficiary and asked the victim to change a bank account linked to remittances.
- FACC AG: In January 2016, Austria's biggest aerospace company reported $50 million in fraud losses. The criminal used an executive's compromised account to steal the money.
CEO Fraud Prevention
The best ways to combat the risk of CEO fraud are listed below.
Tips for Companies
- Require authorization for all transactions (plus quadruple verification for any transaction over $5000).
- Educate the staff about fraud strategies utilizing regular training sessions.
- Set up a disaster recovery plan to ensure you react rapidly in case of successful CEO fraud.
- Set strict guidelines for transferring payment details.
- Perform penetration testing to assess how the staff deals with realistic phishing simulations.
- Make sure all employees use two-factor authentication on email accounts.
- Establish strict, zero-trust security policies and monitor them regularly.
- Use DKIM and SPF domain keys to control email activity (identify the message (DKIM) and
- Limit the data you disclose on official websites, job descriptions, and social media profiles.
- Ensure executive staff members at the highest level are protected (HR, Accounting, Information Technology, and so on).
- Install anti-malware tools, firewalls, intrusion detection systems (IDS), and email filters.
- Enforce strict, unique passwords and renew them every few weeks.
- Sender policy framework (SPF)).
- Register as many domain names as possible that are similar to your company's name.
Tips for Individual Employees
- Make sure to check out the sender of every email before clicking on any links.
- Verify all transactions and purchase requests in person.
- Before opening any attachments, scan them with an anti-virus utility.
- Report suspicious activity to the security team.
- Do not share personal details on social media that can aid scammers in gaining access to passwords.
- Recognize phishing red flags in email messages. When you hover over a link, check the URL first. Never download material from an unknown email address.
How to Report CEO Fraud?
Listed below is a step-by-step guide on what to do if you've fallen victim to CEO fraud:
1. Contact Your Bank ASAP
- Tell the bank about the fraudulent wire transfer.
- Provide all the essential information, such as the amount and where the money goes.
- Ask whether they can contact the bank on the receiving end and have them prevent the withdrawal or further transfers.
2. Contact Attorneys
- Contact your lawyer and let them know about the incident.
- Please provide as much information about the incident as possible so they can begin strategizing on potential legal issues.
3. Reach Out to Law Enforcement
- Prepare a report for the officials with all relevant info (transaction details, date and time, email and IP addresses, accounts of previous phishing activity, etc.).
- If you're in Europe, call Europol. If you operate in the US, contact your local FBI office and identify the incident as BEC. Otherwise, reach out to the local police department.
4. Brief Your Senior Management
- Invite all executives to an emergency meeting.
- Describe the incident, what actions you've already taken, and any plans.
- Convey to any third parties affected by the incident, such as suppliers or companies with which you store data.
5. Conduct IT Forensics
- A security team should investigate the breach and determine the attacker's entry method. After the accounts have been secured and the malware eliminated, create a plan to prevent future incidents.
Want Guaranteed Protection Against SIM Swap? Reach Out to Us.
Is your cellphone vulnerable to SIM Swap? Get a FREE scan now!
Please ensure your number is in the correct format.
Valid for US numbers only!
SIM Swap Protection
Get our SAFE plan for guaranteed SIM swap protection.