Phishing attacks have been around for decades, and cybercriminals keep developing more cunning and targeted variants. CEO fraud is a growing type of phishing scam. A 2020 report claims that the CEO email scam experienced a 48% increase in the second quarter of 2020.
These CEO-targeted crimes can cost organizations billions of dollars in losses or even ruin their reputation. Organizations therefore need to understand how these crimes work before they can implement effective CEO fraud prevention measures.
This article discusses the types of CEO email frauds and how to prevent them.
But first, what is CEO fraud?
What is CEO Fraud?
Another name for CEO fraud is whaling. It’s a type of Business Email Compromise (BEC), where attackers use the CEO or another high-level company executive’s email address and credentials. This targeted phishing attack type uses sophisticated social engineering techniques to convince employees to perform fraudulent actions.
The 2021 Anti-Phishing Working Group Phishing Activity Trends report found that Business Email Compromise attacks are becoming increasingly costly for organizations. In successful attacks, the average wire transfer increased from $48,000 to $106,000—more than double the previous year. Given such numbers, it’s no surprise that the FBI named BEC a $26 billion scam. These scammers impersonate top-level business personnel because those people have the authority to request large wire transfers or confidential data from employees.
CEO Fraud Email Examples
Familiarizing yourself with some CEO email fraud examples will help you understand the scam and its adverse impacts on businesses.
In 2019, Japan’s Toyota Boshoku Corporation fell victim to a BEC attack that cost $37 million. The CEO fraud scammer convinced a Toyota employee to wire $37 million out of the European subsidiary to a foreign account.
BEC attacks are on the rise, and this scam was the third acknowledged attack on Toyota that year. Security experts said that Toyota should’ve been on the lookout for such scams.
Another CEO email scam example is the Obinwanne Okeke BEC scheme in February 2021, resulting in at least $11 million in losses to his victims. The scammer used phishing emails to secure credential logins of top business officials, including the CEO of Unatrac Holdings Limited—the export sales office for Caterpillar heavy industrial and farm equipment.
In early 2020, the Puerto Rican government fell victim to a BEC scam that siphoned more than $2.6 million. The company’s executive director suspended 3 employees, claiming they didn’t follow rigorous procedures.
Signs and Tactics of CEO Email Fraud
Cybercriminals employ different tactics to carry out CEO email fraud. It’s imperative for organizations to identify the signs so they can implement countermeasures to prevent such attacks.
Look Out for The Signs
Because of the negative impact on business continuity, organizations must recognize the signs in order to stop CEO fraud attacks. During these attacks, scammers use advanced social engineering techniques to pressure victims and make them believe the request is urgent.
The scammer may also send the mail from a mobile device (or make it look that way) so the employee assumes the CEO is out of the office and cannot be reached. You should also look out for spelling errors, poor sentence construction, and grammatical mistakes.
CEO Email Fraud Tactics
CEO fraud begins with a scammer spoofing the CEO’s real email address and sending employees phishing emails that appear to come from the CEO. If the employee takes the bait, they may wire money to the attacker, disclose company information, or grant unauthorized access to company assets.
Scammers usually take their time to understand the organizational structure to seem more legit when posing as the company’s CEO.
In some cases, BEC scammers use malware to infiltrate an organization’s network and read legitimate email threads about invoices and billing. They then reuse that information in phishing emails sent to the finance department in the CEO’s name, which makes the dubious request look far more legitimate.
CEO Fraud Prevention
Like other phishing attacks, CEO email fraud is difficult to spot. But with proper cyber awareness and security measures, you can defend your organization’s assets from BEC scams.
Here are some CEO fraud prevention tips to guard your organization against these BEC and other related phishing attacks.
1. Protect Your Email Infrastructure With DMARC
The initial weakness in most organizations is that they ignore simple email security controls. Implementing DMARC closes the door on the main vulnerability that gives way to CEO fraud—spoofing of your own domain. Once DMARC is deployed, you receive aggregate reports, can monitor which sources send mail as your domain, and can block illegitimate senders from using it.
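The value of DMARC depends on what the published record actually says: a record with p=none only monitors, and a low pct or sp=none leaves gaps. The following is an added example (not code from the original article or from any DMARC vendor) that parses a DMARC TXT record and reports which settings still leave the domain spoofable. The domain names and records in it are constructed placeholders, not real DNS data.

```python
# Added example: parse a DMARC TXT record and flag settings that leave a
# domain open to spoofing. The sample records and domains below are
# constructed for this example; they are not real DNS records.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    has_aggregate_reports: bool
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when all failing mail is quarantined or rejected."""
        return self.policy in ("quarantine", "reject") and self.pct == 100


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into lower-cased tag/value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Return an assessment of how much protection the record really gives."""
    if record is None:
        a = DmarcAssessment(None, None, 0, False)
        a.findings.append("no DMARC record: spoofed mail from this domain is not policed")
        return a
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        a = DmarcAssessment(None, None, 0, False)
        a.findings.append("record does not start with v=DMARC1; receivers will ignore it")
        return a
    policy = tags.get("p")
    sp = tags.get("sp", policy)  # sp defaults to p when absent
    raw_pct = tags.get("pct", "100")
    pct = int(raw_pct) if raw_pct.isdigit() else 100
    has_rua = "rua" in tags
    a = DmarcAssessment(policy, sp, pct, has_rua)
    if policy == "none":
        a.findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        a.findings.append(f"unknown or missing policy tag p={policy!r}")
    if policy in ("quarantine", "reject") and pct < 100:
        a.findings.append(f"pct={pct}: only part of the failing mail is acted on")
    if sp == "none" and policy != "none":
        a.findings.append("sp=none: subdomains stay spoofable although the apex is enforced")
    if not has_rua:
        a.findings.append("no rua= address: you will get no aggregate reports to find spoofing sources")
    return a


# Constructed sample records for three hypothetical domains.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@partial.example",
    "strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; ruf=mailto:dmarc@strong.example",
}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{domain}: enforcing={result.enforcing}")
        for finding in result.findings:
            print("  -", finding)
```

To check a real domain, fetch the TXT record at `_dmarc.<domain>` with your resolver and pass the string to `assess_dmarc`; the function only reads the record text, so it works offline on the constructed samples above.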
2. Do You Recognize the Sender Email Address?
When you receive an email, the first question to ask yourself is: “Do I recognize the sender’s email address?” Attackers use domain impersonation tactics to make you believe the email is legit.
If your domain name is abcbank.com, attackers can use abdbank.com. An employee who isn’t patient or observant will think the two email addresses are the same. That’s why it’s vital that you and your employees double-check the email address to confirm its authenticity.
3. Is There Anything Unusual or Urgent in the Email?
CEO email scam attackers use social engineering tactics to create a sense of urgency. Does the email make unusual requests, such as an urgent money transfer or information about company assets and clients? If so, question the source. It is also important to check the email for malicious URLs. If you are unsure whether an included URL is malicious, scan it with a reputable URL checker before clicking.
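The sender-address check in tip 2 and the urgency check in tip 3 can both be turned into a triage rule that runs before a message reaches the finance team. The block below is an added example (not code from the original article) that scores an inbound message for those signals: a sender domain within a couple of edits of our own (the article’s abcbank.com versus abdbank.com case), an executive’s name on an outside address, a Reply-To pointing elsewhere, and urgent payment or data-request language. The domain, executive name, keyword lists and sample messages are all constructed assumptions for the demo.

```python
# Added example: score an inbound email for CEO-fraud signals. OUR_DOMAIN,
# EXECUTIVE_NAMES, the keyword lists and both sample messages are constructed
# for this demo; tune them to your own organization.
from email import message_from_string
from email.utils import parseaddr
from typing import List, Tuple

OUR_DOMAIN = "abcbank.com"          # the article's example domain (placeholder)
EXECUTIVE_NAMES = {"jane doe"}      # constructed: display names to treat with care

URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "confidential")
REQUEST_TERMS = ("wire transfer", "wire", "transfer", "payment", "invoice",
                 "gift card", "bank details", "w-2", "client list")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; abdbank.com is one edit away from abcbank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, ours: str = OUR_DOMAIN) -> bool:
    """A domain that is not ours but within two edits of it is a lookalike."""
    domain = domain.lower()
    return domain != ours and edit_distance(domain, ours) <= 2


def score_message(raw: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); a higher score means more CEO-fraud signals."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()

    score, reasons = 0, []
    if lookalike(domain):
        score += 3
        reasons.append(f"sender domain {domain} looks like {OUR_DOMAIN}")
    if name.lower() in EXECUTIVE_NAMES and domain != OUR_DOMAIN:
        score += 3
        reasons.append(f"executive name '{name}' on outside address {addr}")
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1] != domain:
        score += 2
        reasons.append(f"Reply-To goes to a different domain: {reply_to}")
    if any(term in text for term in URGENCY_TERMS):
        score += 1
        reasons.append("urgency language in subject or body")
    if any(term in text for term in REQUEST_TERMS):
        score += 1
        reasons.append("asks for a payment, transfer or sensitive data")
    return score, reasons


# Constructed sample messages (not real mail).
SUSPICIOUS = """From: Jane Doe <jane.doe@abdbank.com>
To: accounts@abcbank.com
Subject: Urgent wire transfer needed today
Reply-To: jane.doe@mail-relay.example

I am in a meeting and cannot talk. Please process the attached invoice immediately.
Sent from my iPhone
"""

BENIGN = """From: Bob Smith <bob.smith@abcbank.com>
To: accounts@abcbank.com
Subject: Lunch menu for Friday

The cafeteria will serve pasta. See you there.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score}")
        for reason in reasons:
            print("  -", reason)
```

A message that scores above a threshold you choose (for instance 4) should be held for the out-of-band verification described in tip 4 rather than silently dropped, since the heuristic will occasionally flag a genuine executive writing from a personal address.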
4. Have You Verified the Request Over the Phone or in Person?
When you receive an unusual or urgent transfer request via email, the best thing to do is verify the request over the phone or in person. Supposing the email originates from the CEO’s email account, walk to their office or call them on the phone to confirm the request before taking any action.
5. Are Your Employees Trained to Catch Fraud?
Do your employees have enough training to spot cybersecurity threats? This is a question every organization needs to answer. Security is everyone’s responsibility, so don’t assume your network is safe just because you have the best tools in place.
People are the weakest link and can be easily manipulated. CEO fraud is getting more sophisticated, so organizations need to teach their staff how to identify these frauds and what to do when they spot one.
6. Do You Have Anti-Fraud Software Installed?
Besides employee training, organizations should take a Defense in Depth (DiD) approach to cybersecurity, which reduces the risk of these attacks. We recommend installing anti-fraud software and keeping it updated; it helps assess risk and detect fraud, and so reduces the likelihood of a successful attack.
CEO email fraud and other phishing scams are getting more sophisticated, and the impact on businesses can be devastating. This fraud attack is more successful in organizations with a rigid management structure that lacks proper checks and balances before approving financial requests.
Implementing the best cybersecurity practices can help you prevent these attacks. Organizations should also carry out frequent cybersecurity awareness programs to train staff on new tactics attackers use to execute their plans.