All businesses, large and small, are vulnerable to CEO email fraud. It doesn't matter what product or service you sell or how many firewalls and security products you install. CEO email fraud, a form of Business E-mail Compromise (BEC) also known as "Fake President" fraud, combines research on the target company with psychological tactics that prey on human emotion. The Federal Bureau of Investigation reports that U.S. businesses lost more than $3 billion to CEO email fraud scams over the past three years.
How CEO Email Fraud Works
In a CEO email scam, fraudsters use LinkedIn and other sources to glean information about a company's CEO or other top executive. They gain insight into how to pose as the CEO or executive in order to send a convincing email to an employee ordering an immediate bank transfer. It works because the email uses specific language that persuades an employee, who is often eager to do a good job and please the boss, to initiate the urgent transaction. Scammers often send the fraudulent email when the boss is traveling out of town, making it seem all the more genuine.
These cyber criminals are well-organized and understand the structure and practices of the businesses they attack. They may also impersonate a trusted business partner such as a lawyer, auditor, payroll representative, or outside accountant. They directly contact a manager or employee in accounts payable using language that Deloitte reports incorporates these persuasive techniques:
- Authoritative Order: It is an order to do this
- Secrecy: This project is still secret and its success depends on this transaction
- Responsibility: I count on you for your efficiency and discretion
- Pressure: The success of the project rests on your shoulders
Criminals also find other ways to gain access to the sensitive information needed to add convincing details to the fraudulent emails. Some victims reported to the FBI that they first received "phishing" e-mails requesting details about the business or individual being targeted, such as names and travel dates. Others were victims of scareware or ransomware attacks prior to the BEC incident.
Global Risk Insights points out, "CEO email fraud is one of the least sophisticated social engineering schemes. It is low cost, low risk, and can generate high rewards." It is important that your company develops internal IT policies and accounting procedures to help detect and prevent these simple yet devastating scams.
Steps to Prevent CEO Email Fraud
Education and Awareness
Educate employees about the means and methods criminals use to commit CEO email fraud. Simply becoming aware of the fraud is highly effective in detecting it. The scam relies heavily on preying on people's judgment and desire to do a good job. Discussing ahead of time the potential for exposure to CEO email fraud builds an employee's confidence in handling the situation. This will help them make the right decisions if it actually does occur.
Two-Step Verification Process
Implement a policy requiring that significant transactions requested by email must also be confirmed through telephone verification. It is important that employees don't use the phone numbers provided in the suspicious email. Rather, they should use established contact information to reach the person who is allegedly requesting the transfer. Contacting the person directly by cell phone is preferable.
IT Prevention Methods
The FBI recommends several methods by which IT can help prevent intrusion by cyber criminals. Incorporating these tips into your company's policies makes good business sense and strengthens communication security.
- Delete Spam: Immediately delete unsolicited email from unknown parties. Do not open spam email, click on links in the email, or open attachments. They often contain malware to gain access to your entire computer system.
- Forward vs. Reply: Do not use the “Reply” option to respond to business emails. Instead, use the “Forward” option and directly type in the correct email address or choose it from your address book.
- Use Two-Factor Authentication: This practice requires two pieces of information (a password plus a code or phrase) to log in to an email account. It limits the damage a compromised password alone can cause.
- Create intrusion detection system rules that flag emails from domains similar to the company's own domain. For example, a rule for the legitimate domain xyz_company.com would flag fraudulent email from the look-alike xyz-company.com.
- Register domains that are slight variations of the actual company domain, so that criminals cannot register them first.
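The look-alike domain rule above, written out as a checker: this is an added example for this post, not code from the article, the FBI or Deloitte. It uses the page's xyz_company.com as the legitimate domain; the From: headers it scans are constructed samples. It goes a step beyond the hyphen swap in the text by also folding look-alike characters (a zero for an "o"), measuring edit distance for dropped or swapped letters, and catching a display name that shows a company address while the real sender is elsewhere.

```python
"""Flag sender domains that impersonate the company domain.

Added example for this post (not from the original article, the FBI or
Deloitte): the company domain is the page's own xyz_company.com and the
From: headers are constructed samples, not real mail.
"""
import re
import unicodedata
from email.utils import parseaddr

LEGIT_DOMAIN = "xyz_company.com"  # domain from the article's example

# Constructed sample From: headers for the demonstration.
SAMPLE_FROM_HEADERS = [
    '"Jane Doe, CEO" <jane.doe@xyz_company.com>',              # genuine
    '"Jane Doe, CEO" <jane.doe@mail.xyz_company.com>',         # genuine subdomain
    '"Jane Doe" <jane.doe@xyz-company.com>',                   # hyphen swap (article's example)
    '"Jane Doe" <ceo@xyz_c0mpany.com>',                        # digit zero in place of the letter o
    '"Jane Doe" <jane.doe@xyz_compny.com>',                    # dropped letter
    '"jane.doe@xyz_company.com" <attacker@freemail.example>',  # real address hidden behind display name
    '"Vendor Billing" <ap@vendor.example>',                    # unrelated outside sender
]

# Character pairs that read alike at a glance. Both sides of every comparison
# are folded the same way, so the mapping only needs to be consistent.
HOMOGLYPH_PAIRS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    """Reduce a domain to a skeleton: lowercase, accents and separators removed, homoglyphs folded."""
    skeleton = unicodedata.normalize("NFKD", domain.lower())
    skeleton = "".join(c for c in skeleton if not unicodedata.combining(c))
    for look_alike, plain in HOMOGLYPH_PAIRS:
        skeleton = skeleton.replace(look_alike, plain)
    return re.sub(r"[-_.]", "", skeleton)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches a dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True when the domain is not ours but is built to be mistaken for it."""
    if domain == legit:
        return False
    company_label = legit.split(".")[0]  # "xyz_company"
    return (
        normalize(domain) == normalize(legit)             # xyz-company.com, xyz_c0mpany.com
        or normalize(company_label) in normalize(domain)  # xyz_company.org, xyz_company-payments.com
        or levenshtein(domain, legit) <= 2                # xyz_compny.com
    )


def classify(from_header: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return 'legitimate', 'lookalike', 'external' or 'malformed' for one From: header."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "malformed"
    domain = address.rpartition("@")[2].lower()
    if domain == legit or domain.endswith("." + legit):
        return "legitimate"
    # A display name that itself reads as an address at our domain is a spoof:
    # the visible name says "us" while the real sender is somewhere else.
    shown = re.search(r"@([A-Za-z0-9_.-]+)", display_name)
    if shown:
        shown_domain = shown.group(1).lower()
        if shown_domain == legit or is_lookalike(shown_domain, legit):
            return "lookalike"
    if is_lookalike(domain, legit):
        return "lookalike"
    return "external"


def scan(headers) -> list:
    """Classify a batch of From: headers; returns (verdict, header) pairs."""
    return [(classify(h), h) for h in headers]


if __name__ == "__main__":
    for verdict, header in scan(SAMPLE_FROM_HEADERS):
        print(f"{verdict:<11} {header}")
```

In practice a rule like this runs in the mail gateway or SIEM, with the list of legitimate domains covering every domain the company actually sends from, and the same skeleton comparison is worth applying to the Reply-To header, since a fraudulent transfer request often steers replies to a different address than the one shown.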
As always, contacting White Mountain IT is one of the most important steps you can take toward protecting your business. Our professionals stay up to date with the latest developments to always know how to provide the best, full-service IT management support.