How to Prevent CEO Fraud?

threatcop
6 min read · Feb 12, 2018


According to the FBI, there has been a significant increase in the number of business email phishing scams, most commonly known as CEO fraud. As per the 2019 edition of the FBI’s Internet Crime Report, there were almost 24,000 complaints in 2019 and each successful attack cost roughly $75,000. This signifies only one thing: even if an organization possesses robust IT infrastructure, attackers can and will always find a way in. They are well aware that employees are the weakest link in any IT system, and this is hard to deny, because almost 90% of all cyber incidents are caused by human error or behavior, according to a report by Cyber Security Intelligence.

What Really is CEO Fraud?

The main objective of the perpetrator in a CEO fraud is, unlike in an ordinary phishing attack, to send a spoofed message that appears to come from a legitimate business e-mail account, using social engineering or system intrusion techniques, and thereby get an official transfer of funds authorized. These emails usually carry a spoofed sender address so that they appear to come from the CEO or another top-level executive of the target organization.

The victims are not only organizations that deal with wire transfers or money management, or that have unsophisticated business processes; they range from small businesses to large enterprises. Irrespective of the field, the targeted companies can be from manufacturing, banking, consultancy, trading, healthcare or any other vertical for that matter.

How do Attackers Perform a CEO Fraud Attack?

Phishing and social engineering are considered to be the most frequent attack vectors in all the past cases. Organizations need to incorporate a more agile security management approach in order to counter the growing risk of data theft. Most of the attackers who spoof company e-mails use social engineering to impersonate a CEO, a company attorney, or a trusted vendor. They mainly carry out reconnaissance on the employee or the department directly involved in any kind of money management to gain insight into its work cycle. Their main agenda is to collect as much data as possible, via social media accounts or any kind of out-of-office responses.

As per a report by CSO Online, phishing attacks account for over 80% of all reported security incidents and nearly $17,700 is lost every minute because of phishing attacks.

Source: mailgaurd.com

How Do These Attacks Affect an Organization?

Major impacts an organization can suffer due to these attacks include:

  • Loss of money in most cases
  • Executives, including the CEO and CFO, are fired immediately
  • Lawsuits are filed against the company
  • Loss of trust, reputation, and business

Some Infamous Instances of CEO Frauds

Let’s have a look into some of the disastrous cases of CEO fraud attacks that have led to the greatest reported losses in recent years.

Mattel

The popular toymaker behind Barbie & Hot Wheels was compromised by a phishing attack that cost the company around $3 million. The attack was initiated by sending a spoofed note, purportedly from the company’s newly appointed CEO, to a finance executive, requesting a new vendor payment to China. After the note was approved by both the executive and the CEO, the money was transferred. But Mattel was fortunate enough to prevent a total loss, as the day following the attack happened to be a bank holiday in China. This helped them freeze the account that held the stolen funds, and the money was recovered.

Crelan — Belgian Bank

A phishing scam cost the bank a staggering $75 million. It is considered one of the largest instances of this kind of fraud. The attack was performed by outsiders and was discovered during an internal audit.

FACC

The Austrian aerospace parts maker FACC was hit by a cyber phishing scam that cost the company a whopping $42 million! The attackers stole the money by impersonating the CEO of the company. As per the supervisory board, the CEO had severely violated his duties and was immediately fired. The spoofed email was sent to an employee requesting to transfer money to an account for a fake acquisition project.

Xoom

Xoom, an international money transfer company acquired by PayPal, reported that it had suffered a loss of $30.8 million in the 4th quarter of 2015, resulting in a 17 percent decrease in its shares in extended trading. The attacker impersonated an employee to send fraudulent requests targeting its finance department.

How to Shield Your Organization Against CEO Fraud?

Here are some of the most effective and proactive measures an organization should implement in order to defend itself against CEO fraud:

1. Employee education

The employees of an organization should be well aware of what spoofed CEO e-mails look like and how to identify them in their inbox. They should also be aware of the common tricks attackers use to provoke victims into transferring funds or clicking on links that lead to the transfer of such large sums.

2. Restrict unauthorized access

The best way to avoid a major loss to a company is to restrict access to certain data and tasks within the business. The company should restrict the ability to initiate wire transfers to only the few employees of a department who require it, reducing the chances of any kind of unauthorized transfer.

3. Institute technical controls

Instituting technical controls can also help limit the damage done by a phishing e-mail. There should be proper authentication measures implemented across the organization. A simple username and password is routinely leaked, so there must be robust technical controls employed across an enterprise. Some of the best practices are:

  • Two-factor authentication
  • Automated password and user ID policy enforcement
  • Patching/updating of all IT and security systems
  • Managing access and permission levels
  • Adopting whitelists or blacklists for suspicious traffic

4. Regulate Policies

With policies and procedures in place, employees will know exactly what to do when they receive an e-mail they are unsure about or believe to be fake. With regulated policies, employees will know exactly whom to report to, and when, if they receive a fraudulent e-mail. There should also be clarity on who is handling fund transfers and what verification steps must be completed before any transfer is given the green signal.

5. Employee pedagogy with simulated phishing

Employee education can be well accompanied by a simulated phishing attack. Deploying such a simulation initially helps establish an employee vulnerability score, which measures what percentage of users are phish-prone and what percentage are manipulated by a spoofed e-mail. So, it is highly recommended that an organization impart knowledge and perform simulated phishing on a regular basis, in order to analyze how users behave towards such fraudulent e-mails after repeated simulation.

In this case, Kratikal’s employee risk assessment tool ThreatCop is specifically designed for this purpose. This SaaS-based tool brings down the overall risk level of an organization by up to 90%, building a security culture in the organization and improving cyber resilience with measurable results.

6. Use certified email servers

Using a strong e-mail service can also be a major step towards preventing fraudulent e-mails. Some of the best e-mail providers, such as Gmail, Zoho and Outlook, have their own defense mechanisms. Their algorithms reduce the chance of a fraudulent e-mail reaching the user’s primary inbox by diverting it to the spam folder. This helps employees judge the legitimacy of an e-mail and results in lower open rates for such spoofed e-mails.
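The spoofed sender addresses described in "What Really is CEO Fraud?" and the inbox-filtering heuristics mentioned above can be illustrated with a small triage script. This is an added example, not code from the original post or from Threatcop; the corporate domain, executive directory, keyword list and sample messages are all constructed for the demonstration, and the checks (executive display-name mismatch, Reply-To redirection, DMARC failure on a claimed corporate sender, payment-pressure wording) are the author-of-this-example's choice, not a description of any provider's filter.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organization's own domain and a directory
# mapping executive display names to their real mailboxes.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Constructed list of wording typical of CEO-fraud payment requests.
PAYMENT_WORDS = ("wire transfer", "vendor payment", "urgent", "confidential", "acquisition")

def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()

def assess_message(raw: str) -> list:
    """Return the reasons (possibly none) why a raw RFC 5322 message looks like executive impersonation."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    # 1. Display name of a known executive, but the mailbox is not the directory one
    #    (catches lookalike domains such as examp1e.com and free-mail accounts).
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' sends from {addr}, expected {expected}")
    # 2. Reply-To silently redirects the conversation to another domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        reasons.append(f"Reply-To points to a different domain: {reply}")
    # 3. The message claims the corporate domain but the receiving MTA recorded a DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    if domain_of(addr) == CORP_DOMAIN and "dmarc=fail" in auth:
        reasons.append("claims corporate domain but DMARC failed")
    # 4. Payment-pressure wording in subject and body (two or more hits to limit noise).
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if len(hits) >= 2:
        reasons.append(f"payment-pressure wording: {', '.join(hits)}")
    return reasons

# Constructed sample: lookalike domain, redirected replies, urgent vendor payment.
SAMPLE_FRAUD = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@freemail-example.net
To: accounts@example.com
Subject: Urgent vendor payment - confidential
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=none
Content-Type: text/plain; charset=utf-8

I am in a meeting. Please process the wire transfer for the new vendor today.
"""
```

Messages with no findings pass through; anything with one or more reasons is a candidate for the out-of-band verification step the policy section calls for.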

Conclusion

Therefore, in all the cases discussed above, educating employees plays an essential role in creating a human firewall around your organization. Only once people are fully aware of the cyber-risk trends growing on a day-to-day basis will they be able to combat such cyberattacks and withstand even the most sophisticated attempts at CEO fraud.


Written by threatcop

Threatcop is a cybersecurity company that provides security solutions to businesses to protect them against email-based attacks and social engineering attacks.
