Cybercriminals are no longer going after computer systems or business networks to steal data. Instead, they are using employees to steal information. Business Email Compromise, also known as CEO Fraud, is an email-based attack in which hackers pose as top corporate executives to trick employees into handing over business data or making a payment.
CEO fraud now accounts for $26 billion in losses, according to FBI figures. There was a 100 percent rise in identified global exposure losses between May 2018 and July 2019. The scam has been reported in all 50 states and in 150 countries. Fraudulent payments have been sent to banks in around 140 countries, according to victim complaints lodged with the IC3 and financial sources.
What is CEO Fraud?
The aim of this attack is to extract money from unsuspecting customers, company employees, or firm executives. Cybercriminals pose as a high-level executive or the CEO of a reputable company and use deception to extract money from unsuspecting victims. There are a variety of ways this can be done. For example, they may send an email that appears to come from a high-level executive with an urgent request to send money. The email looks legitimate enough, and the urgency of the request ensures that the employee does not have time to think. When running a CEO fraud phishing scam, cybercriminals may also focus their efforts on employees who are new to the job, to increase the likelihood of success.
Cybercriminals can just as effectively pose as your company or one of your executives on social media and extract money from unsuspecting customers and followers.
It’s also surprisingly easy for criminals to duplicate social media accounts and take advantage of the trust people have in your company. Organizations are using a variety of social media channels to communicate and conduct business. This brings about new challenges that require detection and monitoring.
Top 10 measures you must take to prevent CEO fraud
- Check the email address.
Not just the name, but the entire email address should be checked. Cybercriminals can easily use the correct name, but spoofing the domain is more difficult. Check the domain to see if it is genuine, but keep in mind that an email from a genuine domain can still be CEO fraud.
- Consider the Sender.
If the domain is correct, consider the sender. Is this the right individual to be making the request? Is it normal for them to authorise payments? The best con artists understand how a business operates and can work out who usually authorises payments and who actually makes them.
- Check the language used.
Look at the wording of the email. Does it sound like the sender? Is it phrased the way they would normally write? Hackers can gain access to all of your correspondence and learn to write in the same tone as senior executives.
- Inform your employees about the risks.
Everyone, regardless of department or role, must understand what CEO fraud looks like. Using real-world examples to point out the red flags can help.
- Check the authenticity of e-mails that include payment requests.
Implement a process for validating payment requests. For example, confirm any financial request received by email in person or over the phone before acting on it.
- Identify the gaps in your internal payment processes and tackle them.
Strong internal payment processes play a vital role in risk management. They are your best line of defence against the various threats that could affect your organization, from internal sources (fraud, misappropriation of assets) to the third parties you work with.
- Invest in strong security solutions for your IT systems.
While it is crucial to have your business's operations fully locked down, both companies and individuals need to have their IT systems secured as well.
- Provide watertight reporting procedures and encourage your staff to apply them correctly.
Employees need to see that their reports lead to positive action: hazards have been removed, protective measures have been updated, and risky workplace habits have been corrected.
- Limit the amount of information available online so that fraudsters know less about your internal workings.
Keep your information safe by limiting how much of it you share, and only provide it when necessary. It may feel normal to give your full name and address when creating an account somewhere, but if that website suffers a security breach, the information could fall into the hands of fraudsters.
- Contact the police as soon as a suspicious action occurs.
Sometimes people are reluctant to call the police about behaviour they feel is suspicious because they believe their call will be a burden or will unnecessarily tie up police resources. In fact, reporting suspicious activity immediately can help police prevent or interrupt crime.
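The first two measures above (check the whole address, not just the name, and consider whether the sender and reply path make sense) can be automated as a triage check on incoming mail. The script below is an added example written for this page, not tooling from the original article; the corporate domain, the executive directory and the two sample messages are all constructed for illustration.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"  # assumption: the organization's real domain
# Constructed directory of executives whose names attackers typically borrow.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_headers(raw):
    """Return a list of red flags found in the From / Reply-To headers."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:  # executive's name, wrong address
        findings.append(f"display name '{name}' used with address {addr}")
    if domain != CORPORATE_DOMAIN and edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {domain}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply} differs from sender domain")
    # A clean result is not proof of legitimacy: a genuine but compromised
    # account passes every check here, so still verify payment requests out of band.
    return findings

# Constructed sample messages (not real traffic).
SUSPICIOUS = (b"From: Jane Doe <jane.doe@examp1e-corp.com>\n"
              b"Reply-To: Jane Doe <jane@webmail.example>\n"
              b"Subject: Urgent wire transfer\n")
LEGIT = b"From: Jane Doe <jane.doe@example-corp.com>\nSubject: Q3 budget\n"

if __name__ == "__main__":
    print(check_headers(SUSPICIOUS))  # three findings; LEGIT yields []
```

Such a check belongs in the mail gateway or a ticketing hook, so that flagged messages are routed to the verification step in the payment process rather than straight to the person who can authorise a transfer.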
In conclusion, if you are in doubt, it is most likely a scam. Nothing prevents you from asking your CEO directly whether they sent you the email. Companies also have a duty to educate employees about the types of threats they face, so that they can stay alert and forward-looking.