
Everything you need to know about CEO fraud and how to prevent it

The end-goal for fraudsters is to try and fool an employee in accounting or HR into executing unauthorised wire transfers or sending out confidential personal information.

CEO fraud is a form of Business Email Compromise (BEC): a scam in which cybercriminals spoof or take over company email accounts and impersonate executives.

In the first three months of 2020, invoice and payment fraud BEC attacks increased more than 75 per cent.

The rise was even more pronounced from April to May.

Over that period, the volume of these types of BEC campaigns shot up by 200 per cent per week, according to Abnormal Security.

The spike in CEO fraud attempts suggests that cybercriminals find this tactic more rewarding than other forms of social engineering, and that they have been exploiting the confusion of the sudden, enforced shift to working from home.

Here’s how they do it:

Initiation
The attacker either compromises a business executive’s email account or spoofs a publicly listed company address.
This is usually done with phishing: the attacker registers a lookalike domain that closely resembles the target organisation’s real one, or tricks the target into handing over account credentials.
Attackers do a fair amount of research, looking for an organisation that has had a change in leadership or whose executives are travelling, and time their scams around those events.
Often the first email carries no links or attachments at all; it simply tries to start a conversation by asking for something basic, such as who can help get an urgent invoice paid.

Social engineering
Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds.
Often by applying a low-grade dose of fear, authority, urgency or flattery, they trigger the target’s emotions in order to suppress his or her critical thinking.
The label of this category of cybercrime may be CEO fraud, but that doesn’t mean the CEO is always the one in a criminal’s crosshairs.
Anyone with privileges to make, approve or influence payments as well as with access to personal or sensitive corporate information may be at risk.
In one example, the attacker impersonated a real vendor used by the target organisation.
Over the span of two months, the attacker emailed several employees trying to convince someone to change the vendor’s banking details and redirect payment of a legitimate invoice to the attacker’s account.

Here’s what you can do:

Identify your high-risk users
These include C-level executives, HR, accounting and IT staff.
Impose more controls and safeguards in these areas: review social and public profiles for job duties, reporting lines, out-of-office details or any other sensitive corporate data, and identify any publicly available email addresses and lists of connections.
Institute technical controls
Two-factor authentication on email accounts (so that a phished password alone is not enough to take over a mailbox), email filtering that flags external and lookalike senders, and managing access and permission levels for all employees are some of the ways to reduce the organisation’s exposure to these attacks.

Develop a security policy and standard procedures
Recommended company procedures should include:
• Make sure staff are aware of security policies around email usage and risks.
• Establish how executive leadership is to be informed about cyber threats.
• Have sound financial controls in place, such as multiple approval steps before any payments can be made.
• Implement verification processes for new suppliers and for any request to change bank account details, confirming by phone on a number already on file rather than one supplied in the request.
• Establish a schedule to test the cyber incident response plan.
• Register as many lookalike variations of the company domain as possible (typos, swapped letters, alternative top-level domains) so that attackers cannot register them first.
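Both the lookalike domains described under Initiation and the defensive registration in the last point above come down to the same set of domain variants. The Python below is an added example, not code from the article or from any vendor it names: it generates the typosquat variants of a company domain (the ones worth registering or at least monitoring) and then uses that set, an edit-distance check and the executive list to flag suspicious From: headers the way a simple mail filter would. The company domain, executive names and sample headers are constructed for the example.

```python
"""Lookalike-domain defence for CEO fraud / BEC.

Added example, not code from the article: generate the typosquat variants
of a company domain, then use that set, an edit-distance check and the
executive list to flag suspicious From: headers. The company domain,
executive names and the sample headers below are constructed.
"""
from email.utils import parseaddr

# Character swaps that look alike in most fonts; one substitution per variant.
HOMOGLYPHS = {
    "m": ["rn"], "rn": ["m"], "l": ["1", "i"], "i": ["l", "1"],
    "o": ["0"], "e": ["3"], "a": ["4"], "s": ["5"], "g": ["q"],
}
# Alternative TLDs a fraudster might register the same label under.
ALT_TLDS = ("co", "net", "org", "co.za")


def typosquat_candidates(domain):
    """Return lookalike domains for `domain`: omission, repetition,
    transposition and homoglyph variants of the label, plus other TLDs."""
    label, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                   # drop one character
        variants.add(label[:i + 1] + label[i] + label[i + 1:])    # double one character
    for i in range(len(label) - 1):                               # swap adjacent characters
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for src, repls in HOMOGLYPHS.items():                         # homoglyph substitution
        pos = label.find(src)
        while pos != -1:
            for rep in repls:
                variants.add(label[:pos] + rep + label[pos + len(src):])
            pos = label.find(src, pos + 1)
    variants.discard(label)
    candidates = {v + "." + tld for v in variants if v}
    candidates.update(label + "." + alt for alt in ALT_TLDS if alt != tld)
    candidates.discard(domain.lower())
    return candidates


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, company_domain, executives, lookalikes):
    """Return a reason string if the From: header looks like impersonation, else None.
    `executives` holds lower-cased display names that should only ever arrive from
    `company_domain`; `lookalikes` is the output of typosquat_candidates()."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable sender address"
    domain = addr.rpartition("@")[2].lower()
    if domain == company_domain:
        return None   # genuine domain; SPF/DKIM/DMARC decide whether we really sent it
    if domain in lookalikes:
        return "lookalike domain " + domain
    if levenshtein(domain, company_domain) <= 2:
        return "domain %s within edit distance 2 of %s" % (domain, company_domain)
    if domain.startswith(company_domain + "."):
        return "company domain used as a leading subdomain of " + domain
    if name.strip().lower() in executives:
        return "executive display name '%s' on external domain %s" % (name, domain)
    return None


# Constructed sample data for the example (hypothetical company and people).
COMPANY_DOMAIN = "acmecorp.com"
EXECUTIVES = {"jane roe", "sam patel"}
SAMPLE_FROM_HEADERS = [
    '"Jane Roe" <jane.roe@acmecorp.com>',                    # genuine
    '"Jane Roe" <jane.roe@acrnecorp.com>',                   # "rn" standing in for "m"
    '"Accounts Payable" <ap@acmecorp.co>',                   # same label, other TLD
    '"Sam Patel" <sam.patel@acmecorp.cm>',                   # dropped letter in the TLD
    'Jane Roe <jane@acmecorp.com.secure-payments.net>',      # real domain as a subdomain
    '"Jane Roe" <jane.roe.ceo@gmail.com>',                   # webmail with the CEO's name
    '"Delta Stationers" <billing@deltastationers.example>',  # unrelated supplier
]


def scan(headers, company_domain=COMPANY_DOMAIN, executives=EXECUTIVES):
    """Run classify_sender over From: headers; return (header, reason) pairs."""
    lookalikes = typosquat_candidates(company_domain)
    findings = []
    for header in headers:
        reason = classify_sender(header, company_domain, executives, lookalikes)
        if reason:
            findings.append((header, reason))
    return findings


if __name__ == "__main__":
    for header, reason in scan(SAMPLE_FROM_HEADERS):
        print(reason, "<-", header)
```

Five of the seven constructed headers are flagged; only the genuine internal address and the unrelated supplier pass. The display-name rule is what catches mail from free webmail accounts, which no domain check can, so it is worth keeping even once the lookalike domains have been registered.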
Training for all users

No matter how good your prevention steps are, breaches are inevitable.

User education plays a big part in minimising the dangers of BEC.

The best training programmes teach users to recognise the warning signs of a fraudulent request, to verify any unusual payment or data request through a separate channel, and to report suspicious emails, so that one alert employee can stop an attempt before money or data leaves the organisation.
