CEO Fraud Attacks

CEO Fraud, also known as Business Email Compromise, is a $26 billion scam according to the FBI. Find out how you can prevent this type of attack and what to do if you become a victim.

What is CEO Fraud?

CEO Fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or sending out confidential tax information.

The FBI calls this type of scam "Business Email Compromise" and defines BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

According to FBI statistics, CEO fraud is now a $26 billion scam. Between May 2018 and July 2019, there was a 100% increase in identified global exposed losses. The scam has been reported in all 50 states and in 150 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to banks from roughly 140 countries.

The FBI reported that CEO fraud and other cyber crimes, including ransomware and other online scams, together were responsible for over $4.1 billion in losses in 2020 alone, with reported cases of cyber crime rising from 467,000 to over 791,000 (a 69% increase) between 2019 and 2020. Clearly, CEO fraud and other forms of cyber crime are not going away and are only getting worse.


Top Four Attack Methods

Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how cybercriminals do it: 

1. Phishing

Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources—often with legitimate-looking logos attached. Banks, credit card providers, delivery firms, law enforcement, and the IRS are a few of the common ones. A phishing campaign typically shoots out emails to huge numbers of users. Most of them are to people who don’t use that bank, for example, but by sheer weight of numbers, these emails arrive at a certain percentage of likely candidates.

2. Spear Phishing

This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users. A spear phishing email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included – perhaps the person’s name, or the name of a client.

3. Executive Whaling

Here, cybercriminals target top executives and administrators, typically to siphon off money from accounts or steal confidential data. Personalization and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.

4. Social Engineering

Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.

Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

Find out if you can be spoofed. Sign up now for your free Domain Spoof Test! 

How Cybercriminals Attack


5 Common Attack Scenarios

  1. Business working with a foreign supplier: This scam takes advantage of a long-standing wire-transfer relationship with a supplier, but asks for the funds to be sent to a different account. 
  2. Business receiving or initiating a wire transfer request: By compromising and/or spoofing the email accounts of top executives, another employee receives a message to transfer funds somewhere, or a financial institution receives a request from the company to send funds to another account. These requests appear genuine as they come from the correct email address. 
  3. Business contacts receiving fraudulent correspondence: By taking over an employee’s email account and sending invoices out to company suppliers, money is transferred to bogus accounts. 
  4. Executive and attorney impersonation: The fraudsters pretend to be lawyers or executives dealing with confidential and time-sensitive matters. 
  5. Data theft: Fraudulent emails request either all wage or tax statement (W-2) forms or a company list of personally identifiable information (PII). These come from compromised and/or spoofed executive email accounts and are sent to the HR department, accounts or auditing departments.

CEO Fraud Targets

The CEO isn't always the one in a criminal’s crosshairs. There are four other groups of employees considered valuable targets given their roles and access to funds/information:

Finance

The finance department is especially vulnerable in companies that regularly engage in large wire transfers. All too often, sloppy internal policies only demand an email from the CEO or other senior person to initiate the transfer. Cybercriminals usually gain entry via phishing, spend a few months doing recon and formulate a plan. They mirror the usual wire transfer authorization protocols, hijack a relevant email account and send the request to the appropriate person in finance to transmit the funds. As well as the CFO, this might be anyone in accounts who is authorized to transfer funds.

HR

Human Resources represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organization, manages the employee database and is in charge of recruitment. As such, a major function is to open résumés from thousands of potential applicants. All the cybercriminals need to do is include spyware inside a résumé and they can surreptitiously begin their early data gathering activities. In addition, W2 and PII scams have become more commonplace. HR receives requests from spoofed emails and ends up sending employee information such as social security numbers and employee email addresses to criminal organizations.

Executive Team

Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority. If their email accounts are hacked, it generally provides cybercriminals access to all kinds of confidential information, not to mention intelligence on the type of deals that may be ongoing. Thus executive accounts must receive particular attention from a security perspective.

IT

The IT manager and IT personnel with authority over access controls, password management and email accounts are further high-value targets. If their credentials can be hacked, they gain entry to every part of the organization.


Board Oversight and Fiduciary Duty

Virus and malware defense has long been viewed as a purely IT problem. Some organizations do appoint Chief Information Security Officers (CISOs); however, information security is often viewed as a challenge that lies well below board or C-level attention.

The events of recent years have highlighted the danger of this viewpoint. With the FBI warning corporations that they are at risk and so many high-profile victims in the news, organizations, led by their CEO, must integrate cyber risk management into day-to-day operations.

Additionally, companies must take reasonable measures to prevent cyber-incidents and mitigate the impact of inevitable breaches. The concept of acting “reasonably” is used in many state and federal laws in the United States, Australia, and other countries. Blaming something on IT or a member of staff is no defense. CEOs are responsible for restoring normal operations after a data breach and ensuring that company assets and the company's reputation are protected. Failure to do so can open the door to legal action.

Let’s put it in these terms: a cyber breach could potentially cause the loss of a bid on a large contract, could compromise intellectual property (IP) and cause loss of revenue, to name just a few of the repercussions. That places cybersecurity firmly at the top of the organizational chart, similar to all other forms of corporate risk.

High-Profile Cases


January 2015: Xoom, Internet money transfer service, San Francisco, CA
  Lost: $30.8 million
  Recovered: $0
  Result: The CFO resigned

August 2015: Ubiquiti Networks, Computer networking company, Silicon Valley
  Lost: $46.7 million
  Recovered: $15.0 million
  Result: Unknown

"People are used to having a technology solution [but] social engineering bypasses all technologies, including firewalls. Technology is critical, but we have to look at people and processes. Social engineering is a form of hacking that uses influence tactics." – Kevin Mitnick


On-Demand Webinar: Latest Business Email Compromise Scams—Don't Be the Next Victim

Cybercriminals are getting very creative, impersonating an executive in your organization to ask for financial reports, or asking employees in payroll to change bank account details. According to the FBI, their efforts have earned them an estimated $12 billion through Business Email Compromise, also known as CEO fraud scams. Defending against these types of phishing attacks is possible by layering technical and non-technical controls.

Technology vs The Human Firewall

Most efforts towards risk mitigation concentrate on technology. However, these technology safeguards must be supported by what is known as the human firewall. Regardless of how well the defense perimeter is designed, threat actors will always find a way in. They know that employees are the weakest link in any IT system. Thus, cybercriminals continue to rely on phishing and other tricks from the social engineering playbook. The following is a MINIMUM of what to have in place to protect yourself:

Technology

  • Antivirus
  • Antimalware
  • Intrusion detection/protection
  • Firewalls
  • Email Filters
  • Two-factor authentication
  • Weapons-grade backups

The Human Firewall

  • Employees are the weak link in any IT department
  • Staff needs to be regularly educated on cyber-threats
  • Each user needs to be able to spot phishing emails from a mile away
  • Regularly testing users with phishing emails keeps them on their toes
  • New-school security awareness training is the way to manage the human firewall problem

Eight Prevention Steps

Many steps must dovetail closely together as part of an effective prevention program:

1. Identify Your High-Risk Users

These include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas including: 

  • Review social/public profiles for job duties/descriptions, hierarchical information, out of office detail, or any other sensitive corporate data
  • Identify any publicly available email addresses and lists of connections

2. Institute Technical Controls

  • Email filtering
  • Two-factor authentication
  • Automated password and user ID policy enforcement
  • Comprehensive access and password management
  • Whitelist or blacklist external traffic
  • Patch/update of all IT and security systems
  • Manage access and permission levels for all employees
  • Review existing technical controls and take action to plug any gaps

3. Set A Security Policy

Every organization should set security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should include such things as:

  • Not opening attachments or clicking on links from an unknown source
  • Not using USB drives on office computers
  • Password management policy (no reusing passwords, no Post-it notes on screens as password reminders, etc.)
  • Required security training for all employees
  • Review policy on WiFi access. Include contractors and partners as part of this if they need wireless access when on site.

Have a solid wire transfer policy: It should never be possible for a cybercriminal to hijack a corporate email account and convince someone to transfer a large sum immediately. Policy should limit such transactions to relatively small amounts. Anything beyond that threshold must require further authorizations.

Confidential information: When it comes to IP or employee records, policy should determine a chain of approval before such information is released.

4. Develop Standard Procedures

IT should have measures in place to:

  • Block sites known to spread ransomware
  • Keep software patches and virus signature files up to date
  • Carry out vulnerability scanning and self-assessment using best-practice frameworks such as US-CERT or SANS Institute guidelines
  • Conduct regular penetration tests on WiFi and other networks to see just how easy it is to gain entry
  • Implement domain spoof protection
  • Create intrusion detection system rules that flag emails from domains that are similar to the company's own

Recommended company procedures include:

  • Make staff study security policy and enforce it
  • Establish how executive leadership is to be informed about cyber-threats and their resolution
  • Establish a schedule for the testing of the cyber-incident response plan
  • Register as many company domains as possible that are slightly different from the actual company domain

5. Cyber-Risk Planning

  • Develop a comprehensive cyber incident response plan and test it regularly. Augment the plan based on results.
  • Executive leadership must be well informed about the current level of risk and its potential business impact.
  • Management must know the volume of cyber incidents detected each week and of what type.
  • Understand what information you need to protect: identify the corporate “crown jewels,” how to protect it and who has access.
  • Policy should be established as to thresholds and types of incident that require reporting to management
  • Cyber-risk MUST be added to existing risk management and governance processes.
  • Best practices and industry standards should be gathered up and used to review the existing cybersecurity program.
  • Consider obtaining comprehensive cyber security insurance that covers various types of data breaches.

*Note: Normally human error like CEO fraud is NOT covered by cyber security insurance.

6. Training For All Users

No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimizing the danger so start here:

  • Train users on the basics of cyber and email security
  • Train users on how to identify and deal with phishing attacks with new-school security awareness training
  • Implement a reporting system for suspected phishing emails such as the Phish Alert Button
  • Continue security training regularly to keep it top of mind
  • Frequently phish your users to keep awareness up

The best training programs baseline click rates on phishing emails and harness user education to bring that number down. Don't expect a 0% click rate though. Good employee education can reduce phishing success significantly, but there is always someone who doesn’t pay attention, is in a hurry that day, or is simply outsmarted by a very clever cybercriminal.

7. Continuous Simulated Phishing

  • Run an initial phishing simulation campaign to establish a baseline: the percentage of users who are phish-prone.
  • Continue simulated phishing attacks at least once a month, but twice is better.
  • Once users understand that they will be tested on a regular basis, and that there are repercussions for repeated failures, behavior changes. They develop a less trusting attitude and get much better at spotting a scam email.
  • Randomize email content and the times they are sent to different employees. When they all get the same thing, one employee spots it and leans out of the cubicle to warn the others.

8. Stay Aware of Red Flags

Security awareness training should include teaching people to watch out for red flags. Here are the most common things to watch out for:

  • Awkward wordings and misspellings
  • Slight alterations of company names such as Centriffy instead of Centrify or Tilllage instead of Tillage
  • Spoofed email addresses and URLs that are very close to actual corporate addresses, but only slightly different
  • Sudden urgency or time-sensitive issues
  • Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information” are often used, according to the FBI
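The following Python script is an added example, not KnowBe4's code and not any product mentioned on this page. It implements two of the detection ideas above in working form: the step 4 suggestion to flag emails from domains that merely resemble the company's own (the Centriffy/Centrify and Tilllage/Tillage pattern), and the step 8 red flags (executive display names on outside addresses, mismatched Reply-To, and the FBI phrases quoted above). The company domain, the executive directory and the four sample messages are constructed for the example; subdomains and multi-part public suffixes such as co.uk are out of scope.

```python
"""Lookalike-domain and BEC red-flag triage (added example, constructed data)."""
from dataclasses import dataclass

COMPANY_DOMAIN = "tillage.com"                       # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@tillage.com"}    # assumed executive directory

# Phrases the FBI reports are common in BEC lures, plus generic urgency cues.
RED_FLAG_PHRASES = (
    "code to admin expenses", "urgent wire transfer", "urgent invoice payment",
    "new account information", "keep this confidential", "before end of day",
)

# Character substitutions commonly used to build lookalike domain names.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Lowercase a domain label and undo common homoglyph substitutions."""
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def classify_domain(domain: str, company: str = COMPANY_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    domain, company = domain.lower(), company.lower()
    if domain == company:
        return "internal"
    d_parts, c_parts = domain.split("."), company.split(".")
    if len(d_parts) < 2 or len(c_parts) < 2:
        return "external"
    # Registrable label is assumed to be the second-to-last part (no co.uk handling).
    d_label, d_tld = d_parts[-2], d_parts[-1]
    c_label, c_tld = c_parts[-2], c_parts[-1]
    if d_label == c_label and d_tld != c_tld:        # tillage.com -> tillage.co
        return "lookalike"
    if normalize(d_label) == normalize(c_label):     # ti11age.com -> tillage.com
        return "lookalike"
    # A small edit (tilllage, tilage); the budget scales with label length so
    # short labels do not produce false positives.
    if levenshtein(d_label, c_label) <= max(1, len(c_label) // 4):
        return "lookalike"
    return "external"


@dataclass
class Email:
    from_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str


def analyze(msg: Email) -> list[str]:
    """Return the list of red flags raised by one message (empty = clean)."""
    flags = []
    sender_domain = msg.from_addr.rsplit("@", 1)[-1]
    if classify_domain(sender_domain) == "lookalike":
        flags.append(f"lookalike sender domain: {sender_domain}")
    # A known executive's display name on an address that is not theirs.
    exec_addr = EXECUTIVES.get(msg.from_name.lower())
    if exec_addr and msg.from_addr.lower() != exec_addr:
        flags.append(f"display name impersonates {msg.from_name}")
    # A Reply-To outside the sender's domain silently redirects the thread.
    reply_domain = msg.reply_to.rsplit("@", 1)[-1] if msg.reply_to else sender_domain
    if reply_domain.lower() != sender_domain.lower():
        flags.append(f"reply-to domain differs: {reply_domain}")
    text = f"{msg.subject}\n{msg.body}".lower()
    for phrase in RED_FLAG_PHRASES:
        if phrase in text:
            flags.append(f"red-flag phrase: '{phrase}'")
    return flags


SAMPLE_MESSAGES = [  # constructed samples, not real mail
    Email("Jane Doe", "jane.doe@tillage.com", "", "Q3 numbers",
          "Can you send me the Q3 summary when it's ready?"),
    Email("Jane Doe", "jane.doe@tilllage.com", "", "Urgent wire transfer",
          "I'm in a meeting, need an urgent wire transfer to a new vendor "
          "before end of day. Code to admin expenses. Keep this confidential."),
    Email("Jane Doe", "jdoe.ceo@gmail.example", "", "Quick favor",
          "Are you at your desk? I need you to handle something discreetly."),
    Email("Accounts Payable", "ap@supplier.example", "billing@ap-supplier.example",
          "New account information", "Please note our new account information."),
]


def triage(messages=SAMPLE_MESSAGES) -> dict[str, list[str]]:
    """Map each message subject to its flags."""
    return {m.subject: analyze(m) for m in messages}


if __name__ == "__main__":
    for subject, flags in triage().items():
        print(f"{subject!r}: {flags or 'no flags'}")
```

The clean internal message raises nothing, the lookalike-domain message trips six checks at once, and the supplier message is caught on the Reply-To mismatch alone even before the phrase match. In a mail gateway rule the lookalike and impersonation checks would typically quarantine or tag the message; the phrase hits are better treated as a score contributing to a "verify out of band" banner than as a block on their own.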

Do your users know when to NOT click?

Did you know that 91% of successful data breaches started with a spear phishing attack? Find out today what percentage of your employees are Phish-prone™ with your free phishing security test.

Why? If you don't do it yourself, cybercriminals will. Take the first step now to significantly improve your organization’s defenses against cybercrime.

Ten Victim Response Steps

Should an incident take place, there are immediate steps you need to take:

1. Contact your bank immediately

  • Inform them of the wire transfer in question
  • Give them full details of the amount, the account destination and any other pertinent details
  • Ask if it is possible to recall the transfer

Speak with their cybersecurity department: Brief them on the incident and ask for their intervention. They can contact their counterparts in the foreign bank to have them prevent the funds from being withdrawn or transferred elsewhere.

2. Contact your attorneys

Inform them of all the facts related to the incident as soon as possible.

3. Contact law enforcement

In the U.S., the local FBI office is the place to start. The FBI, working with the U.S. Department of the Treasury's Financial Crimes Enforcement Network, may be able to return or freeze the funds. When contacting law enforcement, identify your incident as “BEC”, provide a brief description of the incident, and consider providing the following financial information:

  • Originating Name
  • Originating Location
  • Originating Bank Name
  • Originating Bank Account Number
  • Recipient Name
  • Recipient Bank Name
  • Recipient Bank Account Number
  • Recipient Bank Location (if available)
  • Intermediary Bank Name (if available)
  • SWIFT Number
  • Date
  • Amount of Transaction
  • Additional Information (if available), including “FFC” (For Further Credit) and “FAV” (In Favor Of)

4. File a complaint

Visit the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov to file your complaint. Victims should always file a complaint regardless of dollar loss or timing of incident and in addition to the financial information above, provide the following:

  • IP and/or email address of fraudulent email
  • Date and time of incidents
  • Incorrectly formatted invoices or letterheads
  • Requests for secrecy or immediate action
  • Unusual timing, requests, or wording of the fraudulent phone calls or emails
  • Phone numbers of the fraudulent phone calls
  • Description of any phone contact to include frequency and timing of calls
  • Foreign accents of the callers
  • Poorly worded or grammatically incorrect emails
  • Reports of any previous email phishing activity

5. Brief the board and senior management

Call an emergency meeting to brief the board and senior management on the incident, steps taken and further actions to be carried out.

6. Conduct IT forensics

Have IT investigate the breach to find the attack vector. If an executive’s email has been hacked, take immediate action to recover control of that account such as changing the password.

But don’t stop there: the likelihood is that the organization has been further infiltrated and other accounts have been compromised. Have them run the gamut of detection technologies to find any and all malware that may be lurking to strike again.

7. Bring in outside security specialists

If the organization was breached, it highlights deficiencies in existing technology safeguards. These will prove harder for IT to spot. So bring in outside help to detect any area of intrusion that IT may have missed.

The goal is to eliminate any and all malware that may be buried in existing systems. Cybercriminals are inside. The organization isn’t safe until the attack vector is isolated and all traces of the attack have been eradicated. This is no easy task.

8. Contact your insurance company

Make sure your cybersecurity insurance covers CEO Fraud: Less than 4% of fraudulently transferred funds are recovered, so it's a good idea to make sure you have the proper insurance in place. While many organizations have taken out cyber-insurance, not all are specifically covered in the event of CEO fraud. This is a gray area in insurance and many insurers refuse to pay up. Despite the presence of a specific cyber insurance policy, the unfortunate fact is that no hardware or software was hacked. It was the human that was hacked instead.

Difference between financial instruments and email fraud: Insurance companies distinguish between these two and that's where gray areas come in. Financial instruments can be defined as monetary contracts between parties such as cash (currency), evidence of an ownership interest in an entity (share), or a contractual right to receive or deliver cash (bond). However, CEO fraud is often categorized as being purely an email fraud and not a financial instrument fraud. In other words, it is being regarded in many cases as a matter of internal negligence or email impersonation as opposed to being a financial instrument matter.

That said, there are dozens of carriers in the market providing up to $300 million in limits. Coverage extensions have developed to include both the third-party liability and first-party cost and expenses associated with a data breach or cyber-attack.

9. Isolate security policy violations

For such an incident to happen, violations of existing policy are likely to be in evidence. Conduct an internal investigation to cover such violations as well as to eliminate any possibility of any collusion with the criminals. Take the appropriate disciplinary action.

10. Draw up a plan to remedy security deficiencies

When the immediate consequences of the attack have been addressed and full data has been gathered about the attack, draw up a plan that encompasses adding technology and staff training to prevent the same kind of incident from repeating. Be sure to beef up staff awareness training as a vital part of this.

Download The Full CEO Fraud Prevention Manual

CEO fraud has been responsible for more than $26 billion in losses over the last few years, with $1.8 billion in losses recorded in 2020 alone. This manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.