CEO Fraud Email Attack. Explained!

CEO Fraud Email Attack

What is CEO Fraud email attack?

CEO fraud occurs when the scammer spoof company email accounts and send out emails impersonating C level executives to employees in finance/account or HR department, for wire transfer to a bank account that thought to belong to trusted partners or to share sensitive information.

FBI calls this emerging financial cyber threat as “Business e-mail compromise (BEC)”. As per the report from Internet Crime Complaint Center, criminals tried steeling 5.3 billion dollars through CEO Fraud email scams and it is rapidly evolving and targeting business of all sizes.

Scammers use variety of tactics to fool a victim using phishing attacks or use of malware. After gaining access to network, criminals spend weeks and months silently studying the target organization’s client, vendor, business development, finance department, executive e-mail pattern and their schedules.

Cybercriminals wait for the right time, often when the executives are travelling or away from office to send email from official account to the billing/finance department requesting wire transfer. The transfer results in CEO fraud. If not stemmed on time, it can severely impact in huge financial loss as to the chance of recovery in this fraud is bleak.

CEO Fraud Attack Methods:

Cybercriminals use different attack vectors to commit the crime. Understanding these methods can help you protecting your organization against the risk.

  • Social Engineering: Social engineering is an art of gaining access to network/system by taking advantage of human behavior such as tricking users to click on malicious link in email from Facebook friends, LinkedIn. Hackers gather the information namely contacts, deals, connections etc. from social sites and use it for fraudulent activities. Never post confidential information on social networking sites.
  • Phishing: Phishing is the method that uses deceptive emails, websites to gather sensitive information such as account numbers, Social Security numbers, passwords etc. Hackers goal is to trick the recipient to believe that the message is legit and act by downloading the attachment or click on link in email which could download and install malware on your system without your knowledge.
  • Spear Phishing: In Phishing attack, hacker sends out email to large number of users simultaneously, however, in Spear Phishing cybercriminals send email to one person after doing a detailed study about victim’s friends, organization, vendors and connections to make email look personalized to increase the chance of pulling the fraud. Often due to personalized email it’s difficult to identify spear-phishing attacks.

Best practices to avoid the Fraud

Protect your organization from CEO fraud by following series of best practices.

Employee education: Training employees plays a big role in minimizing the risk, even though you have high security controls as breaches are unavoidable. Employee training should include:

  • Basics of cybercrime and email security
  • How to detect and deal with phishing emails
  • Public Wi-Fi dangers
  • Plan regular security trainings so that security tips are on top of mind
  • Schedule phishing campaigns frequently to test employees
  • CEO fraud scam and how to respond to requests for money transfer or confidential information.

Implement Security Policy and Procedures: all organizations should have standard security policy and procedures, it should be regularly reviewed, updated and published to all employees. Policy should include:

  • No USB drives allowed in office
  • Password management policy
  • Compulsory Security trainings for all employees
  • BYOD policy
  • Wire transfer policy to restrict transfer to large amounts without further approval process
  • Confidential information policy
  • Portable media and email encryption Policy
  • Don’t open attachments or click on links if it’s from unknown source
  • Prepare and test Incident response plan

Set Security Controls: Organizations should implement strong network security controls and assess it periodically and fulfill any gaps. Security controls should include:

  • Two-factor/multi-factor authentication to all apps
  • Implement email filtering
  • Keep software’s, Patches, antivirus up to date on all network devices
  • Assign access and permission levels to all employees
  • Block sites which are known to spread malwares
  • Perform vulnerability scanning, penetration testing and risk assessment.
  • Intrusion detection and prevention systems

Lastly, if your company is a victim of CEO Fraud, act quickly. Contact your IT and finance department. Call FBI and file complaint with FBI’s Internet Crime Complaint Center (IC3).

 

References:

https://www.ic3.gov/media/2017/170504.aspx