We’ve discussed social engineering elsewhere on the blog and we’ve established that it refers to any type of attack relying on the human factor in order to achieve its goals. But one particular type of social engineering requires a bit more attention than the rest, especially since it’s becoming more and more frequent. CEO fraud, a scam in which the attackers pretend to be the CEO of the organization in order to convince employees to do things, is a particularly pernicious tactic.
Here is everything you need to know about how it’s done, how dangerous it is, where it stands from a legal point of view and how to train yourself to recognize it better. Since it’s a social engineering attack, cybersecurity tools have limited effectiveness in protecting people from it. The only way to keep your organization from falling prey to CEO fraud is to keep learning about it and to teach your employees the warning signs as well.
What exactly is CEO fraud?
From a legal point of view, CEO fraud is a form of criminal impersonation. Impersonation per se is not illegal in most countries, as long as it is inconsequential – for art or satire purposes, for example. It becomes criminal impersonation only when the target has something to lose because of it. Either the impersonator is trying to garner some financial or information gains based on the deceit, or they are trying to pin some different crime on the victim.
Obviously, CEO fraud is a type of criminal impersonation, but it is done solely online. Unfortunately, though it’s definitely illegal anywhere in the world, it’s a type of crime that is notoriously difficult to investigate. The crime is clear enough, but finding the guilty parties is next to impossible, since it’s a hit-and-run scenario with multiple layers of concealed identity. That is one of the main reasons hackers are so attracted to it and employ it so often (more on this below).
In 2018, the U.S. Federal Bureau of Investigation (FBI) issued a warning that business email compromise is one of the leading types of attacks. The losses incurred by companies through business email compromise amounted to over 12.5 billion dollars worldwide, according to the Bureau.
While it’s true that CEO fraud is just one type of business email compromise attack, it’s by far the most popular. From a social point of view, it makes perfect sense: most people would rush to help their boss with a request, without stopping to check whether the request is legitimate.
Common Types of CEO Fraud
So, here is how CEO fraud works and the main forms of this scam which you may encounter sooner or later in your email inbox.
From a technical point of view, judged by the email address used, there are two types of attack: spoofed and non-spoofed.
#1. Spoofed emails from executives
This type of CEO fraud is more technically advanced, since it requires forging the sender so that the message appears to come from the CEO’s genuine email address. Unless the organization has very good spam filters and DNS filters, such emails are bound to make their way into the inboxes of employees.
To make sure your organization doesn’t become a victim of CEO fraud, technical defenses are therefore not enough. You also need to educate your team members about the dangers of CEO fraud and teach them how to recognize it. That way, even if some fraudulent email does pass through, your people will be ready to see it for what it really is. Of course, this blog post is the perfect place to start, so we encourage you to pass it along.
#2. Non-spoofed emails claiming to be from executives
In other cases, the hackers are so careless or so inexperienced that they don’t even bother to conceal the deception through spoofing. They simply send the message from an email address that looks close to the legitimate one, except for one letter or two. They’re relying on the fact that people don’t read email addresses carefully and just focus on responding, and you know what? They’re right. That’s precisely why CEO fraud works and why it’s scary.
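The two address tricks above (a spoofed copy of the CEO’s real address, and a lookalike address one or two characters off) can both be caught mechanically before a human ever reads the message. The following is an added example, not code from this blog or from any product it mentions: it parses a raw message with Python’s standard `email` module, reads the `Authentication-Results` header that a receiving mail server writes after its SPF/DKIM/DMARC checks, and compares the `From` address against a list of known executive addresses using edit distance. The executive address, the domain names and the sample messages are constructed for the example.

```python
"""Sender checks for CEO-fraud addresses: exact executive address that fails
domain authentication (spoofed) and near-miss addresses (lookalike)."""
import email
from email.utils import parseaddr

# Assumption: the organisation's genuine executive mailboxes (constructed).
EXECUTIVE_ADDRESSES = {"ceo@example-corp.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(msg) -> dict:
    """Extract spf=/dkim=/dmarc= verdicts from Authentication-Results headers.
    These headers are added by the receiving mail server, so they reflect
    checks the recipient's own infrastructure performed."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";"):
            part = part.strip()
            for method in ("spf", "dkim", "dmarc"):
                if part.startswith(method + "="):
                    value = part[len(method) + 1:].split()
                    results[method] = value[0].lower() if value else ""
    return results


def classify_sender(raw: str) -> tuple:
    """Return (verdict, reason) for the From address of a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()

    if addr in EXECUTIVE_ADDRESSES:
        # Exact match: only trust it if the domain owner's DMARC policy passed.
        auth = auth_results(msg)
        if auth.get("dmarc") == "pass":
            return "genuine", "From matches an executive and DMARC passed"
        if auth.get("dmarc") == "fail" or auth.get("spf") == "fail":
            return "spoofed", "From matches an executive but authentication failed: %s" % auth
        return "unverified", "From matches an executive but no authentication verdict is present"

    # No exact match: look for a lookalike within two edits of a real address.
    local, _, domain = addr.partition("@")
    for real in EXECUTIVE_ADDRESSES:
        rlocal, _, rdomain = real.partition("@")
        distance = levenshtein(local, rlocal) + levenshtein(domain, rdomain)
        if 0 < distance <= 2:
            return "lookalike", "%s is %d edit(s) away from %s" % (addr, distance, real)
    return "external", "no resemblance to a known executive address"


# Constructed sample messages (not real traffic).
GENUINE = """From: "Jane Doe" <ceo@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
Subject: Board deck

Please send me the latest deck when you have a minute.
"""

SPOOFED = """From: "Jane Doe" <ceo@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=attacker.invalid; dkim=none; dmarc=fail header.from=example-corp.com
Subject: Quick favour

Are you at your desk? I need something handled today.
"""

LOOKALIKE = """From: "Jane Doe" <ceo@examp1e-corp.com>
Subject: Quick favour

Are you at your desk? I need something handled today.
"""

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, "->", classify_sender(sample))
```

The lookalike check deliberately scores the local part and the domain separately, so that `ceo@examp1e-corp.com` (digit one for the letter l) and `ceo@example-corp.co` (dropped letter) are both flagged while an unrelated vendor address is not. In a real mail pipeline the `Authentication-Results` header must come from your own gateway; any copy that arrived with the message from outside should be stripped first, since an attacker can write that header too.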
Beyond the choice of a spoofed or lookalike address, hackers have more technical methods at their disposal for making a CEO fraud campaign more aggressive. When they combine the basic concept of this type of attack with spear phishing or whaling, the attack becomes even more dangerous.
If the targets are executives themselves, the hackers do research to seem as plausible as possible, since the stakes are higher. The payoff could include an immediate siphoning of funds, because executives are authorized to make large money transfers.
Judged by their content, there are several more types of CEO fraud emails.
#3. Asking for a private matter to be handled in secrecy
In the email, the CEO confides in you that the company has a problem – usually of a legal nature – but you shouldn’t discuss it with anyone else. They ask you to assist them with handling the issue discreetly.
As a next step, they are urging you to get in contact with someone from outside the organization, often a so-called lawyer. If you do, the next step is extortion. By the time the employee realizes that something is wrong and brings it up with work colleagues, the damage is done.
Sometimes the hackers use the company names and attorney names of real law firms that are in no way associated with them. This is done to lend some credibility to their claims, in case the employee does a quick search to check who the people mentioned in the email are. Once they see it’s a reputable law firm, there’s a greater chance that the employee will comply with all requests.
#4. Asking for an immediate money transfer
Other times, the hacker impersonating the CEO gets straight to the point and asks for a money transfer. What is out of the ordinary is the urgency of it, even if the amount seems to be more or less business as usual.
Don’t forget that in many cases, hackers do their homework well and look into the person who usually handles this type of transaction. Once that person receives the fake request, it won’t seem an unusual task. Furthermore, they are authorized on financial accounts, so it would be no problem for them to grant the hacker’s wish immediately.
#5. Asking for the credentials to a connected account
In other cases, in order to seem less suspicious, the fake executive asks only for access to an account. It can be something not that important or not tied to financials, maybe something like a cloud service for storing stock photos and so on.
In any case, once a hacker gains this kind of foothold into a network, they can then use it to reach more sensitive data in order to move towards stealing funds or causing significant harm. That’s why even the most inconsequential request can carry enough risk to make you question it.
Why CEO Fraud is Easy and Cheap for Hackers
As the threatscape became more and more sophisticated, so did the security solutions employed by organizations to defend themselves. In a short time, even small organizations were defended by multi-layered security solutions, beyond the legacy anti-virus from the old days.
Under these circumstances, it can be hard for beginner or unaffiliated hackers to access the tools and infrastructure required in order to break through. Hacking tools are often expensive, and the technical sophistication required for a successful hack is considerable. Great security sets the bar higher and higher for hacking efforts.
Of course, that doesn’t mean that hacking is becoming more and more difficult to achieve and organizations are safer on the whole as time passes. Unfortunately, the contrary is true: cybercrime is becoming a more pervasive threat especially to business organizations. It’s also more and more rewarding for hackers: in 2019, ransomware will cost businesses an estimated 11.5 billion dollars, not even accounting for the other types of cyberthreats out there.
But cybercrime is also becoming expensive to carry out due to all this tech sophistication, which leaves beginner hackers or small groups of hackers needing to find other ways. The perfect way to steal data or money without employing complicated technical methods is through social engineering. Thus, CEO fraud can be a quick way to make money by appealing to the social nature of people.
Even if all they manage to obtain is access to an inconsequential account (one which isn’t connected to sensitive or financial info), it doesn’t matter. The stolen credentials can then be used for credential stuffing attacks, which are also cheap to orchestrate, compared to the more advanced hacking.
With such a low entry bar for attempts, CEO fraud is poised to become one of the most frequent types of cyberattacks on organizations. Just as the FBI warned.
Warning Signs for CEO Fraud
There’s no foolproof recipe, which is why erring on the side of caution is best. If your organization has undergone a bit of training on the dangers of CEO fraud, then employees should feel free to be suspicious without worrying about the consequences.
Since everyone needs to be on their guard, if that email is truly from the CEO, he or she won’t mind if the employee asks some follow-up questions, just to make sure. Vigilance and, of course, a reliable DNS filtering system and fraud-guard cybersecurity measures are in order.
Still, here are a few common signs that something is amiss. Don’t rely solely on these signs to identify CEO fraud, but definitely keep an eye out for these tell-tale clues.
a) The email comes in towards the end of the working day
To maximize their chances of success, hackers tend to send out these CEO fraud messages towards the end of the working day, or just before major holidays and so on. Why? Because there’s a greater chance that the person targeted is alone at the office, hurrying to take care of all urgent business before signing out.
Since there are fewer people around than usual and people are in a ‘wrapping it up’ mental mode, there is a decreased chance for the victim to seek a second opinion. Most probably, they will just feel compelled to comply with the request and get it over with.
b) The email tries to instill a sense of urgency
Another characteristic that is always present in CEO fraud emails is the sense of urgency. The hackers want the target to comply as fast as possible with the request, before they have a chance to think it through. The truth is that sometimes the requests are so obviously fishy that, judging from afar, it’s difficult to understand how someone could fall for them.
But that’s exactly the thing with social engineering hacks: they rely on the power of human emotion to cloud judgement, especially if the danger is not one that we are prepared for. People just want to get a task done for their CEO and this need to comply is stronger than the need to take a step back and think the situation through. That’s exactly why social engineering and CEO fraud are successful.
c) The email asks for something out of the ordinary
Still, some CEO fraud emails can be so carefully planned that they don’t strike anyone as an odd request. If the hackers targeting your organization are truly professional, they will know exactly who to talk to and how to formulate their demand. So don’t follow the signs above to the letter; be on your guard regardless. Extra vigilance never hurts in today’s digital environment, and a lack of vigilance can be very costly.
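The three warning signs just listed (end-of-day delivery, urgency language and an out-of-the-ordinary request such as a secret legal matter, a transfer or account credentials, as described in the types of CEO fraud above) can be turned into a simple triage score that a mail gateway or a help-desk tool applies before a human decides. The following is an added example written for this post, not code from the blog or from any product it names. The office timezone, the working-day end hour, the keyword lists, the weights and the two sample messages are all constructed assumptions; a real deployment would tune them to its own traffic.

```python
"""Heuristic triage of a suspected CEO-fraud email based on timing and wording."""
import email
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumptions: recipients work in a UTC+1 office that closes at 18:00
# (fixed offset, no daylight-saving handling, for the sake of the example).
OFFICE_TZ = timezone(timedelta(hours=1))
WORKDAY_END_HOUR = 18

# Constructed phrase lists, one per warning sign from the post.
URGENCY = [r"\burgent(ly)?\b", r"\bimmediately\b", r"\bright away\b", r"\basap\b",
           r"\bbefore (the )?end of (the )?day\b", r"\btoday\b"]
SECRECY = [r"\bconfidential\b", r"\bkeep this between us\b",
           r"\bdon'?t (tell|discuss|mention)\b", r"\bdiscreet(ly)?\b"]
REQUESTS = [r"\bwire\b", r"\btransfer\b", r"\bpayment\b", r"\bpassword\b",
            r"\bcredentials?\b", r"\blogin\b", r"\baccess to\b"]


def _hits(text: str, patterns: list) -> list:
    """Return the patterns that match anywhere in the text (case-insensitive)."""
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a message, decoding their charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Score a raw message: +1 for end-of-day timing, +2 for each of the three
    content signals. Returns the score, the reasons and a triage verdict."""
    msg = email.message_from_string(raw)
    score, reasons = 0, []

    # Sign (a): sent in the last hour of the working day or after it.
    try:
        sent = parsedate_to_datetime(msg["Date"]).astimezone(OFFICE_TZ)
    except (TypeError, ValueError):
        sent = None
    if sent is not None and sent.hour >= WORKDAY_END_HOUR - 1:
        score += 1
        reasons.append("sent at %s local, end of working day" % sent.strftime("%H:%M"))

    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    # Sign (b): urgency language. Sign (c): secrecy or a money/credential request.
    for label, patterns in (("urgency", URGENCY), ("secrecy", SECRECY), ("request", REQUESTS)):
        hits = _hits(text, patterns)
        if hits:
            score += 2
            reasons.append("%s phrases: %s" % (label, ", ".join(hits)))

    if score >= 4:
        verdict = "escalate: confirm with the executive by phone or in person"
    elif score > 0:
        verdict = "review before acting"
    else:
        verdict = "no CEO-fraud signals"
    return {"score": score, "reasons": reasons, "verdict": verdict}


# Constructed sample messages (not real traffic).
FRAUD = """From: "Jane Doe" <ceo@examp1e-corp.com>
Date: Fri, 13 Dec 2019 16:45:00 +0000
Subject: Urgent - strictly confidential

I am in a meeting and cannot talk. I need you to process a wire transfer
of 48,500 EUR today, before end of day. Keep this between us until I explain.
"""

BENIGN = """From: "Jane Doe" <ceo@example-corp.com>
Date: Mon, 9 Dec 2019 09:00:00 +0000
Subject: Slides for Thursday

Attached are the slides for Thursday's board meeting. Let me know if anything needs changing.
"""

if __name__ == "__main__":
    for name, sample in (("fraud", FRAUD), ("benign", BENIGN)):
        print(name, score_message(sample))
```

Keyword heuristics like these are easy to evade, which is exactly the post’s point about professionally crafted requests; their value is in forcing a pause and an out-of-band confirmation, not in deciding the matter. The score also never looks at who the sender is, so it complements rather than replaces address and DMARC checks.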
French businesses in particular have taken hits amounting to tens of millions of dollars. As the FBI warning quoted above shows, US businesses are also frequently targeted by CEO fraud.
No one is safe, no matter how confident you are in your organization’s cyber defenses. Take a few hours to train your employees on the dangers of CEO fraud; it may be one of your best business decisions of the year!