CEO fraud is a type of phishing email attack in which an attacker impersonates a company's CEO or another high-ranking employee to trick a member of staff into transferring money, for supposedly valid business reasons.
As stated in the 2017 Annual Fraud Indicator, CEO fraud is an increasingly prominent type of procurement fraud, and procurement fraud costs UK businesses over £100bn every year. This may sound like an unlikely scenario (surely you could tell your boss from a stranger, and would question a demand for a large sum of money), but CEO fraud attackers spend time collecting and researching public information to learn what kind of purchases the company makes and at what amounts, which makes their messages far more believable.
Carole Gratzmuller – boss of a medium-sized French company – fell victim to this type of impersonation whilst away from her office.
“My accountant was called on Friday morning. Someone said: ‘You’re going to get an email from the president, and she’s going to give you instructions to conduct a very confidential transaction and you’re going to have to respond to whatever instructions she gives you’.”
The accountant also received emails from an address bearing Carole's name, giving further instructions on where to transfer the money. Within an hour the accountant had received 10 emails and 4 phone calls, all of them very convincing, and she had authorised transfers totalling €500,000. Phishing attacks like these can cost the employees involved their jobs and lead to lawsuits, and the money lost is recovered only 4% of the time.
Identifying CEO Fraud
Dr Markus Jakobsson – chief scientist at the cyber security firm Agari – outlined three key signs to look out for when checking your mailbox.
- Consider the sender
Check whether the email is from somebody in power, what exactly it’s asking for, and whether it’s addressed to just you or the whole company – scammers like to single people out. If the email asks for a wire transfer or employee data, consider whether this seems like a usual request for your CEO.
- Look at the email address
About 94% of CEO scams involve a deceptive display name. If you check the actual email address rather than just the name shown in front of it, a scam becomes much easier to spot. The address might use your CEO's name but sit on a different domain (for example, a legitimate firstname.lastname@example.org sender appearing as firstname.lastname@example.com), or it might alter the name or the domain by a character or two so that it looks right at a glance.
- Always Ask
Never feel embarrassed about double-checking an email that involves finances or sensitive data. Contact the CEO who apparently sent it if you can, via their usual email address or phone number, or by finding them in person in the office. If contacting your CEO isn't possible, check with an administrator or another senior person.
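The following Python script is a worked example added here; it is not code from the original article or from Agari. It implements the "look at the email address" check above: it parses the From header, compares the display name against a list of executives, and reports whether the real address is on the company's own domain, a free-mail domain, a homoglyph or typo-squat look-alike, or the same name under a different top-level domain. The company domain example.org, the executive list, the free-mail list and the sample headers are all constructed for this example.

```python
"""Added example: flag CEO-fraud indicators in an email From header.

The display name is what most mail clients show; the address in angle
brackets is what actually matters. This script surfaces the cases the
article describes: an executive's name on an external address, and
domains that merely resemble the company's real domain.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.org"                 # hypothetical legitimate domain
EXECUTIVES = {"carole gratzmuller"}            # hypothetical protected display names
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "mail.com"}
# Character substitutions attackers use to make a domain look right at a glance.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to the real domain means a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case the domain and fold common homoglyphs back to ASCII letters."""
    folded = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def domain_finding(domain: str):
    """Describe how a non-company domain is suspicious, or None if it is merely external."""
    if domain in FREE_MAIL:
        return f"free-mail domain {domain}"
    folded = normalise(domain)
    if folded == COMPANY_DOMAIN:
        return f"look-alike domain {domain}: homoglyph of {COMPANY_DOMAIN}"
    if folded.split(".", 1)[0] == COMPANY_DOMAIN.split(".", 1)[0]:
        return (f"look-alike domain {domain}: same name as {COMPANY_DOMAIN}, "
                "different top-level domain")
    if levenshtein(folded, COMPANY_DOMAIN) <= 2:
        return f"look-alike domain {domain}: within 2 edits of {COMPANY_DOMAIN}"
    return None


def analyse_from(header_value: str) -> list:
    """Return a list of findings for a raw From header value (empty list = nothing odd)."""
    name, addr = parseaddr(header_value)
    if "@" not in addr:
        return ["could not parse a sender address"]
    name = name.strip().lower()
    domain = addr.rpartition("@")[2].lower()
    if domain == COMPANY_DOMAIN:
        # A forged sender on the genuine domain is for SPF/DKIM/DMARC to catch,
        # not for a display-name check.
        return []
    findings = []
    if name in EXECUTIVES:
        findings.append(f"display name '{name}' is an executive but the address "
                        f"is external ({addr})")
    finding = domain_finding(domain)
    if finding:
        findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed sample headers for the example (not real messages).
    samples = [
        '"Carole Gratzmuller" <carole.gratzmuller@example.org>',   # genuine
        '"Carole Gratzmuller" <carole.gratzmuller@gmail.com>',     # name on free-mail
        '"Carole Gratzmuller" <carole.gratzmuller@example.com>',   # different TLD
        'Accounts <invoices@examp1e.org>',                         # homoglyph
        'Accounts <invoices@exmaple.org>',                         # typo-squat
    ]
    for header in samples:
        print(header)
        for f in analyse_from(header) or ["no findings"]:
            print("   ", f)
```

The script only inspects the From header, so it complements rather than replaces SPF, DKIM and DMARC on the genuine domain; the homoglyph table and the edit-distance threshold of 2 are tuning choices, and a sub-domain trick such as example.org.attacker-domain would need an additional check on the registrable domain.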
There are many defences you can deploy against phishing attacks, such as advanced threat protection, firewalls and email security gateways, but these services can only do so much. The best method of preventing these threats is to establish a Human Firewall: a proactive approach to protecting your finances and data by educating employees about different cyber threats and how to identify them, combined with regular testing to make sure your staff can spot a phishing email from a mile away.