It's 4:45 pm and you're starting to shuffle papers around on your desk, minimising windows on your desktop and preparing to go home. An email notification pings across your screen and you do a double-take. It's from the CEO of the company, who is meant to be away on holiday. It reads:
Are you still in the office? Sorry to keep you, but this is urgent. I need to you to please make a wire transfer in the amount of £30,000 to our partners at the London office. Email me with confirmation when you've completed the transfer. See the attached picture with the account number and other details. Thanks.
You hesitate, wondering why the CEO would be writing on her holiday and send a quick email back with a question to clarify. The "out-of-office" automatic reply comes back, and you quickly decide to proceed with the transfer. After all, if she's not answering emails, then the one she has just sent must be intentional and urgent. You quickly enter the account details and process the transfer, but as soon as you've completed it, your stomach turns. You cross-check the account number against the official list and your jaw drops in disbelief. Is it possible that you've just been scammed out of £30,000?!
CEO Email Fraud is an increasingly common cyber threat with alarming consequences for your company. According to Symantec's 2018 Internet Security Threat Report, 55% of all emails are spam. It is estimated that from 2013-16, business email compromise cost businesses over $5 billion worldwide.
Phishing scams come in many forms, from spear-phishing (targeting a specific individual) to executive 'whaling', which relies on impersonation of top executives.
The example above may seem too obvious, but it is entirely based on real CEO fraud attempts that occur every day. Think about how many emails you receive in a single day. If 55% of them are spam, it is easy to be confused or tricked by something that is just slightly out of the ordinary in the midst of the daily flood of emails.
So, what were the tell-tale signs in the example above?
- Sense of Urgency
- Urgency adds pressure, and phrases like 'important', 'process this ASAP', 'tell me as soon as it's done' can convince the target to move forward without stopping to evaluate the credibility of the request.
- Targeting Specific Employees
- This could be targeting a newer employee who is less likely to know the proper procedures, or an employee who has access to key information like bank details.
- Out of Office Messages
- Scammers use these messages as a way to reassure their target that they are actually talking to the CEO or whomever they are impersonating, especially if the target knows the CEO's schedule and location.
- Changing Details Just Slightly
- When only one letter or number has been changed in an email address, a display name or an account number, it is easily missed, especially when the request arrives under time pressure.
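As an added illustration of the "changing details just slightly" tell (example code written for this page, not code from the original article), the check below inspects a From: header for three signs of executive impersonation: the display name claims an executive's name but the address is not theirs; the address is a single character away from a real executive's address; or the domain is a typo or homoglyph lookalike of the company domain. The company domain, the executive directory and the sample headers are all constructed for the example.

```python
"""Heuristic check for executive impersonation via slightly altered sender details.

Added example, not code from the original article. The company domain,
executive directory and sample headers below are constructed for illustration.
"""
from __future__ import annotations

from email.utils import parseaddr

# Hypothetical company domain and directory of executives worth impersonating.
COMPANY_DOMAIN = "example.co.uk"
EXECUTIVES = {"jane.smith@example.co.uk": "Jane Smith"}

# Character sequences that read alike in many fonts; folded before comparison.
# Order matters: multi-character sequences are folded before single characters.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "i": "l"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(s: str) -> str:
    """Map lookalike sequences to their plain form so 'exarnp1e' compares equal to 'example'."""
    for lookalike, plain in HOMOGLYPHS.items():
        s = s.replace(lookalike, plain)
    return s


def check_sender(from_header: str) -> list[str]:
    """Return the reasons a From: header looks like executive impersonation.

    An empty list means none of the three tells below fired. A genuine
    executive address passes here; SPF/DKIM/DMARC alignment is still needed
    to catch outright forgery of that address.
    """
    display, addr = parseaddr(from_header)
    display, addr = display.strip().lower(), addr.lower()
    if addr in EXECUTIVES:
        return []

    reasons = []
    _, _, domain = addr.rpartition("@")

    for exec_addr, exec_name in EXECUTIVES.items():
        # Tell 1: the executive's name in the display field, but not their address.
        if exec_name.lower() in display:
            reasons.append(f"display name '{display}' claims to be {exec_addr} but address is {addr}")
        # Tell 2: the whole address is a single character away from the real one.
        if edit_distance(addr, exec_addr) == 1:
            reasons.append(f"address {addr} is one character off {exec_addr}")

    # Tell 3: the domain is a lookalike of the company domain (typo or homoglyph).
    if domain != COMPANY_DOMAIN and (
        fold_homoglyphs(domain) == fold_homoglyphs(COMPANY_DOMAIN)
        or edit_distance(domain, COMPANY_DOMAIN) == 1
    ):
        reasons.append(f"domain {domain} is a lookalike of {COMPANY_DOMAIN}")
    return reasons


# Constructed sample From: headers: one genuine, four impersonation attempts, one unrelated.
SAMPLE_HEADERS = [
    "Jane Smith <jane.smith@example.co.uk>",
    "Jane Smith <jane.smith@examp1e.co.uk>",
    "Jane Smith <jane.smith@exarnple.co.uk>",
    "Jane Smith <jane.smlth@example.co.uk>",
    '"Jane Smith - CEO" <jsmith.ceo@freemail.example.com>',
    "Bob Jones <bob.jones@supplier.example.net>",
]


def scan(headers: list[str]) -> dict[str, list[str]]:
    """Run check_sender over a batch of From: headers."""
    return {h: check_sender(h) for h in headers}


if __name__ == "__main__":
    for header, reasons in scan(SAMPLE_HEADERS).items():
        print("SUSPICIOUS" if reasons else "ok        ", header)
        for reason in reasons:
            print("    -", reason)
```

Run it as a script to see which of the constructed headers are flagged and why. It is a heuristic to sit alongside SPF, DKIM and DMARC checks at the mail gateway, not a replacement for them, and neither a flagged nor a clean result substitutes for confirming an unusual payment request by phone on a number you already hold.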
CEO fraud doesn't rely on advanced software for its success. Rather, it's an advanced form of 'social engineering': the cyber criminal invests in reconnaissance of your organisation (who reports to whom, who can authorise payments, when the CEO is travelling) in order to gain the information they need to make a credible attempt at a scam.
The cyber criminal's ultimate goal is to infiltrate your organisation through a simple deception and then be able to move around unnoticed to steal data, encrypt files, mine cryptocurrencies on your computer or steal as much money as possible.
5 steps you can take to prevent CEO email fraud
- Understand Who is at Risk
- Your C-suite executives face the highest risk of being impersonated this way, and the finance staff who can move money are the most likely recipients. HR managers are also valuable targets because of their access to information about every employee in your organisation. CEO email fraud is a risk for the entire company, because every employee is a point of entry into your systems.
- Put IT Security First
- Advanced Email Security Solutions from our partners like Mimecast and the Email Laundry are an excellent choice for verifying attachments, identifying fraudulent senders and protecting your network from these advanced phishing scams. Focus on creating a secure IT infrastructure with well-configured firewalls, cloud-based two-factor authentication and endpoint security for every device that connects to your network. All of these services can be seamlessly integrated and supported with 24/7 threat monitoring.
- Invest in Security Awareness Training
- Security Awareness Training helps your team members to slow down and evaluate the authenticity of their emails and attached files. If you see a malicious email, tell your colleagues and report it to IT: all too often, the same email has been sent to a number of people in the organisation, so flagging it protects them as well as you.
- Set a Chain of Command
- The urgency of many phishing scam emails can interrupt normal procedures by isolating an individual and demanding that they comply with the request before consulting anyone else. Your team members should know exactly who to ask before completing extraordinary funds transfers or sharing sensitive data, and any unusual payment request should be confirmed through a separate channel, such as a phone call to a number you already hold, never by replying to the email itself. Having a defined process and a chain of command in place removes ambiguity and the temptation to act out of urgency.
- Pay Attention to the Information You Share
- Social engineering is becoming incredibly sophisticated. Fraudsters can gain an incredible wealth of information about you (including who your superiors and colleagues are) from corporate websites or social media profiles like LinkedIn and Twitter, so be careful about what you share. Be discerning about who you accept as a connection, particularly if it comes without an introduction.