CEO Fraud, also known as Business Email Compromise (BEC), is a sophisticated scam targeting businesses of all sizes leveraging social engineering. The ultimate objective is to get unauthorized transfers of funds to the fraud actors’ bank accounts. It’s all about hard cash and top executives being the targets of such scams.
There are 3 main attack methods:
- Phishing
- Spear Phishing
- Executive “Whaling”
Spear phishing, and executive whaling in particular, are used to get to the big trophy. Malicious actors will spend a significant amount of time and resources gathering information to pick the right target(s) and to spy. Spying is essentially gathering a large amount of relevant information about a person (or several persons) of interest from multiple sources (corporate homepage, social media profiles, search engines, phone calls to extract further information, possibly going onsite to take photos, etc.).
The objective is to better understand the target’s work situation, co-workers, destinations for business trips, family members, hobbies, and more to discover vulnerabilities and to make the attack (the “hit”) credible and successful.
Thorough preparation is crucial, because usually a CEO fraud-type attack has only one chance of success. The hit must be successful the very first time. And fraud actors have to be prepared for unforeseen situations.
Who are the high-risk target personas?
- Finance managers
- CEO / top executives
Those corporate staff & executives have authority and access to funds. There are others of course, in particular HR Managers, who have access to valuable information about employees (social security numbers, addresses, phones numbers, salary details, emergency contacts, possibly healthcare and tax information, etc.).
A successful single BEC campaign can be very lucrative and yield USD150,000 on average, per various Industry analysts. See recent data from the FBI: https://www.ic3.gov/media/2018/180712.aspx.
A simple email with a “spoofed” email address from a member of the legal team and a subject line with the threat of a lawsuit is very likely to make even a CEO click any link.
Bad actors craft “spoofed” emails to look like a valid email from a familiar organization. A spoofed email will have altered properties, which disguise who the real sender is (e.g., FROM name/address, REPLY-TO name/address, etc).
In IT security in general, and in this type of fraud in particular, the 3 foundational pillars to address cyber threats including CEO fraud are:
- People
- Processes
- Tools & Technology
It is critical for businesses to invest in and roll out IT security awareness training to turn staff into “human firewalls” – all of us, whether we work for small businesses, larger enterprises or governments must be able to spot a phishing email a mile away and be aware of basic IT security concepts & hygiene. We are the first (and critical) line of defense.
Here is a good resource about what phishing and email scams can look like. I encourage you to take a look and to share and like on social media, and spread the word. We can all play a role in building awareness and educating our co-workers, family members and friends.
https://www.lifewire.com/what-phishing-and-email-scams-look-like-4064080
When it comes to processes, backing up data and regularly patching out-of-date software are very important good practices discussed at length here at Secplicity.
Technology-wise, WatchGuard offers a range of capabilities because we protect airspace, identities and networks. An important service is certainly DNSWatch, our anti-phishing service, used in combination with other services in our Total Security Suite. Plenty of useful information and client testimonials are available at watchguard.com