July 31, 2017
CEO Fraud is Killing Companies – 5 Steps to Stopping it
CEO Fraud is defined as a scam in which cybercriminals spoof company email accounts and impersonate executives, using spear phishing to fool someone in your company (an employee in accounting, finance or HR) into executing unauthorized wire transfers or payments, or into sending confidential information to outside parties.
We came up with 5 steps to preventing CEO fraud … READ ON.
CEO Fraud & Spear Phishing Statistics
CEO Fraud is now a $5.3 billion business, up from $3.1 billion in 2016. The FBI said that about 25% of U.S. victims respond to CEO Fraud by wiring money to fraudsters. While these numbers are staggering, it is estimated that the FBI is aware of only 20% of the total, so the actual number could be 5 times this amount. The growth in these types of attacks is staggering, with sixty-one percent (61%) of companies reporting spear phishing attacks, a core component of CEO fraud.
Most victims are in the US (all 50 states), but companies in 100 other countries have also reported incidents. Unless the fraud is spotted within 24 hours, the chances of recovery are small.
This attack affects companies of all sizes. I personally know of several companies that have either sent money or personal data to criminals as part of CEO fraud schemes. The U.S. Department of Justice said that it had charged a Lithuanian man with orchestrating a fraudulent email scheme that had tricked agents and employees of Facebook and Google into wiring more than $100 million to overseas bank accounts. Internet cybercrime gangs have also used spoofed emails to trick HR departments into releasing W-2 forms.
Here is how CEO fraud is perpetrated
The FBI calls this type of scam “Business Email Compromise” and defines BEC as “a sophisticated spear phishing scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
Various methods are used to gather information such as where money or private information is, how to access it, and who is in the chain-of-access in your company so that it can be used for financial gain.
CEO Fraud Attack Methods
- Targeted spear phishing – Emails, text messages and phone calls to executives and to the accounting, finance and HR departments, designed to obtain information about bank or financial accounts, account numbers, personal private information or passwords. These emails impersonate someone in power to convince others to do something such as wire funds.
- Email/identity spoofing – Allows impersonation of other people’s identities to elicit wire transfers or other unauthorized activities.
- Social engineering – Acquiring information from public sources such as social websites, your own website, news, web posts and other sources to obtain company-specific data that enables identity spoofing.
- Hacking – Stealing company-specific or private data that allows access to bank accounts or financial data.
Five Different Scenarios for Extorting Money from Companies
- Business Working with a Foreign Supplier: A business that typically has a longstanding relationship with a supplier is requested to wire funds for an invoice payment to an alternate, fraudulent account.
- Business Executive Receiving or Initiating a Request for a Wire Transfer: The e-mail accounts of high-level business executives (Chief Financial Officer, Chief Technology Officer, etc.) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company who is typically responsible for processing these requests.
- Business Contacts Receiving Fraudulent Correspondence through Compromised E-mail: An employee of a business has his or her personal e-mail hacked. This personal e-mail may be used for both personal and business communications. Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee’s personal e-mail to multiple vendors identified from this employee’s contact list.
- Business Executive and Attorney Impersonation: Victims report being contacted by fraudsters who typically identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters.
- Data Theft: Fraudulent requests are sent utilizing a business executive’s compromised e-mail. The entities in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipients of the fraudulent request for W-2 and/or PII.
5 Steps to Preventing CEO Fraud
Here are 5 steps that can seriously reduce your chances of falling victim to CEO fraud.
1. Install strong security solutions for:
   - Email security (including anti-phishing, spear phishing, data loss prevention, spam and malware)
   - Web security (use advanced endpoint security)
   - Gateway security (firewalls with advanced web and anti-malware security)
2. Be careful what you post to public web accounts (that includes Facebook, LinkedIn, websites, forums etc.)
3. Implement a Security Awareness Training (SAT) and phishing simulation solution
4. Implement 2-factor authentication and internal security procedures for:
   - Email access (such as Office 365)
   - Financial transactions (both online and by adding internal processes)
   - Digital signatures for external transactions
   - A process to verify anything suspicious directly with the source
5. Register company domains that are similar to yours to prevent domain spoofing
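As an added example (not code from the original post), a small Python filter that scores an inbound message for the spoofing indicators described above: a lookalike sender domain, an executive’s display name on an unexpected mailbox, a Reply-To that diverts the conversation elsewhere, and wire/W-2 language. The trusted domain, executive name and sample message are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example (hypothetical): our real domain and the
# executives whose names a CEO-fraud lure borrows.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENT = re.compile(r"\b(wire|transfer|invoice|w-?2|urgent|today)\b", re.I)
def edit_distance(a, b):
    """Levenshtein distance: one substitution turns example.com into examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """True for a domain that is not ours but is within 2 edits of, or embeds, our name."""
    domain = domain.lower()
    return domain not in TRUSTED_DOMAINS and any(
        edit_distance(domain, t) <= 2 or t.split(".")[0] in domain for t in TRUSTED_DOMAINS)

def score_message(raw):
    """Return the CEO-fraud indicators found in one RFC 822 message ([] = clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if is_lookalike(domain):
        reasons.append("lookalike sender domain " + domain)
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:  # executive's name on the wrong mailbox
        reasons.append("display name '%s' impersonates %s" % (name, expected))
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain and reply_domain not in TRUSTED_DOMAINS:
        reasons.append("Reply-To diverts replies to " + reply_domain)
    # Payment/PII wording only counts once the sender already looks wrong.
    if reasons and URGENT.search(msg.get("Subject", "") + " " + msg.get_payload()):
        reasons.append("urgent payment/PII language")
    return reasons
# Constructed lure: executive's name on a lookalike domain, replies diverted elsewhere.
SAMPLE_LURE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.jdoe@mail-example.net
Subject: Urgent wire today

I am in a meeting, please wire the invoice amount to the new vendor account.
"""
```

A message that trips any of these checks should be held and verified with the sender by phone, which is the step 4 process above; the wording check alone is deliberately not enough to flag a message.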
Phishing, Spear Phishing and CEO Fraud are serious problems for all companies. It can happen to anyone. Make sure that you partner with cybersecurity experts to reduce your risk and to get your employees trained. Contact us – we can help.