CEO Phishing: 4:25 pm, an urgent message

Imagine sitting in your office (or at home, more likely, considering the current situation), doing your job and drinking a hot beverage, when you suddenly get an email from your superior requesting an urgent transfer of money needed to close a deal with an important client. Would you immediately do it, or would you become suspicious? I would suggest being skeptical, as a very particular scam, appropriately called ‘CEO fraud,’ has recently grown in popularity. It can cause a lot of damage to you and your company.

What is CEO fraud?

As the name suggests, and as you might have concluded from the hypothetical situation above, CEO fraud is a type of spearphishing attack that targets the employees who handle the company’s money, typically the accounting or finance teams. Cybercriminals impersonate senior management or executives so that the victims believe they need to send money immediately to help their company. Of course, the money is transferred to an account that belongs to the cybercriminals instead.

It might seem like a scam no one could ever fall for, but, of course, the situation is not that simple. Many people will not suspect anything in the first place if the email seems like it is coming from their company, and the people behind the scam will do their best to make everything seem believable.

We often think of scams as super obvious, such as the ‘Nigerian prince’ scam, a meme on the internet for ages, but the scammers are becoming more professional.

For example, for a CEO fraud, the criminals might research the company to find out the names of its important people. The information is usually public, quite often on the company’s site or social media. It is practically identity theft, just on a smaller scale. After that, they will probably set up a fake email address that seems authentic at first glance but differs from the real one by a letter or two, so the difference is easy to miss.

Another option is email spoofing, which means that the sender forges the ‘From’ address in the email header, making it seem as if the email was sent from a legitimate address even though it was not. In either case, any reply you send goes to the scammer and not to the person they are pretending to be.
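As an added illustration (not code from the original post), here is a small Python check that a mail filter or awareness tool could run on an incoming message: it flags a sender domain that is only a letter or two away from the organization’s own domain, and a Reply-To address that would route replies somewhere other than the apparent sender. The sample message, domains and names are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From domain imitates the company's domain with one
# character swapped (l -> 1), and Reply-To points at an unrelated mailbox.
SAMPLE_RAW = """From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-relay.example
To: accounts@example-corp.com
Subject: Urgent transfer

Please wire the payment today.
"""


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw, org_domain, max_edits=2):
    """Return human-readable warnings for a raw RFC 5322 message text."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    org = org_domain.lower()
    from_dom = domain_of(from_addr)
    warnings = []
    if from_dom and from_dom != org:
        d = edit_distance(from_dom, org)
        if d <= max_edits:  # a near-miss of our own domain is the classic look-alike
            warnings.append(f"look-alike sender domain {from_dom!r} ({d} edit(s) from {org!r})")
        else:
            warnings.append(f"external sender domain {from_dom!r}")
    reply_dom = domain_of(reply_addr)
    if reply_dom and reply_dom != from_dom:  # replies would not reach the apparent sender
        warnings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    return warnings


if __name__ == "__main__":
    for w in check_sender(SAMPLE_RAW, "example-corp.com"):
        print("WARNING:", w)
```

A check like this is a signal for a human to look closer, not a verdict; a legitimately external partner or a spoofed From with no Reply-To will need other controls (such as the transfer approval rules described below).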

When it comes to the email contents, scammers will play on the psychology card, using social engineering methods to convince people to send them money. Social engineering, also called ‘human hacking,’ is a technique in which people are manipulated into giving away confidential info or performing actions they might not want to do.

It has also been described this way: ‘any act that influences a person to take an action that may or may not be in their best interests.’ Sending a company’s money to a scammer is not in an employee’s best interest. The scammers also count on the victim not wanting to disappoint someone they look up to, and on the victim feeling proud to have been chosen for a unique and essential task. Additionally, they will do their best to make everything seem urgent, so the victim has no time to check whether the situation is real or to ask many questions.

Unfortunately, CEO fraud can be very successful. For example, in 2018, the city of Ottawa, in Canada, suffered from this type of scam when the scammers convinced the city treasurer to send them over CA$100,000. A few days later, they tried the same thing again, this time asking for even more money, but, by pure luck, the person they were impersonating was with the treasurer when the email arrived, so the scam was discovered. However, luck is not something that can be counted on, so what are some ways to protect yourself and your company from the dangers of CEO fraud?

How to protect your organization

Disabling the option of a single person directly sending the company’s money to anyone is a good start. If multiple people have to confirm every transfer, the scam has a much smaller chance of succeeding. A company can also set clear rules regarding any potential money transfers, so the employees know that any email asking them to break those rules should not be trusted.

Additionally, the best way to prevent any scam is by educating people about it. Regarding this type of fraud, it is a priority to train the people who are the most likely targets, such as the already mentioned members of accounting, finance, and similar money-related departments. Of course, this does not mean the other employees should not be trained too, as the company will always be more secure if everyone is aware of the potential dangers.
