CEO Fraud

What Is CEO Fraud?

CEO Fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives to try to fool an employee in accounting or HR into executing unauthorized wire transfers or sending out confidential tax information.

The FBI calls this type of scam "Business Email Compromise" and defines BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

In the time period from January 2015 to June 2016, the FBI reported a 1300% rise in losses from this type of fraud. Most victims are in the US (all 50 states), but companies in 100 other countries have also reported incidents. While the fraudulent transfers have been sent to 79 countries, most end up in China and Hong Kong. Unless the fraud is spotted within 24 hours, the chances of recovery are small.


Four Attack Methods

Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how the bad guys do it: 

1. Phishing

Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources—often with legitimate-looking logos attached. Banks, credit card providers, delivery firms, law enforcement, and the IRS are a few of the common ones. A phishing campaign typically shoots out emails to huge numbers of users. Most of them are to people who don’t use that bank, for example, but by sheer weight of numbers, these emails arrive at a certain percentage of likely candidates.

2. Spear Phishing

This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users. The email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included – perhaps the person’s name, or the name of a client.

3. Executive Whaling

Here, the bad guys target top executives and administrators, typically to siphon off money from accounts or steal confidential data. Personalization and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.

4. Social Engineering

Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.


5 Common Attack Scenarios

  1. Business working with a foreign supplier: This scam takes advantage of a long-standing wire-transfer relationship with a supplier, but asks for the funds to be sent to a different account.
  2. Business receiving or initiating a wire transfer request: The email accounts of top executives are compromised and/or spoofed, and another employee receives a message to transfer funds somewhere, or a financial institution receives a request from the company to send funds to another account. These requests appear genuine because they come from the correct email address.
  3. Business contacts receiving fraudulent correspondence: The fraudsters take over an employee’s email account and send invoices to company suppliers, who then pay into bogus accounts.
  4. Executive and attorney impersonation: The fraudsters pretend to be lawyers or executives dealing with confidential and time-sensitive matters.
  5. Data theft: Fraudulent emails request either all wage or tax statement (W-2) forms or a company list of personally identifiable information (PII). These come from compromised and/or spoofed executive email accounts and are sent to the HR, accounts or auditing departments.

Who Are The Main Targets?

The CEO isn't always the one in a criminal’s crosshairs. There are four other groups of employees considered valuable targets given their roles and access to funds/information:

Finance

The finance department is especially vulnerable in companies that regularly engage in large wire transfers. All too often, sloppy internal policies only demand an email from the CEO or other senior person to initiate the transfer. Cybercriminals usually gain entry via phishing, spend a few months doing recon and formulate a plan. They mirror the usual wire transfer authorization protocols, hijack a relevant email account and send the request to the appropriate person in finance to transmit the funds. As well as the CFO, this might be anyone in accounts who is authorized to transfer funds.

HR

Human Resources represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organization, manages the employee database and is in charge of recruitment. As such, a major function is to open résumés from thousands of potential applicants. All the cybercriminals need to do is include spyware inside a résumé and they can surreptitiously begin their early data gathering activities. In addition, W-2 and PII scams have become more commonplace. HR receives requests from spoofed emails and ends up sending employee information such as social security numbers and employee email addresses to criminal organizations.

Executive Team

Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority. If their email accounts are hacked, it generally provides cybercriminals access to all kinds of confidential information, not to mention intelligence on the type of deals that may be ongoing. Thus executive accounts must receive particular attention from a security perspective.

IT

The IT manager and IT personnel with authority over access controls, password management and email accounts are further high-value targets. If their credentials are compromised, the attackers gain entry to every part of the organization.






Board Oversight and Fiduciary Duty

Virus and malware defense has long been viewed as a purely IT problem. Some organizations do appoint Chief Information Security Officers (CISOs); however, information security is often viewed as a challenge that lies well below board or C-level attention.

The events of recent years have highlighted the danger of this viewpoint. With the FBI warning corporations that they are at risk and so many high-profile victims in the news, organizations, led by their CEO, must integrate cyber risk management into day-to-day operations.

Additionally, companies must take reasonable measures to prevent cyber-incidents and mitigate the impact of inevitable breaches. The concept of acting “reasonably” is used in many state and federal laws in the United States, Australia, and other countries. Blaming something on IT or a member of staff is no defense. CEOs are responsible for restoring normal operations after a data breach and ensuring that company assets and the company's reputation are protected. Failure to do so can open the door to legal action.

Let’s put it in these terms: a cyber breach could potentially cause the loss of a bid on a large contract, could compromise intellectual property (IP) and could cause a loss of revenue, to name just a few of the repercussions. That places cybersecurity firmly at the top of the organizational chart, similar to all other forms of corporate risk.

High-Profile Cases

 

January 2015

Xoom - Internet money transfer service, San Francisco, CA
  Lost: $30.8 million | Recovered: $0 | Result: The CFO resigned

August 2015

Ubiquiti Networks - Computer networking company, Silicon Valley
  Lost: $46.7 million | Recovered: $15.0 million | Result: Unknown

January 2016

FACC AG - Aerospace company, Austria
  Lost: $50.0 million | Recovered: $10.9 million | Result: CEO and CFO were fired

April 2016

Unknown US Company
  Lost: $100.0 million | Recovered: $74.0 million | Result: Scam surfaced when the US government filed a lawsuit to recover $25 million

Mattel - Toy manufacturing company, El Segundo, CA
  Lost: $3.0 million | Recovered: $3.0 million | Result: Luckily they caught the scam right away and were able to recover all of their money

May 2016

Crelan Bank - Belgium
  Lost: $70.0 million | Recovered: $0 | Result: The CEO claims they are still viable and operating at a profit

Pomeroy Investment Corp - Troy, MI
  Lost: $495,000 | Recovered: $0 | Result: The error wasn't noticed for 8 days; by then the money was long gone

August 2016

Leoni AG - Cable manufacturer, Germany
  Lost: $44.0 million | Recovered: $0 | Result: Unknown

September 2016

SS&C Technologies Holdings - Financial services software firm, Windsor, CT
  Lost: $5.9 million | Recovered: Unknown | Result: The CEO was ousted and the company is now facing a $10 million lawsuit by Tillage Commodities Fund, the firm whose money was lost

November 2016

City of El Paso, Texas
  Lost: $3.1 million | Recovered: $1.9 million | Result: Unknown

"People are used to having a technology solution [but] social engineering bypasses all technologies, including firewalls. Technology is critical, but we have to look at people and processes. Social engineering is a form of hacking that uses influence tactics." – Kevin Mitnick

Technology vs The Human Firewall

Most efforts towards risk mitigation concentrate on technology. However, these technology safeguards must be supported by what is known as the human firewall. Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. They know that employees are the weakest link in any IT system. Thus, cybercriminals continue to rely on phishing and other tricks from the social engineering playbook. The following is a MINIMUM of what to have in place to protect yourself:

Technology

  • Antivirus
  • Antimalware
  • Intrusion detection/prevention
  • Firewalls
  • Email filters
  • Two-factor authentication
  • Weapons-grade backups

The Human Firewall

  • Employees are the weak link in any IT department
  • Staff needs to be regularly educated on cyber-threats
  • Each user needs to be able to spot phishing emails from a mile away
  • Regularly testing users with phishing emails keeps them on their toes
  • New-school security awareness training is the way to manage the human firewall problem

Eight Prevention Steps

Many steps must dovetail closely together as part of an effective prevention program.

Identify your high-risk users: These include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas, including:

  • Review social/public profiles for job duties/descriptions, hierarchical information, out-of-office details, or any other sensitive corporate data
  • Identify any publicly available email addresses and lists of connections
  • Email filtering
  • Two-factor authentication
  • Automated password and user ID policy enforcement
  • Comprehensive access and password management
  • Whitelist or blacklist external traffic
  • Patch/update of all IT and security systems
  • Manage access and permission levels for all employees
  • Review existing technical controls and take action to plug any gaps

Every organization should set security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should include such things as:

  • Not opening attachments or clicking on links from an unknown source
  • Not using USB drives on office computers
  • Password management policy (no reusing passwords, no Post-it notes on screens as password reminders, etc.)
  • Required security training for all employees
  • Review policy on WiFi access. Include contractors and partners as part of this if they need wireless access when on site.

Have a solid wire transfer policy: It should never be possible for a cybercriminal to hijack a corporate email account and convince someone to transfer a large sum immediately. Policy should limit such transactions to relatively small amounts. Anything beyond that threshold must require further authorizations.

Confidential information: When it comes to IP or employee records, policy should determine a chain of approvals before such information is released.

IT should have measures in place to:

  • Block sites known to spread ransomware
  • Keep software patches and virus signature files up-to-date
  • Carry out vulnerability scanning and self-assessment using best practice frameworks such as US-CERT or SANS Institute guidelines
  • Conduct regular penetration tests on WiFi and other networks to see just how easy it is to gain entry
  • Implement domain spoof protection so that mail claiming to come from your own domain is authenticated
  • Create intrusion detection system rules that flag emails whose sender domain is similar to, but not identical to, the company domain
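Domain spoof protection in practice means publishing SPF and DMARC records that receiving mail servers will enforce. As an added example (not part of the original page), this Python check reads constructed record strings and reports the settings that leave a domain spoofable; in production the strings would come from the domain's DNS TXT lookup.

```python
"""Assess whether a domain's published SPF and DMARC records stop exact-domain
spoofing. Record strings are constructed samples; in production they would be
fetched from the domain's DNS TXT records."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SpoofAssessment:
    enforcing: bool                        # True only if spoofed mail is rejected or quarantined
    findings: list = field(default_factory=list)


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; pct=100' into a lowercase-tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> SpoofAssessment:
    result = SpoofAssessment(enforcing=False)

    # SPF: the terminating 'all' qualifier decides what receivers do with
    # unauthorised sending hosts. These findings are advisory: DMARC treats any
    # SPF result other than 'pass' as a failure, so DMARC decides enforcement.
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        result.findings.append("no SPF record: any host may claim to send for this domain")
    else:
        last = spf_txt.split()[-1].lower()
        if last in ("+all", "all"):
            result.findings.append("SPF ends in +all: explicitly authorises every sender")
        elif last == "?all":
            result.findings.append("SPF ends in ?all: neutral, receivers treat it as no policy")
        elif last == "~all":
            result.findings.append("SPF ends in ~all: softfail only, spoofed mail is still delivered")
        # '-all' is the hard fail we want; nothing to report.

    # DMARC: without p=quarantine or p=reject, SPF/DKIM results are not acted on.
    if not dmarc_txt:
        result.findings.append("no DMARC record: receivers cannot enforce alignment")
        return result
    tags = parse_dmarc(dmarc_txt)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        result.findings.append("DMARC p=none: monitor only, spoofed mail is delivered")
    elif pct < 100:
        result.findings.append(f"DMARC pct={pct}: only {pct}% of failing mail is acted on")
    else:
        result.enforcing = True
    if "rua" not in tags:
        result.findings.append("no rua= tag: aggregate reports of spoofing attempts are not collected")
    return result
```

A domain is only safe from exact-domain spoofing when assess() returns enforcing=True; every finding is a concrete record change to make.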

Recommended company procedures include:

  • Make staff study security policy and enforce this
  • Establish how executive leadership is to be informed about cyber-threats and their resolution
  • Establish a schedule for the testing of the cyber-incident response plan
  • Register as many company domains as possible that are slightly different from the actual company domain
  • Develop a comprehensive cyber incident response plan and test it regularly. Augment the plan based on results.
  • Executive leadership must be well informed about the current level of risk and its potential business impact.
  • Management must know the volume of cyber incidents detected each week and of what type.
  • Understand what information you need to protect: identify the corporate “crown jewels,” how to protect them and who has access.
  • Policy should be established as to thresholds and types of incident that require reporting to management
  • Cyber-risk MUST be added to existing risk management and governance processes.
  • Best practices and industry standards should be gathered up and used to review the existing cybersecurity program.
  • Consider obtaining comprehensive cyber security insurance that covers various types of data breaches.

*Note: Normally human error like CEO fraud is NOT covered by cyber security insurance.

No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimizing the danger so start here:

  • Train users on the basics of cyber and email security
  • Train users on how to identify and deal with phishing attacks with new-school security awareness training
  • Implement a reporting system for suspected phishing emails such as the Phish Alert Button
  • Continue security training regularly to keep it top of mind
  • Frequently phish your users to keep awareness up

The best training programs baseline click rates on phishing emails and harness user education to bring that number down. Don't expect a 0% click rate though. Good employee education can reduce phishing success significantly, but there is always someone who doesn’t pay attention, is in a hurry that day, or is simply outsmarted by a very clever cybercriminal.

  • Run an initial phishing simulation campaign to establish a baseline percentage of which users are phish-prone.
  • Continue simulated phishing attacks at least once a month, but twice is better.
  • Once users understand that they will be tested on a regular basis, and that there are repercussions for repeated fails, behavior changes. They develop a less trusting attitude and get much better at spotting a scam email.
  • Randomize email content and times they are sent to different employees. When they all get the same thing, one employee spots it and leans out of the cubicle to warn the others. 

Security awareness training should include teaching people to watch out for red flags. Here are the most common things to watch out for:

  • Awkward wordings and misspellings
  • Slight alterations of company names such as Centriffy instead of Centrify or Tilllage instead of Tillage
  • Spoofed email addresses and URLs that are very close to actual corporate addresses, but only slightly different
  • Sudden urgency or time-sensitive issues
  • Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information” are often used, according to the FBI
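The IT measure above (flag emails whose sender domain resembles the company domain) and these red flags can be turned into a simple triage check on inbound mail. This is an added example, not from the original page; the company domain example.com, the executive names and the sample message are constructed.

```python
"""Flag inbound mail that shows the CEO-fraud red flags: a sender domain that
is a near miss of the company domain, an executive's name on an external
address, a Reply-To that diverts answers elsewhere, and the FBI's
urgent-payment phrases. Company domain and executive names are constructed."""

from email.utils import parseaddr

COMPANY_DOMAINS = {"example.com"}                       # assumed company domain
EXECUTIVES = {"jane doe", "john roe"}                    # constructed executive names
FBI_PHRASES = ("code to admin expenses", "urgent wire transfer",
               "urgent invoice payment", "new account information")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """A domain within two edits of ours, but not ours, is a lookalike
    (tilllage.com vs tillage.com). Short company domains may need a
    threshold of 1 to avoid false positives."""
    domain = domain.lower()
    if domain in COMPANY_DOMAINS:
        return False
    return any(edit_distance(domain, d) <= 2 for d in COMPANY_DOMAINS)


def triage(from_header: str, reply_to: str, subject: str, body: str) -> list:
    """Return the list of red flags found; an empty list means nothing suspicious."""
    flags = []
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if is_lookalike(domain):
        flags.append(f"lookalike sender domain: {domain}")
    # An executive's display name on an address outside the company is the
    # classic impersonation pattern (the exact-domain case is left to DMARC).
    if name.strip().lower() in EXECUTIVES and domain not in COMPANY_DOMAINS:
        flags.append(f"executive display name on external address: {addr}")
    _, reply_addr = parseaddr(reply_to)
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
        flags.append(f"Reply-To points elsewhere: {reply_addr}")
    text = f"{subject}\n{body}".lower()
    for phrase in FBI_PHRASES:
        if phrase in text:
            flags.append(f"FBI red-flag phrase: '{phrase}'")
    return flags


if __name__ == "__main__":
    # Constructed sample: a lookalike domain carrying an executive's name.
    for flag in triage('"Jane Doe" <jane.doe@examp1e.com>', "",
                       "Urgent wire transfer",
                       "Please process this today. New account information attached."):
        print(flag)
```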


Ten Victim Response Steps

Should an incident take place, there are immediate steps you need to take. Start by contacting your bank:

  • Inform the bank of the wire transfer in question
  • Give them full details of the amount, the account destination and any other pertinent details
  • Ask if it is possible to recall the transfer

Speak with their cybersecurity department: Brief them on the incident and ask for their intervention. They can contact their counterparts in the foreign bank to have them prevent the funds from being withdrawn or transferred elsewhere.

Contact law enforcement and inform them of all the facts related to the incident as soon as possible.

In the U.S., the local FBI office is the place to start. The FBI, working with the U.S. Department of Treasury Financial Crimes Enforcement Network may be able to return or freeze the funds. When contacting law enforcement, identify your incident as “BEC”, provide a brief description of the incident, and consider providing the following financial information:

  • Originating Name
  • Originating Location
  • Originating Bank Name
  • Originating Bank Account Number
  • Recipient Name
  • Recipient Bank Name
  • Recipient Bank Account Number
  • Recipient Bank Location (if available)
  • Intermediary Bank Name (if available)
  • SWIFT Number
  • Date
  • Amount of Transaction
  • Additional Information (if available), including “FFC” (For Further Credit) and “FAV” (In Favor Of)

Visit the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov to file your complaint. Victims should always file a complaint regardless of dollar loss or timing of incident and in addition to the financial information above, provide the following:

  • IP and/or email address of fraudulent email
  • Date and time of incidents
  • Incorrectly formatted invoices or letterheads
  • Requests for secrecy or immediate action
  • Unusual timing, requests, or wording of the fraudulent phone calls or emails
  • Phone numbers of the fraudulent phone calls
  • Description of any phone contact to include frequency and timing of calls
  • Foreign accents of the callers
  • Poorly worded or grammatically incorrect emails
  • Reports of any previous email phishing activity

Call an emergency meeting to brief the board and senior management on the incident, steps taken and further actions to be carried out.

Have IT investigate the breach to find the attack vector. If an executive’s email has been hacked, take immediate action to recover control of that account such as changing the password.

But don’t stop there: the likelihood is that the organization has been further infiltrated and other accounts have been compromised. Have IT run the gamut of detection technologies to find any and all malware that may be lurking to strike again.

If the organization was breached, it highlights deficiencies in existing technology safeguards. These will prove harder for IT to spot. So bring in outside help to detect any area of intrusion that IT may have missed.

The goal is to eliminate any and all malware that may be buried in existing systems. The bad guys are inside. The organization isn’t safe until the attack vector is isolated and all traces of the attack have been eradicated. This is no easy task.

Make sure your cybersecurity insurance covers CEO Fraud: Less than 4% of fraudulently transferred funds are recovered, so it's a good idea to make sure you have the proper insurance in place. While many organizations have taken out cyber-insurance, not all are specifically covered in the event of CEO fraud. This is a gray area in insurance and many carriers refuse to pay up. Despite the presence of a specific cyber insurance policy, the unfortunate fact is that no hardware or software was hacked. It was the human that was hacked instead.

Difference between financial instruments and email fraud: Insurance companies distinguish between these two and that's where gray areas come in. Financial instruments can be defined as monetary contracts between parties such as cash (currency), evidence of an ownership interest in an entity (share), or a contractual right to receive or deliver cash (bond). However, CEO fraud is often categorized as being purely an email fraud and not a financial instrument fraud. In other words, it is being regarded in many cases as a matter of internal negligence or email impersonation as opposed to being a financial instrument matter.

That said, there are dozens of carriers in the market providing up to $300 million in limits. Coverage extensions have developed to include both the third-party liability and first-party cost and expenses associated with a data breach or cyber-attack.

For such an incident to happen, violations of existing policy are likely to be in evidence. Conduct an internal investigation to cover such violations as well as to eliminate any possibility of any collusion with the criminals. Take the appropriate disciplinary action.

When the immediate consequences of the attack have been addressed and full data has been gathered about the attack, draw up a plan that encompasses adding technology and staff training to prevent the same kind of incident from repeating. Be sure to beef up staff awareness training as a vital part of this.
