CEO Fraud is nasty and it can ruin both businesses and careers. More than 22,000 organisations across the world have been victims of CEO Fraud with losses estimated at more than £3 billion. In this article, we look at what CEO Fraud is and the techniques that can be used to help prevent it from happening to you.
What is CEO fraud?
CEO Fraud involves convincing somebody in your business to make what they think are legitimate payments but which are actually paid to fraudsters. The scam is often carried out by compromising business email accounts through the use of techniques such as social engineering or computer intrusion.
It’s not just email accounts that can be compromised; the criminals are also known to misuse phone numbers. This process involves the criminals obtaining the phone number of a CEO and sending a text message to the CFO (Chief Financial Officer) which appears to come from the CEO. The message asks the CFO to make a bank transfer. To make it more realistic, these cyber-criminals often wait until the CEO is away on business, and the unlucky recipient of the text message is oblivious to the fact that it’s not a legitimate request. In addition, the criminals will often ask the recipient not to contact them as they “are in an important meeting” and “it needs paying promptly”.
While you may think it’s just the larger businesses which are targeted, smaller businesses are just as likely to be hit – the criminals don’t discriminate, everyone is a target.
While it is probably impossible to predict which business will be attacked and when, it is useful to understand some of the methods the criminals often use.
- Phishing: These are emails sent in large numbers to numerous accounts simultaneously in order to “phish” sensitive information by posing as legitimate sources. These emails are getting much more sophisticated – gone are the days of poorly worded emails that were obviously fake. They often carry logos, are well-written and look like they could be from a bank, credit card provider, law enforcement or government agency, delivery company etc. Many recipients won’t use the bank or service provider the email claims to be from, but because of the sheer number sent out, a certain percentage still hit. The criminals are smart and may change the spelling of words in ways that can easily catch you out. For example, an email from [email protected] seems legitimate, doesn’t it? Unfortunately, this is NOT from Companies House. Notice the spelling of webfiling at the start of the address and webfilling at the end.
- Spear Phishing: These attacks are emails which usually only go to one person or a small group of people at the most. They are much more focused and the cyber-criminals have often done their homework on the target by gathering data from social media sites in order to fool the unfortunate target. Usually some form of personalisation is included such as the person’s name or client’s name.
- Executive “Whaling”: This one can be very sophisticated. The criminals have detailed knowledge of who they are targeting and the business they are attacking. They target the top executives and administrators to draw money from accounts or to steal confidential information.
- Social Engineering: This is the psychological manipulation of people to trick them into giving away sensitive information or providing access to funds. All of the previous methods are aspects of social engineering. The act of social engineering might include mining social media sites such as Facebook and LinkedIn. These sites provide a wealth of information about a company and its individuals, such as names of staff, contact numbers and email addresses.
Unfortunately, these scams have a fairly high success rate. The Verizon 2016 Data Breach Investigations Report revealed that 30% of recipients open these phishing emails and thus provide an open gateway for malware to infect their systems and the possibility of CEO Fraud.
Most of the following steps should link together to form an effective prevention plan, creating ‘layers of defence’.
- Training: While all the steps below will help, if a member of staff isn’t properly trained a breach could be inevitable. Make sure all staff are aware of the things to look out for when opening emails, and provide general security awareness training. Is the email sender legitimate? Always be sceptical, and hover over links to see if they’re going where they say they are going. Beware slight changes in company names (r and n together to imitate an m). Another tell-tale sign is emails requiring urgent action.
- Technical controls: Email filtering is an example of this. If you don’t have a filter, you need one. If you do have one, you need to make sure you understand its features to get the most out of them, and also accept that mail filtering won’t always prevent phishing emails coming through. Two-factor authentication, such as sending a code to your mobile phone, is a good way of making it harder for the criminals to steal sensitive information.
- Simulated Phishing: This should accompany the training. It is the process whereby staff are deliberately sent test phishing emails to see which staff are at risk and who needs more training.
- Identifying high-risk job roles: High-risk roles include accounting, payroll / HR and IT staff. It is recommended to impose more safeguards in these areas such as having layers of authorisation before, for example, a payment to an account can be completed. It is important to assess all high-risk staff to see how exposed they are.
- Security policy: While every company should have a security policy, it does sometimes slip under the radar when there are more important things to deal with. But in this day and age, when cyber-attacks are frequent, it should be on your to-do list. It should be reviewed regularly for gaps and should be published somewhere that all staff can find it. It should include things such as staff not opening attachments or clicking on links from unknown sources, a password management policy (not reusing work passwords on other sites or machines), not using USB sticks on office computers, and much more security diligence.
- Procedures: IT should have security measures in place to block sites known for spreading ransomware. All software security patches and virus signature files should be kept up to date, penetration tests should be conducted on Wi-Fi to determine how easy it is to gain entry, backups should be checked to ensure they are actually working, and much more.
- Cyber-risk planning: This is no longer just a technical problem or just an IT problem. This should be managed from the very top (the CEO) so they are aware of the company’s cyber risks and how they can manage those risks. CEO Fraud should certainly be included in the risk management assessment.
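As an added example (not code from the original article), the following check puts the advice in the Phishing and Training points into practice on the defender's side: it flags a sender domain that is a near miss of a trusted domain, including the "rn" read as "m" trick and a trusted name reused as a subdomain of someone else's domain. The trusted-domain list, the confusable-character table and the sample addresses are all constructed for the example.

```python
# Lookalike-sender check (hypothetical helper, written for this example).
# Flags From: addresses whose domain is a near miss of a trusted domain.

# Constructed list of domains the business expects mail from.
TRUSTED_DOMAINS = {"companieshouse.gov.uk", "example-bank.co.uk"}

# Character sequences that look like a single letter in many fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalise(domain: str) -> str:
    """Lower-case the domain and collapse visually confusable sequences."""
    d = domain.lower()
    for seq, rep in CONFUSABLES.items():
        d = d.replace(seq, rep)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain of an address."""
    if "@" not in address:
        return "unknown"
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted"
    # Trusted name used as a subdomain of a different registered domain.
    if any(domain.startswith(t + ".") for t in trusted):
        return "lookalike"
    norm = normalise(domain)
    for t in trusted:
        nt = normalise(t)
        # Identical once "rn" is read as "m", or within a couple of edits.
        if norm == nt or edit_distance(norm, nt) <= max_dist:
            return "lookalike"
    return "unknown"
```

A 'lookalike' result is a prompt for a phone call to a known number, not proof of fraud; a mail filter rule could quarantine such messages for review.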
CEO Fraud and cyber-attacks in general are more frequent now than they ever were. It is wise to review your procedures and put the appropriate controls in place to stop it from happening to you. It could save you a lot of money.
If you would like to discuss any of this further, please get in touch.