CEO fraud, also known as Business Email Compromise (BEC) or executive impersonation, is a type of cyber attack where the attacker poses as a company executive or CEO to deceive employees into taking harmful actions, typically involving financial transactions or divulging sensitive information.
What is CEO fraud?
CEO fraud is not a particularly complex type of cyber attack, usually broadly falling in line with a spear phishing attack. But the actual fraudulent aspect of CEO fraud is in the follow up:
Email Spoofing
Attackers often use techniques to spoof or mimic the email address of a CEO or high-ranking executive. This involves creating an email address that appears similar to the legitimate one, making it difficult for recipients to notice the difference.
Social Engineering
Cybercriminals conduct thorough research on the target organization and its key personnel, gathering information from public sources, social media, and other channels. This information helps them create convincing and contextually relevant messages.
Impersonation
The attacker sends emails or messages pretending to be the CEO or another executive. The messages may instruct employees to perform urgent actions, such as transferring funds, making payments, or disclosing sensitive information.
Urgency and Secrecy
CEO fraud often involves a sense of urgency and confidentiality. Attackers may claim that the requested action is time-sensitive or requires discretion, preventing employees from verifying the legitimacy of the request.
Manipulation of Trust
By impersonating a high-ranking executive, the attacker exploits the trust and authority associated with that position. Employees are more likely to comply with requests they believe are coming from top management.
Compromised Credentials
In some cases, attackers gain access to an executive’s email account through phishing or other means. Once they have control of the account, they can send fraudulent emails directly from the compromised email address.
Invoice Fraud
CEO fraud may involve sending fake invoices or payment requests to employees responsible for financial transactions. These requests appear legitimate, leading employees to make payments to fraudulent accounts.
Vendor or Supplier Impersonation
Attackers may impersonate vendors, suppliers, or other business partners in addition to internal executives. This can involve changing bank account details for payments or requesting sensitive information under the guise of a legitimate business transaction.
As you can see, CEO fraud attacks are not necessarily one distinct type of attack: the adversary may use a variety of social engineering techniques, leverage financial information, steal a CEO’s email address, access bank accounts fraudulently, impersonate or plant trick employees, or use a variety of other threat actor techniques to conduct unauthorized transfers.
Are there notable examples of CEO fraud scams?
In 2016, the CEO of an Austrian aerospace manufacturer, FACC AG, fell victim to a CEO fraud attack. The attackers impersonated the CEO in emails to the finance department and convinced them to transfer approximately €50 million (around $55 million, at the time) to accounts in different locations. The attackers had conducted thorough research on the company and its executives, allowing them to craft convincing emails that appeared to be from the CEO. The emails instructed the finance department to make the transfers urgently and confidentially, citing a secret acquisition project as the reason.
The finance department, trusting the apparent authority of the CEO and the urgency conveyed in the emails, complied with the instructions. It wasn’t until later that the company realized it had been the victim of a sophisticated CEO fraud attack. This incident underscores the effectiveness of social engineering and the importance of implementing robust verification processes, especially for financial transactions. It also highlights the significant financial losses that can result from successful CEO fraud attacks. In response to such incidents, organizations worldwide have increased efforts to educate employees about the risks associated with CEO fraud and have implemented additional security measures to mitigate the threat.
How do I approach CEO fraud prevention?
As with so many problems in cybersecurity, we can’t deal with something as broad as CEO fraud with a simple playbook. Many cases of CEO fraud happen when security awareness training seems to be working, computer intrusion techniques are at the cutting edge, and the CEO’s email account has a secure password (a rarity, some would tell you!). But that doesn’t mean we can’t stop such an attack by implementing best practices and trying to nip social engineering attacks and CEO fraud emails in the bud. Here is a six-point plan for
- Educate Employees: Provide training to employees about the risks of CEO fraud, emphasizing the importance of verifying unusual requests, especially those involving financial transactions.
- Implement Email Authentication: Use email authentication protocols such as DMARC (Domain-based Message Authentication, Reporting, and Conformance) to verify the authenticity of emails and prevent spoofing.
- Multi-Factor Authentication (MFA): Enforce MFA for email accounts and other sensitive systems to add an extra layer of security.
- Verify Requests: Encourage a culture of verification for sensitive actions, especially those involving financial transactions. Employees should independently verify such requests through a trusted communication channel.
- Monitor and Detect Anomalies: Implement security measures to monitor and detect unusual behavior, such as unexpected changes in email patterns or financial transactions.
- Security Awareness Programs: Regularly conduct security awareness programs to keep employees informed about the latest cybersecurity threats and tactics.
By combining technology, training, and vigilance, organizations can significantly reduce the risk of falling victim to CEO fraud and other types of cyber attacks. Because, remember – CEO fraud is just another example of social engineering techniques in action, so all positive defensive work that protects against a general phishing attack will also help protect CEO fraud targets and sensitive data, prevent identity theft, intercept fraudulent wire transfer payments, and cut down on the threat from cyber-criminals. And when you can protect your company’s CEO, high-ranking executives, and other senior leadership members from email fraud, you’re doing something right.
