CEO Fraud Is A Growing Risk: Here’s How To Defend Against It
CEO fraud, the best-known form of the Business Email Compromise (BEC) scam, is one of the costliest forms of cybercrime targeting businesses today.
According to the FBI, BEC attacks accounted for more than $43 billion in exposed losses between June 2016 and December 2021, with identified global exposed losses rising 65% between July 2019 and December 2021 alone. Similar warnings have been issued by the IRS and the FTC. Some in the cybersecurity community are also concerned that the global crackdown on ransomware could push many of those criminal gangs towards BEC instead, causing an even bigger surge in these attacks. For these reasons, businesses should treat CEO fraud as a top-tier threat.
What Is CEO Fraud?
CEO fraud usually begins when a cybercriminal compromises the email account of a high-ranking executive, then uses that account to send targeted phishing emails (known as "spear-phishing") to other employees. The attacker then social engineers those employees into sending money or information out of the company.
These attacks are not limited to executives, however. In some cases, attackers take over the accounts of lower-ranking employees, contractors, vendors or even customers to carry out the same scam. In another variation, the attacker never controls the executive's real mailbox at all. Instead they use "spoofing", either forging the From header outright or registering a look-alike domain, so that a message appears to come from the executive when it was in fact sent from an entirely different account.
High-Risk For Businesses
CEO fraud is extremely dangerous to companies because employees are more likely to “do as they are told” and not ask questions when they think they are being contacted by an executive.
Hackers often use CEO fraud to trick an employee into making a large wire transfer that they claim is needed for an important business deal or a vendor invoice. This type of manipulation can easily lead to significant losses for the targeted company, ranging from hundreds of thousands to millions of dollars in a single attack.
Cybercriminals also use other means of extracting value through these attacks. A common tactic is to ask for gift cards rather than a wire transfer, since the request is easier for the victim to fulfil and raises fewer suspicions. The criminal tricks an employee into buying a large dollar amount of gift cards, on the pretence of a special company event, then asks them to scratch off the codes on the back and email them. The cards are immediately converted to cash through criminal resale networks.
Not Always About The Money
While CEO fraud is traditionally a financial scam, its high rate of success has convinced other types of hackers to use it as well, including nation-states, espionage actors, ransomware gangs, data breach criminals, hacktivists and saboteurs.
The chief executive’s email is a powerful weapon in the hands of any hacker since it can be used to command almost any employee within the organisation. Therefore, there are numerous ways for an adversary to use this type of phishing attack to cause significant damage inside the company. The full range of threats from this scam runs the gamut, from financial theft to cyber-espionage, ransomware, extortion, doxxing and sabotage.
For example, a hacker could use CEO fraud to manipulate the human resources department into sharing sensitive personnel information that can later be used for identity theft or doxxing. The attacker could also use it to steal valuable intellectual property from the company’s R&D, software development or engineering teams. Likewise, they can target the accounting and legal departments to steal sensitive documents, which might be used for fraud or corporate extortion. They can trick the IT team into sharing the login credentials for key executive accounts. They can manipulate employees into downloading dangerous files that will infect the entire company with malware or ransomware. The risks are virtually endless.
New BEC Tactics Are Emerging
As the name implies, Business Email Compromise has traditionally been limited to email-based phishing. That is now starting to change. We are seeing more cybercriminals shift to other communication platforms to carry out CEO fraud, and these tactics will only get better over time. For example, the FBI warned in February 2022 about a rise in "virtual meeting BEC", where the attacker sets up a fake Zoom, Skype or Microsoft Teams meeting with employees and impersonates an executive, sometimes using a deepfake voice.
Similarly, we have also seen BEC-style scams used in Slack (Electronic Arts suffered a data breach in 2021 this way), messaging apps such as WhatsApp, social media, and SMS. There are also a growing number of malicious attacks in Google Docs. Even calendar invites can be weaponised to spread malware or lead employees to malicious sites.
In today’s hybrid work environment, where many employees are still working remotely and communications via cloud-based digital platforms are the norm, it is easier than ever for a cybercriminal to impersonate an executive to scam other employees.
How CEOs Can Reduce Their Risk
Good cyber hygiene is critical for preventing the most serious form of CEO impersonation – an actual account takeover.
CEOs should have strong, unique passwords for each of their corporate and personal accounts. They should also have multi-factor authentication enabled. It’s also very important to avoid signing into any accounts through links provided via email, text message or other communications, as this is a common tactic hackers use to steal an account.
However, attackers can also hijack certain accounts without ever learning the password. They do this by stealing the "session cookies" from the browser and replaying them, which resumes the executive's already-authenticated session and sidesteps both the password and multi-factor authentication. To reduce this risk, executives must have robust anti-malware solutions installed on all of their devices, including personal devices at home, and should sign out of sensitive services rather than leaving sessions open indefinitely.
How To Harden Your Company Against These Attacks
One of the best defences against CEO fraud is to put in place strong company-wide security policies backed by clear education that make everyone aware of the risks and their responsibilities.
Clear and inflexible policies should exist for all important activities, such as sending a wire transfer (or any large expenditure), sharing sensitive materials or information, or resetting account credentials. For example, more than one executive should be required to authorise a large financial transaction such as a wire transfer, and the person who keys the payment should never be one of the approvers. Any new or changed beneficiary bank details should be confirmed by calling a number already on file, never one supplied in the request itself. Multiple authorisations should also be required for requests to share important company or employee information. Encryption should be used for any shared files or documents. Employees must follow these policies regardless of the circumstances or of who appears to be asking, so that urgency and seniority cannot be used against them.
It is also important to reduce the number of people who can interact with C-suite executives and other key figures (such as the HR director), through communications allow-listing (whitelisting). This should cover not only email but other digital platforms as well, such as messaging apps and Slack.
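As an added example (not the author's or any vendor's code) of the payment policy just described, the following enforces dual control for a wire transfer as a small state machine: the person who raised the request cannot approve it, the same authoriser cannot count twice, transfers at or above a threshold need two distinct authorisers, and funds are never released to a beneficiary whose bank details have not been verified out of band. The threshold, authoriser list and verified-beneficiary set are hypothetical values for the example.

```python
from dataclasses import dataclass, field

# Hypothetical policy parameters for this example.
DUAL_CONTROL_THRESHOLD = 10_000   # at or above this amount, two distinct authorisers must sign off
AUTHORISERS = {"cfo@example.com", "controller@example.com", "treasurer@example.com"}
# Beneficiaries whose bank details were confirmed by calling a number on file, not one from an e-mail.
VERIFIED_BENEFICIARIES = {"ACME Supplies Ltd"}


class PolicyViolation(Exception):
    """Raised when a request tries to bypass the payment policy."""


@dataclass
class TransferRequest:
    request_id: str
    requester: str            # whoever keyed the payment; cannot approve their own request
    beneficiary: str
    amount: float
    approvals: set = field(default_factory=set)
    released: bool = False


def approvals_required(req: TransferRequest) -> int:
    return 2 if req.amount >= DUAL_CONTROL_THRESHOLD else 1


def approve(req: TransferRequest, approver: str) -> int:
    """Record one approval and return the count so far, enforcing separation of duties."""
    if req.released:
        raise PolicyViolation("request already released")
    if approver not in AUTHORISERS:
        raise PolicyViolation(f"{approver} is not an authoriser")
    if approver == req.requester:
        raise PolicyViolation("a requester cannot approve their own transfer")
    if approver in req.approvals:
        raise PolicyViolation("one person cannot supply both approvals")
    req.approvals.add(approver)
    return len(req.approvals)


def release(req: TransferRequest) -> bool:
    """Release funds only when every policy check holds, regardless of who is asking."""
    if req.beneficiary not in VERIFIED_BENEFICIARIES:
        raise PolicyViolation(f"bank details for {req.beneficiary!r} were not verified out of band")
    if len(req.approvals) < approvals_required(req):
        raise PolicyViolation(f"{len(req.approvals)} of {approvals_required(req)} approvals present")
    req.released = True
    return True


if __name__ == "__main__":
    req = TransferRequest("TR-1", "treasurer@example.com", "ACME Supplies Ltd", 250_000)
    approve(req, "cfo@example.com")
    approve(req, "controller@example.com")
    print("released:", release(req))
```

The point of the design is that none of the checks consult who is asking or how urgent the request sounds: an attacker in the CEO's mailbox can still only ever be one approver, and cannot conjure a verified beneficiary by email.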
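The following is an added illustration, not code from the author or from BlackCloak, of how the spoofing described under "What Is CEO Fraud?" and the communications allow-listing above can be turned into concrete mail-filter checks. It parses message headers and flags four things: an executive's display name on an address that is not theirs, a Reply-To diverted to another domain, a message claiming the corporate domain without a DMARC pass in the receiving server's Authentication-Results header, and external mail reaching a protected mailbox from a domain that is not allow-listed. The organisation settings, executive names and sample messages are all constructed for the example.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Hypothetical organisation settings (assumptions for this example only).
CORP_DOMAIN = "example.com"
# Executives to protect from display-name impersonation: normalised name -> real address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Mailboxes that may receive external mail only from allow-listed domains.
PROTECTED_RECIPIENTS = {"accounts-payable@example.com", "hr-director@example.com"}
ALLOWED_EXTERNAL_DOMAINS = {"trusted-vendor.example"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list[tuple[str, str]]:
    """Return (finding-code, detail) pairs for one RFC 5322 message, in check order."""
    msg = email.message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    name_key = re.sub(r"\s+", " ", from_name).strip().lower()

    # 1. Display-name impersonation: an executive's name on an address that is not theirs.
    expected = EXECUTIVES.get(name_key)
    if expected and from_addr.lower() != expected:
        findings.append(("display-name-impersonation",
                         f"'{from_name}' sent from {from_addr}, expected {expected}"))

    # 2. Reply-To on a different domain than From: replies (and invoices) go to the attacker.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(("reply-to-mismatch",
                         f"Reply-To {reply_addr} differs from From domain {from_domain}"))

    # 3. Header From claims our own domain but the receiving MTA recorded no DMARC pass,
    #    i.e. the header was forged. A published DMARC p=reject policy would normally stop
    #    this upstream; the check here catches mail that arrived anyway.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == CORP_DOMAIN and "dmarc=pass" not in auth:
        findings.append(("dmarc-not-pass",
                         f"claims {CORP_DOMAIN} but Authentication-Results: {auth or 'absent'}"))

    # 4. Communications allow-list: protected mailboxes accept external mail only from approved domains.
    recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    for rcpt in recipients:
        if rcpt in PROTECTED_RECIPIENTS and from_domain not in ({CORP_DOMAIN} | ALLOWED_EXTERNAL_DOMAINS):
            findings.append(("not-allow-listed",
                             f"{from_addr} is not allow-listed to contact {rcpt}"))
    return findings


# Constructed sample messages (not real traffic).
LOOKALIKE = """From: Jane Doe <jane.doe@examp1e-mail.example>
Reply-To: ceo-office@another.example
To: accounts-payable@example.com
Subject: Urgent wire before 5pm
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e-mail.example; dmarc=none

I am in a board meeting and cannot take calls. Pay the attached invoice today.
"""

FORGED_HEADER = """From: Jane Doe <jane.doe@example.com>
To: hr-director@example.com
Subject: Payroll records for all staff
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com

Send me everyone's payroll records as a single PDF.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: accounts-payable@example.com
Subject: Q3 budget review
Authentication-Results: mx.example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Attached.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE), ("forged", FORGED_HEADER), ("legitimate", LEGITIMATE)):
        print(label, check_message(sample))
```

The look-alike message trips three checks at once (impersonated display name, diverted Reply-To, and an unapproved sender reaching accounts payable), the forged-header message trips only the DMARC check, and the genuine internal message trips none. In production these findings would feed a quarantine or a warning banner rather than a print statement.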
The most important way to combat these threats is by raising the level of conversation and awareness throughout the company. Businesses should hold regular reviews of their security programs, which encourage input and questions from all stakeholders. Specific issues like BEC should be top of mind, not only for the IT department but for all other departments within the company as any one of them could be targeted.
About the author: Chris Pierson, CEO and Founder of BlackCloak, served for over a decade on the Department of Homeland Security’s Privacy Committee and Cybersecurity Subcommittee. He is the former president of the Federal Bureau of Investigation’s Arizona InfraGard and the former Chief Privacy Officer for Royal Bank of Scotland. Dr Pierson is a Distinguished Fellow of the Ponemon Institute.