CEO Fraud

CEO Fraud, also known as Business Email Compromise (BEC), is a $26 billion worldwide scam according to the FBI. Find out how you can prevent this type of attack and what to do if you become a victim.

CEO Fraud Prevention Manual

What is CEO Fraud?

CEO Fraud is a scam in which cyber criminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing an unauthorised bank transfer, or sending out confidential tax information.

This type of scam is also called "Business Email Compromise". BEC is defined as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform bank payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorised transfers of funds.”

According to FBI statistics, CEO fraud is now a $26 billion worldwide scam. Between May 2018 and July 2019, there was a 100% increase in identified global exposed losses. The scam has been reported in 150 countries. Victim complaints filed with financial sources indicate fraudulent transfers have been sent to banks from roughly 140 countries.

Four Attack Vectors

1. Phishing

Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” for sensitive information by posing as reputable sources—often with legitimate-looking logos attached. Banks, credit card providers, delivery firms, law enforcement and the IRS are a few of the common ones. Most of these emails go to people who don’t use that bank, for example, but by sheer weight of numbers a certain percentage arrive at likely candidates.

2. Spear-Phishing

This is a much more focused form of phishing. The cyber criminal has either studied up on the group or has gleaned data from social media sites to con users. A spear phishing email generally goes to one person or a small group of people who use that bank or service. Some form of personalisation is included – perhaps the person’s name, or the name of a client.

3. Executive Whaling

Here, the bad guys target top executives and administrators, typically to siphon off money from accounts or steal confidential data. Personalisation and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.

4. Social Engineering

Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organisational personnel. This can include their contact information, connections, friends, ongoing business deals and more.

5 Common Scenarios

    1. Business working with a foreign supplier: This scam takes advantage of a long-standing bank transfer relationship with a supplier, but asks for the funds to be sent to a different account.
    2. Business receiving or initiating a bank transfer request: By compromising and/or spoofing the email accounts of top executives, another employee receives a message to transfer funds somewhere, or a financial institution receives a request from the company to send funds to another account. These requests appear genuine as they come from the correct email address. The legal sector is targeted in what is called 'Friday Afternoon Fraud', where the criminals try to divert cash transfers from house purchases/sales.
    3. Business contacts receiving fraudulent correspondence: By taking over an employee’s email account and sending invoices out to company suppliers, money is transferred to bogus accounts.
    4. Executive and attorney impersonation: The fraudsters pretend to be lawyers or executives dealing with confidential and time-sensitive matters.
    5. Data theft: Fraudulent emails request salary or tax information, or a company list of personally identifiable information (PII). These come from compromised and/or spoofed executive email accounts and are sent to the HR department, accounts, auditing departments or anyone who the cyber criminals believe will be helpful.

Who Are The Main Targets?

The label of this category of cyber crime may be CEO fraud, but that doesn’t mean the CEO is always the one in a criminal’s crosshairs. There are at least four other groups of employees considered valuable targets given their roles and access to funds/information:

Finance

The finance department is especially vulnerable in companies that regularly engage in large wire transfers. All too often, sloppy internal policies only demand an email from the CEO or other senior person to initiate the transfer. Cyber criminals usually gain entry via phishing, spend a few months doing recon and formulate a plan. They mirror the usual wire transfer authorisation protocols, hijack a relevant email account and send the request to the appropriate person in finance to transmit the funds. As well as the CFO, this might be anyone in accounts who is authorised to transfer funds.

HR

Human Resources represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organisation, manages the employee database and is in charge of recruitment. As such, a major function is to open CVs from thousands of potential applicants. All the cyber criminals need to do is include spyware inside a CV and they can surreptitiously begin their early data gathering activities. In addition, tax and PII scams have become more commonplace. HR receives requests from spoofed emails and ends up sending employee information such as National Insurance numbers and employee email addresses to criminal organisations.

Executive Team

Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority. If their email accounts are hacked, it generally provides cyber criminals access to all kinds of confidential information, not to mention intelligence on the type of deals that may be ongoing. Thus executive accounts must receive particular attention from a security perspective.

IT

The IT manager and IT personnel with authority over access controls, password management and email accounts are further high-value targets. If their credentials can be hacked, the criminals gain entry to every part of the organisation. See, we are important!

Technology v The Human Firewall

Most efforts towards risk mitigation concentrate on technology. However, these technology safeguards must be supported by what is known as the human firewall. Regardless of how well the defence perimeter is designed, the bad guys will always find a way in. They know that employees are the weakest link in any IT system. Thus, cyber criminals continue to rely on phishing and other tricks from the social engineering playbook. The following is a MINIMUM of what to have in place to protect yourself:

  • Endpoint Protection
  • Email Secure Gateway
  • Web Protection
  • Firewall
  • Two-Factor Authentication
  • Fully tried and tested backups!

  • Employees can be the easiest target
  • Train and educate your users on cyber threats
  • Everyone needs to be able to spot a phishing email
  • Regularly test users with phishing email to keep them up to date
  • New-school security awareness training is the way to create your own human firewall

Eight Steps To Mitigate Your Risk

Many of the preventative actions go hand-in-hand to create an effective mitigation program.

Identify Your High-Risk Users

These include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas including:

    • Review social/public profiles for job duties/descriptions, hierarchical information, out of office detail, or any other sensitive corporate data
    • Identify any publicly available email addresses and lists of connections

Set a Security Policy

Every organisation should set a security policy, review it regularly for gaps, publish it, review it again and make sure employees follow it. It should include such things as:

    • Not opening attachments or clicking on links from an unknown source
    • Not using USB drives on office computers
    • Password management policy (no reusing passwords, no Post-it notes on screens as password reminders, no sharing of passwords, etc.)
    • Required security training for all employees
    • Review policy on WiFi access. Include contractors and partners as part of this if they need wireless access when on site.
    • Ensure security levels are maintained when outside of the corporate environment.
Have a solid bank transfer policy: It should never be possible for a cyber criminal to hijack a corporate email account and convince someone to transfer a large sum immediately. Policy should limit such transactions to relatively small amounts. Anything beyond that threshold must require further authorisations. It is best practice to have multi-tier approval of purchase invoices and bank payments.

Confidential information: When it comes to Intellectual Property or employee records, policy should determine a chain of approval before such information is released.

Technical Controls

    • Email secure gateway
    • Two-factor authentication
    • Automated password and user ID policy enforcement
    • Comprehensive access and password management
    • Allow or deny external traffic
    • Patch/update of all IT and security systems
    • Manage access and permission levels for all employees, use the Least Privilege best practice
    • Review, regularly, existing technical controls and take action to plug any gaps
    • And more!

Develop Standard Procedures

IT should have measures in place to:

    • Block sites known to spread ransomware
    • Keep software patches and virus signature files up-to-date
    • Carry out vulnerability scanning and self-assessment using best practice frameworks such as US-CERT or SANS Institute guidelines
    • Conduct regular penetration tests on WiFi and other networks to see just how easy it is to gain entry
    • Implement domain spoof protection
    • Create intrusion detection system rules that flag emails from sender domains that are similar to, but not the same as, the company's own domain

Recommended company procedures include:

    • Make staff study the security policy and enforce it
    • Establish how executive leadership is to be informed about cyber-threats and their resolution
    • Establish a schedule for the testing of the cyber-incident response plan
    • Register as many domains as possible that are slightly different from the actual company domain

Cyber Risk and Mitigation Planning

    • Develop a comprehensive cyber incident response plan and test it regularly. Augment the plan based on results.
    • Executive leadership must be well informed about the current level of risk and its potential business impact.
    • Management must know the volume of cyber incidents detected each week and of what type.
    • Understand what information you need to protect: identify the corporate “crown jewels,” how to protect it and who has access.
    • Policy should be established as to the thresholds and types of incident that require reporting to management.
    • Cyber-risk MUST be added to existing risk management and governance processes.
    • Best practices and industry standards should be gathered up and used to review the existing cybersecurity program.
    • Consider obtaining comprehensive cyber security insurance that covers various types of data breaches.

*Note: Losses caused by human error, such as CEO fraud, are normally NOT covered by cyber security insurance.

Continuous Training For All Users

No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimising the danger, so it should be a key aspect of your prevention strategy.

  • Start by training staff on security policy.
  • Create a simple handbook on the basics of security to augment the training.
  • Training should include reminders to never insert USB drives from outside devices into work machines.
  • Training should also review password management and best practices.
  • Train users on how to identify and deal with phishing attacks with new-school security awareness training.
  • Implement a reporting system for suspected phishing emails, such as the Phish Alert Button.
  • Continue security training regularly to keep it top of mind.
  • Frequently phish your users to keep awareness up.

Phishing demands its own training and instruction, as it represents one of the biggest dangers. Let users know that hovering over email addresses and links in messages shows the actual email address or destination URL. Just because it says “Bank of America,” or “IT department” with all the right logos doesn’t mean it’s from that source. Add further instruction not to open unknown file types, click on links, or open attachments from unknown people or entities. Coach them into a suspicious frame of mind regarding requests to send in their passwords or account details. If, for instance, educating a student body in this manner isn’t feasible, put them on a separate network and severely restrict their access to sensitive data.

Security awareness training is strongly recommended. The best security awareness training programs baseline click rates on phishing emails and harness user education to bring that number down. Don't expect a 0% click rate though. Good employee education can reduce phishing success significantly, but there is always someone who doesn’t pay attention, is in a hurry that day, or is simply outsmarted by a very clever cyber criminal.

Continuous Simulated Phishing

  • Run an initial phishing simulation campaign to establish a baseline percentage of which users are phish-prone.
  • Continue simulated phishing attacks at least once a month, but twice is better.
  • Once users understand that they will be tested on a regular basis, and that there are repercussions for repeated failures, behavior changes. They develop a less trusting attitude and get much better at spotting a scam email.
  • Randomise email content and the times they are sent to different employees. When they all get the same thing, one employee spots it and leans out of the cubicle to warn the others.

Stay Aware Of Red Flags

Security awareness training should include teaching people to watch out for red flags. Here are the most common things to watch out for:

  • Awkward wordings and misspellings
  • Slight alterations of company names such as Centriffy instead of Centrify or Tilllage instead of Tillage
  • Spoofed email addresses and URLs that are very close to actual corporate addresses, but only slightly different
  • Sudden urgency or time-sensitive issues
  • Phrases such as “code to admin expenses,” “urgent bank transfer,” “urgent invoice payment” and “new account information” are often used.
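
The red flags above, together with the rule suggested under Develop Standard Procedures (flag sender domains that are similar to the company's own), can be turned into a simple mail-flow check. The following Python script is an added example, not part of this manual or any product it mentions; the company domain, executive names, urgency phrases and the two sample messages are all constructed assumptions.

```python
from email.utils import parseaddr

# Assumptions (constructed for this example): the company's real domain and the
# executives whose names a fraudster would borrow in a display name.
COMPANY_DOMAIN = "tillage-example.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}
URGENT_PHRASES = ("urgent bank transfer", "urgent invoice payment",
                  "new account information", "code to admin expenses")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike_domain(domain: str, max_edits: int = 2) -> bool:
    """True for a domain close to, but not exactly, the company domain."""
    d = domain.lower()
    return d != COMPANY_DOMAIN and edit_distance(d, COMPANY_DOMAIN) <= max_edits

def check_email(headers: dict, body: str) -> list:
    """Return the red flags found in one message (an empty list means none)."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if is_lookalike_domain(sender_domain):
        flags.append(f"lookalike sender domain: {sender_domain}")
    # An executive's name shown on mail that did not come from the company domain
    if name.lower() in EXECUTIVE_NAMES and sender_domain != COMPANY_DOMAIN:
        flags.append(f"executive name used from external domain: {name}")
    # Replies silently redirected to a different mailbox than the sender's
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        flags.append(f"Reply-To domain differs from sender: {reply_to}")
    hits = [p for p in URGENT_PHRASES if p in body.lower()]
    if hits:
        flags.append("urgency phrases: " + ", ".join(hits))
    return flags

# Constructed sample messages, not real traffic.
SAMPLE_FRAUD = ({"From": "Jane Doe <jane.doe@tilllage-example.com>",
                 "Reply-To": "jane.doe@mail-example.net"},
                "Please process this urgent bank transfer before 5pm today.")
SAMPLE_LEGIT = ({"From": "Jane Doe <jane.doe@tillage-example.com>"},
                "Minutes from Monday's board meeting are attached.")
```

`check_email(*SAMPLE_FRAUD)` returns four flags (lookalike domain, borrowed executive name, mismatched Reply-To, urgency phrase) while `check_email(*SAMPLE_LEGIT)` returns an empty list; a hit should route the message for review rather than block it outright, since a two-edit threshold will also catch legitimate partner domains.
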

BONUS! Backup!

  • Make sure you back up your data; it will get you out of a hole if all else fails.
  • Make sure you check your backup reports.
  • Test your backups regularly to make sure they will get you out of a hole!
  • Perform disaster recovery scenarios and document the process.
  • Ensure that more than one person knows how to recover data in the event of a disaster.
  • Make sure that you have an offline and offsite copy.