What Makes Your CEO An Easy Target For Cybercriminals?
The CEO is a key target for cybercriminals today. Just by opening the wrong email they can put the entire organization at risk and lose millions. Do you know how CEO Fraud is executed, and how you can lower your risks?
For a few years now, CEO Fraud has been one of the most lucrative efforts a cybercriminal could undertake. In 2017, a Canadian University was defrauded to the tune of $11.8 M alone.
Can you afford that kind of damage? Probably not.
That’s why you need to understand what it is, how it works, and how to protect against it. In this blog, we’ll answer the following questions:
- What Is CEO Fraud?
- How Is CEO Fraud Carried Out?
- Spear Phishing
- Executive Whaling
- Social Engineering
- Are CEOs The Only Targets For Fraud?
- Finance Department
- Human Resources
- C-Level Executives
- IT Management
- What Can You Do About CEO Fraud?
What Is CEO Fraud?
CEO Fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool employees into executing unauthorized wire transfers or sending them confidential tax information. It takes aim at personally identifiable information, rather than merely tricking accounting staff into scheduling fraudulent wire transfers.
CEO Fraud is a form of Business Email Compromise (BEC) where a cybercriminal impersonates a high-level executive (often the CEO). Once they convince the recipient of the email (employee, customer or vendor) that they are legitimate, they then attempt to get them to transfer funds or confidential information. BEC attacks are also called whaling or man-in-the-email. They are a way of tricking employees into turning large amounts of money over to cyber attackers.
How Is CEO Fraud Carried Out?
- Phishing: Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources; often with legitimate-looking logos attached.
- Spear Phishing: This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.
- Executive Whaling:The bad guys target top executives and administrators, typically to siphon off money from accounts or steal confidential data.
- Social Engineering: LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.
Are CEOs The Only Targets For Fraud?
Despite the name, it isn’t just the CEO that should be worried about this kind of scam. There are four other groups of employees who are considered valuable targets given their roles and access to funds and confidential information.
- Finance Department: The finance department is especially vulnerable in companies that regularly engage in large wire transfers.
- Human Resources: HR represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organization, manages the employee database and is in charge of recruitment.
- C-Level Executives: Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority.
- IT Management: The IT manager and IT personnel with authority over access controls, password management, and email accounts are also high-value targets.
What Can You Do About CEO Fraud?
1. Identify Your High-Risk Users
These include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas.
- Review social/public profiles for job duties/descriptions, hierarchal information, out of office detail, or any other sensitive corporate data.
- Identify any publicly available email addresses and lists of connections.
2. Implement Security Solutions
- Email filtering
- Two-factor authentication
- Automated password and user ID policy enforcement
- Comprehensive access and password management
- Whitelist or blacklist external traffic
- Patch/update all IT and security systems
- Manage access and permission levels for all employees.
- Review existing technical controls and take action to plug any gaps.
3. Set A Security Policy
Every organization should set a security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should include such things as:
- Not opening attachments or clicking on links from an unknown source.
- Not using USB drives on office computers.
- A Password Management Policy (no reusing passwords, no Post-it Notes on screens as password reminders, etc.).
- Required security training for all employees.
- A review of policies on Wi-Fi access. Include contractors and partners as part of this if they need wireless access when onsite.
4. Develop Standard Procedures
IT should have measures in place to:
- Block sites that are known to spread ransomware.
- Keep software patches and virus signature files up-to-date.
- Carry out vulnerability scanning and self-assessment using best practice frameworks such as US-CERT or SANS Institute guidelines.
- Conduct regular penetration tests on Wi-Fi and other networks to see just how easy it is to gain entry.
- Utilize Domain Spoof Protection
- Create intrusion detection system rules that flag emails with extensions that are similar to company emails.
5. Cyber-Risk Planning
- Develop a comprehensive cyber-incident response plan and test it regularly. Augment the plan based on results.
- Executive leadership must be well informed about the current level of risk and its potential business impact.
- Management must know the volume of cyber incidents detected each week and of what type.
- Understand what information you need to protect. Identify the corporate “crown jewels,” how to protect them and who has access.
- A policy should be established as to thresholds and types of incidents that require reporting to management.
- Cyber-risk MUST be added to existing risk management and governance processes.
- Best practices and industry standards should be gathered up and used to review the existing cybersecurity program.
- Consider obtaining comprehensive cybersecurity insurance that covers various types of data breaches.
6. Training For All Users
No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimizing the danger, so start here:
- Train users on the basics of cyber and email security.
- Train users on how to identify and deal with phishing attacks with New-School Security Awareness Training.
- Implement a reporting system for suspected phishing emails.
- Continue security training regularly to keep it top of mind.
- Frequently phish your users to keep awareness in mind.
7. Continuous Simulated Phishing
- Run an initial phishing simulation campaign to establish a baseline percentage of which users are Phish-prone.
- Continue simulated phishing attacks at least once a month (twice is better).
- Once users understand that they will be tested on a regular basis and that there are repercussions for repeated failures, behavior changes; they develop a less trusting attitude and get much better at spotting a scam email.
- Randomize email content and the times they are sent to different employees. When they all get the same thing, one employee spots it and leans out of the cubicle to warn the others.
8. Stay Aware of Red Flags
Security Awareness Training should include teaching people to look for red flags. Here are the most common things to watch out for:
- Awkward wording and misspellings
- Slight alterations of company names such as Centriffy instead of Centrify or Tilllage instead of Tillage
- Spoofed email addresses and URLs that are very close to actual corporate addresses, but are only slightly different
- Sudden urgency or time-sensitive issues
- Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information,” which are often used according to the FBI.
Like this article? Check out the following blogs to learn more: