It’s fair to say that if the CEO asks you to do a task at work – you don’t give it much thought. And it is generally a safe way to stay on their good side – maybe even favoured. However, our “Don’t ask questions, just get the job done” attitude is ripe for exploitation by cybercriminals. CEO impersonation attacks have become prevalent in recent years; one could even say it’s a favourite for cybercriminals because of the potential of a huge payday. Almost $2 billion was lost to CEO fraud in 2020.
But what exactly is CEO fraud, how does it work and how can you defend your organisation against these scams?
CEO impersonation: The boss needs your help and it’s urgent!
“CEO fraud”, also known as “Business Email Compromise” (BEC), is when a social engineer impersonates a CEO, CFO or other C-level executive. The scammer urges employees with access to sensitive – often financial – information to divulge that information or even take actions like illicit wire transfers.
What is important to understand is that executives themselves are not usually attacked outright. Attackers like to move laterally. The first person to be approached in a system is almost never the most valuable. It is the most accessible person. Targets are typically mid-level staff members in the financial, accounts payable or human resources department. Then attacker moves through the victim’s social and technical network to get to higher-value targets such as executive assistants, people who handle wire transfers, and people sitting inside of IT.
CEO fraud scammers use a highly targeted form of spear-phishing. They profile their potential victim, learning everything they can about the CEO, CFO etc. from the organization’s website and social media sites. They may check LinkedIn to find out who is responsible for processing payments, and they can check Facebook, Instagram, or Twitter to learn when key authorizers are on holidays, leaving their backup as the victim. It should be noted that executive location is a trigger for many attacks. When an attack occurs, it may seem like it came out of nowhere, but in most cases the social engineer may have tracked planned executive business or leisure travel for months.
Before social media avenues were available research on CEOs would have been a lot harder to unearth. Websites – especially social media sites – not only makes the whole process more efficient but also reduces the risk to the criminal.
Once they have the information, attackers craft an email that appears to come from the high-level executive and uses information learned about the target to make the email seem authentic. They create a sense of urgency to incite the employee to act quickly. The effect is that employees are often inclined to act without double checking to make sure the request is legitimate. Plus, the higher the executive is in the company, the more assured is the employee response. Who wants to take the risk of disappointing an executive who trusts you?
CEO impersonation: A costly business
Cybercriminals know that everyone has a full inbox, making it easy to catch people off-guard and convince them to respond. One example of a CEO fraud attack that took place back in November 2017 (see story on Trustwave), successfully ripped off a female employee, stealing thousands of dollars from her organization. Using carefully drafted words a casual tone, the attacker impersonated her CEO, asking whether she can handle a pending international payment on an urgent basis. “The amount is for $30,120. I am guessing it is very late already for the transfer, or can you still get it done today?” The attacker made sure not to press the victim to avoid any suspicions and of course was highly successful in their deception.
In 2018, the Canadian city of Ottawa became a victim of impersonation attack. The city treasurer, Marian Simulik, received a scam email and wired over CA$100,000 to fraudsters. A few days later, she received another fraudulent email, asking to wire another CA$150,000. Luckily, Simulik received the second email while in the same room as City Manager Steve Kanellakos, who the fraudsters were impersonating. She asked him if the request was legitimate, which blew the lid off the scam.
These are only two examples from an endless list of CEO fraud attacks. According to TEISS, impersonation attacks targeting businesses of all sizes across the world rose by almost 70% in 2019, compared to the previous year. This resulted in more than $1.7 billion in losses in the US alone. With the advent of the pandemic, CEO fraud has risen sharply due to remote working. Employees have less opportunities for a face-to-face chat with their boss over email requests. The result is that email scammers have impersonated over 7000 CEOs since the pandemic began. In fact, the FBI claims that more money was lost this year through BEC attacks than in any other year since the bureau began tracking such crimes.
CEO impersonation: What can be done to protect your organization
The first corporate security reflex is to try to minimize the visibility of the CEO. Unfortunately, the CEO is typically a public figure and the face of the company, so those sorts of measures are rarely effective. As it is hard to minimize the visibility of CEO travel plans, corporate policy should include a vigilant process for the confirmation of CEO directives or even power delegation during periods of CEO travel.
In truth, corporate education about CEO fraud is the most important defense. Employees should not blindly accept any direct change request concerning the transfer of funds or accounts solely because of an email they received. They should be encouraged to verify such requests without fear of reprimand.
And while email is often the key avenue for illicit requests, that may be the last step in a larger scheme that has leveraged the employee’s social media presence. As has been touched upon in previous posts, social media content can be foothold for cybercriminals. To protect both employees and the business itself, organizations must take a holistic approach to protecting the corporate and private digital lives of their employees. Vigilance pays off when it comes to CEO fraud.