CEO fraud is a type of financial theft attack in which criminals impersonate a CEO or other C-level executive to obtain sensitive data or money. The perpetrators often trick a finance or human resources employee into executing unauthorised money transfers or sending confidential tax and payroll information. By posing as the CEO or other senior figures, the attacker guarantees that the malicious email gets employees' attention. Many employees are reluctant to question a request from their CEO, so they usually provide the information.
The U.S. Federal Bureau of Investigation (FBI) categorises CEO fraud as a business email compromise (BEC) scam. BEC uses various techniques, including social engineering, compromising legitimate business email accounts, malicious software to access inboxes, and other computer intrusion tactics.
A growing threat
The number and impact of BEC scams continue to increase. The FBI reported a 65% increase in global losses from BEC between July 2019 and December 2021. According to the same report, data collected from the FBI Internet Crime Complaint Center, law enforcement, and financial institutions revealed that the scams cost victims more than USD 43 billion in 2021 and involved fraudulent transfers to banks in over 140 countries.
Breach reporting is not always mandatory, meaning the actual numbers could be much higher. Many victims are also embarrassed to report these cybercrimes as they may feel foolish and want to avoid reputational damage. The criminals rely on this shame to mask the staggering losses resulting from BEC.
Identifying and compromising CEOs
The perpetrators use platforms like LinkedIn and company websites to identify CEOs and senior executives and obtain their contact details. They then use email or messaging platforms such as WhatsApp to contact the targets and attempt to hijack their accounts. With a stolen email or messaging account, the attacker has access to the executive's contacts and can use the same scam with CEOs and senior executives at other companies.
Spoofing sender details
There are two common tactics for manipulating sender information in CEO fraud emails:
- In name spoofing, the attacker uses the name of the CEO but a different email address. Sometimes the fake address uses a domain that looks very similar to the company's real domain. The attacker hopes the recipient will focus on the sender's name and not notice the incorrect address. Many email clients, especially mobile ones, do not display the sender address by default.
- In name and email spoofing, the attacker uses the CEO's name and the correct sender address. However, the Reply-To address is typically different from the sender address, so the recipient's response goes directly to the attacker rather than to the executive.
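Both tactics above leave traces in the message headers that a mail gateway or a helpdesk triage script can check automatically. The following is an added example, not code from the original article: it parses raw headers with the standard library, flags a known executive's display name on an address that is not theirs (including look-alike domains one or two characters away from the real one), and flags a Reply-To domain that differs from the From domain. The executive directory, company domain and sample messages are constructed for the demonstration; a real deployment would also consult SPF, DKIM and DMARC results, which this example leaves out.

```python
"""Flag CEO-fraud sender manipulation (name spoofing and Reply-To mismatch) in raw email headers.

Added illustrative example, not code from the original article. COMPANY_DOMAIN,
EXECUTIVES and the sample messages are constructed for the demo.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed directory: display names a scammer is likely to borrow,
# mapped to the only address each person legitimately sends from.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}


def _normalise_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' and 'jane doe' compare equal."""
    return " ".join(name.lower().split())


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_headers(raw: bytes) -> list[str]:
    """Return a list of findings for one message; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _reply_name, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = _domain(from_addr)
    findings = []

    expected = EXECUTIVES.get(_normalise_name(from_name))
    if expected and from_addr.lower() != expected:
        # Name spoofing: a known executive's name on an address that is not theirs.
        finding = f"name spoofing: '{from_name}' sent from {from_addr}, expected {expected}"
        if from_domain != COMPANY_DOMAIN and _edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
            finding += f" (look-alike domain {from_domain})"
        findings.append(finding)

    if reply_addr and _domain(reply_addr) != from_domain:
        # Reply-To mismatch: replies go somewhere other than the visible sender.
        findings.append(f"reply-to mismatch: From domain {from_domain}, Reply-To {reply_addr}")

    return findings


# Constructed sample messages (headers only matter for this check).
LEGIT = (b"From: Jane Doe <jane.doe@example-corp.com>\r\n"
         b"To: ap@example-corp.com\r\nSubject: Q3 figures\r\n\r\nSee attached.\r\n")
NAME_SPOOF = (b"From: Jane Doe <jane.doe@examp1e-corp.com>\r\n"
              b"To: ap@example-corp.com\r\nSubject: Urgent wire\r\n\r\nPlease call me.\r\n")
REPLY_TO_MISMATCH = (b"From: Jane Doe <jane.doe@example-corp.com>\r\n"
                     b"Reply-To: jane.doe@mail-example.net\r\n"
                     b"To: ap@example-corp.com\r\nSubject: Vendor change\r\n\r\nNew bank details.\r\n")

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("name spoof", NAME_SPOOF),
                          ("reply-to mismatch", REPLY_TO_MISMATCH)):
        print(label, "->", analyse_headers(sample) or "no findings")
```

The display-name lookup is the part that catches name spoofing: the check is not "is this domain bad" but "is this name allowed to come from this address", which is why a short list of executives and their real addresses is enough. The Reply-To check needs no directory at all and is worth running on every inbound message that mentions payments.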
Mitigating CEO fraud
There are several best practices to address cybersecurity gaps that could exist in an organisation. All employees, especially senior executives, should be reminded about the risks associated with oversharing information on social media.
Employees who handle finances or sensitive data should have extra mechanisms in place to secure the data, including two-factor authentication to verify requests for money transfers. Employees should be required to change passwords regularly, and the IT department should implement strong password policies to ensure good password hygiene.
Threats like CEO fraud and BEC are so sophisticated that security solutions need to have advanced capabilities. Companies must ensure that every employee maintains good endpoint defences on corporate and personal mobile devices used to access corporate resources.
Decision makers must understand the risks of CEO fraud and BEC and prioritise strategies to mitigate mistakes and oversights that can expose organisations to these scams. Unfortunately, most organisations do not sufficiently test their users' security awareness. Others lack strong internal control processes to identify and mitigate CEO fraud and BEC attacks. Addressing these gaps strengthens the organisation's defences.