It’s time to stop talking about data breaches and other cyber incidents as things that just “happen to the other guy.” Here’s a news flash for you. Cyberattacks are happening to you, probably at this very moment. And since the consequences of a successful attack can be very devastating—including millions of dollars of losses, embarrassment in the public eye, ethical problems, top-level executive changes, and costly operational downtime—you need to be concerned about them.
One type of attack you need to start being concerned about is CEO fraud. CEO fraud is defined by the FBI as “a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests. The scam is frequently carried out when a subject compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.”
Let’s try to put that in layman’s terms. CEO fraud is just like business email compromise (BEC) except that it specifically impersonates a CEO. A criminal engaging in this type of fraud has either compromised the email account of the CEO or is spoofing their email account. The person behind these attacks is attempting to use social engineering to trick the recipient into doing what they want. And, as the FBI says, what they want is often a transfer of funds to their account.
CEO fraud is on the rise, making it even more important that you start paying attention to it. In 2019 alone, business email compromise and CEO fraud together resulted in over 23,000 complaints to the FBI and a staggering $1.7 billion in losses. Domestic and international losses from this kind of fraud exceeded $26 in the three years leading up to 2020.
Often, CEO fraud emails will arrive in your inbox in the form of phishing. These are typically high-volume, low-effort emails sent in batches to many recipients. They pretend to be from legitimate, reputable sources. They also request the recipient takes quick action like giving up contact information or clicking a link to resolve a supposed issue. Sometimes, email attacks are more focused than that, with the attacker doing their homework on who you are and what kind of messages you might fall for. This is known as spear phishing. Other times, top-level executives themselves are the recipients in attacks. This is called executive whaling (since the “big fish” are who’s being targeted).
KnowBe4’s CEO Fraud Prevention Manual explains that phishing emails might not lead directly to CEO fraud, but they are still an important piece of the puzzle. This is because phishing attacks are the number one entry for malware and spyware; they are also the top threat action in breaches. An attacker who successfully installs spyware on your computer can bide their time, snooping around and doing their research. After learning about you and your relationships, they can then craft a more convincing email to send to their targets.
Those targets vary widely and span your whole organization. Finance departments and anyone who controls funds transfers are particularly attractive to attackers. HR departments, IT departments, and executive teams are all frequent targets as well. If a person has something the attacker finds valuable (control over money, personal information, trade secrets, technical data, etc.), they can be a target.
So, how do you avoid being the next victim of CEO fraud? Well, as we mentioned at the start, you are already being targeted by cyber criminals. That’s not meant to scare you; we’re just being realistic—which is exactly how you should approach this type of fraud.
First and foremost, you need to take care of vital security tools and procedures. These include installing or implementing:
- Antivirus and antimalware software
- Intrusion detection and protection
- Email filters
- Mandatory two-factor authentication (2FA)
- Backup and disaster recovery processes, including off-site backups
- Automatic/routine software patching and updating
After these are all taken care of, you can really begin tackling the threat of CEO fraud in earnest. Remember, the above steps represent close to the bare minimum of what you should have for cybersecurity. Email filtering and two-factor authentication (2FA), for example, are a one-two punch against email fraud. The first keeps most if not all phishing attacks from getting to your inbox in the first place; the second ensures that anyone who compromises your credentials has to verify their identity another way. This can stop a large part of the fraud you might see in your inbox dead in its tracks.
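The filtering layer described above can catch the most common CEO-fraud patterns before a message ever reaches a finance inbox. The following is an added example, not code from the original article or from KnowBe4; it assumes a company domain of `example.com`, a small executive directory, and headers already parsed into a dictionary. It flags the display-name impersonation and account spoofing the article describes: an executive's name on an outside address, a mismatched Reply-To, a lookalike sender domain, and mail claiming the company's own domain that failed SPF/DMARC. All sample messages are constructed.

```python
"""Flag inbound mail that impersonates an executive (added example).

Assumptions: COMPANY_DOMAIN and EXECUTIVES are maintained by the
company; headers arrive as a plain dict; Authentication-Results is
whatever the receiving MTA stamped on the message.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                        # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumed directory entry


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(headers: dict) -> list:
    """Return the reasons a message looks like CEO fraud; empty list = clean."""
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    display_key = display.strip().lower()
    addr = addr.lower()
    sender_domain = domain_of(addr)

    # 1. An executive's display name on an address that is not theirs.
    if display_key in EXECUTIVES and addr != EXECUTIVES[display_key]:
        reasons.append("executive display name on a foreign address")

    # 2. Reply-To steering replies to a different mailbox than From.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append("Reply-To differs from From")

    # 3. A domain within two edits of ours that is not ours (e.g. examp1e.com).
    if sender_domain != COMPANY_DOMAIN and 0 < edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        reasons.append("lookalike sender domain")

    # 4. Mail claiming our own domain whose SPF/DMARC checks failed (spoofing).
    auth = headers.get("Authentication-Results", "").lower()
    if sender_domain == COMPANY_DOMAIN and ("dmarc=fail" in auth or "spf=fail" in auth):
        reasons.append("claims our domain but failed SPF/DMARC")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = {
        "legit": {"From": "Jane Doe <jane.doe@example.com>",
                  "Authentication-Results": "mx.example.com; spf=pass dmarc=pass"},
        "free-mail": {"From": "Jane Doe <jane.doe@webmail.test>"},
        "lookalike": {"From": "Jane Doe <jane.doe@examp1e.com>"},
        "spoofed": {"From": "Jane Doe <jane.doe@example.com>",
                    "Authentication-Results": "mx.example.com; spf=fail dmarc=fail"},
    }
    for name, hdrs in samples.items():
        print(f"{name:10s} -> {check_message(hdrs) or 'clean'}")
```

Each reason maps to a filter action a mail gateway can take (quarantine, banner, or route to a reviewer); the distance threshold and the executive list are the two knobs a company would tune.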
Beyond these steps, you need to start taking a broader look at your company as a whole, identifying high-risk individuals. As we mentioned, HR and IT departments as well as financial and C-level executives are popular targets. Who does this mean is at risk in your company?
Once you’ve identified at-risk users, be sure to establish several points of authorization, especially for funds transfers. In addition, KnowBe4 recommends that you create minimum time periods before transfers can go through, since the average time between a phishing attack and a breach is just two minutes, according to Verizon’s 2020 Data Breach Investigations Report. What you do not want is a situation where an attacker can trick a single user into approving a transfer-of-funds request and complete it instantly without further delay or approval. KnowBe4 recommends creating a 24-hour minimum so that there is adequate time for checks and balances.
In addition, you need to create and implement security policies and then make them public to all employees. CEO fraud is not just an IT issue, so it should not be IT’s sole responsibility to prevent it. Top-level management needs to care and plan for it as well. Policy topics that need to be reviewed or created include employees handling email attachments, clicking links from unknown sources, using and storing things on USBs, creating strong passwords, participating in training, and using the WiFi. Wire transfers especially need to be locked down tight.
Another item you and your team need to address is security procedures, not to be confused with policies. Procedures include such items as blocking internal access to sketchy websites, conducting vulnerability assessments and penetration tests on WiFi and other networks, and—again—really clamping down on wire transfer authorization. Confirmation beyond just an email is needed. Either phone, video, or face-to-face authorization needs to be required for any and all requests for money like this.
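The transfer controls spread across the last few paragraphs (several distinct approvers, a 24-hour minimum hold, and confirmation over a channel other than email) fit together as one release gate. The following is an added example, not code from the article or from KnowBe4; the class, the number of required approvers, the channel names and the sample request are all assumed. The 24-hour hold is the figure the article quotes.

```python
"""Funds-transfer release gate (added example, assumptions noted inline)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

MIN_HOLD = timedelta(hours=24)                 # minimum the article recommends
REQUIRED_APPROVERS = 2                         # assumed policy value
OUT_OF_BAND = {"phone", "video", "in_person"}  # email is deliberately absent


@dataclass
class TransferRequest:
    requester: str
    amount: float
    beneficiary: str
    submitted_at: datetime
    approvals: Set[str] = field(default_factory=set)
    confirmation_channel: Optional[str] = None

    def approve(self, approver: str) -> None:
        # The person who raised the request never counts as one of its approvers.
        if approver == self.requester:
            raise PermissionError("requester may not approve their own transfer")
        self.approvals.add(approver)

    def confirm_out_of_band(self, channel: str) -> None:
        # Only a non-email channel satisfies the confirmation requirement.
        if channel not in OUT_OF_BAND:
            raise ValueError(f"{channel!r} is not an accepted confirmation channel")
        self.confirmation_channel = channel


def release_blockers(req: TransferRequest, now: datetime) -> list:
    """List every control that still blocks release; empty list means releasable."""
    blockers = []
    if len(req.approvals) < REQUIRED_APPROVERS:
        blockers.append(f"needs {REQUIRED_APPROVERS} approvers, has {len(req.approvals)}")
    if now - req.submitted_at < MIN_HOLD:
        blockers.append("24-hour hold has not elapsed")
    if req.confirmation_channel is None:
        blockers.append("no out-of-band confirmation")
    return blockers


def can_release(req: TransferRequest, now: datetime) -> bool:
    return not release_blockers(req, now)


def scenario() -> dict:
    """Walk a constructed request through the gate and record each outcome."""
    t0 = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)
    req = TransferRequest("alice", 48000.0, "Acme Supplies (constructed)", t0)
    out = {}
    # Two minutes after an email-only "urgent" request: every control still blocks.
    out["email_only_blockers"] = len(release_blockers(req, t0 + timedelta(minutes=2)))
    req.approve("bob")
    try:
        req.approve("alice")
        out["self_approve"] = "allowed"
    except PermissionError:
        out["self_approve"] = "rejected"
    req.approve("carol")
    out["approved_but_too_soon"] = can_release(req, t0 + timedelta(hours=1))
    out["after_hold_no_oob"] = release_blockers(req, t0 + MIN_HOLD)
    try:
        req.confirm_out_of_band("email")
        out["email_confirmation"] = "accepted"
    except ValueError:
        out["email_confirmation"] = "rejected"
    req.confirm_out_of_band("phone")
    out["released"] = can_release(req, t0 + MIN_HOLD)
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

Because `release_blockers` reports every unmet control rather than the first one, the same function serves both the approver's screen and an audit log; a request released with any blocker still listed is itself a reportable incident.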
Since management needs to take an active role in protecting against CEO fraud, they need to work to reduce risk from the top down. Cyber-risk planning seeks to understand the risks the company faces from its technology, find ways to manage them, and develop a response plan. Cyber incidents will happen; an attack only needs to be successful one time, while your security needs to be successful 100% of the time. You can see why breaches happen. It’s just a matter of how you respond to these incidents. Security briefings are a good place to start. You also need to outline in detail what constitutes an incident that must be reported to management. Establish thresholds for volume, type of threat, and other categories.
Finally—and this can’t be emphasized enough—you need to be training your employees. This also starts at the top, and it trickles down all the way through the company. It’s one thing to mandate security trainings for the people at the bottom. What they don’t tell you is that CEOs can fall for fraud just as easily as their employees. Everyone makes mistakes. Falling for a phishing attack or a convincing fraudulent email is easier than you might think. That’s why your C-suite executives need to also be doing the trainings they assign. Again, security trainings—especially those that teach employees how to identify phishing attacks—are essential. As we have seen, phishing attacks are the number one way data breaches happen. They also represent a significant starting point for CEO fraud. Everyone in the company needs to be suspicious of unexpected emails, and that includes you.