- CEO Fraud is a form of spear phishing where hackers impersonate executives to trigger unauthorized transfers of money or sensitive data
- Hackers motivated by financial gain impersonate CEOs to create a sense of artificial urgency and power
- Having clear policies and procedures surrounding transfers of data or money can help reduce the risks of CEO fraud
As companies bolster their security infrastructure and increase budgets to deflect growing cyber-attacks, hackers are attacking the weakest link: human error. Social engineering cyber-attacks are growing in popularity as tricking employees has become the easiest way to access an organization’s sensitive data and money. A common social engineering tactic used by hackers is to impersonate CEOs to infiltrate systems and pull off costly data breaches.
What is CEO Fraud?
In CEO fraud, also called whale phishing, hackers impersonate CEOs, COOs, or CFOs to invoke a sense of urgency and scam employees who are sensitive to the power and status of an upper-level executive contacting them directly. Most often this attack arrives over email and can be more sophisticated than expected.
A CEO fraud attack that uses spear-phishing methods, for example, will target particular employees who are more likely to receive communication from the CEO. They’ll often use a sense of urgency to get an employee to act quickly without verifying the requests sent. They may use compromised email accounts, mention well-known organizational events, or even emulate the CEO’s patterns of speech to feign authority.
It’s important to understand that CEO fraudsters have a host of tools available to them to help them understand the CEO they are impersonating. By stalking social media sites, like LinkedIn, they may have access to information employees assume only an insider would know. Even a quick review of a CEO’s page can tell a hacker about the CEO’s travel plans, large company events, and the CEO’s general manner of speaking.
Employees should be careful of any interaction where an executive emails them and asks them to handle a financial transaction. Almost every CEO fraud attack is a request to send money to a particular account. The attackers disguise it as paying a supplier invoice, settling a bill for a trip, or any other pretext that would justify an unscheduled, unauthorized wire transfer. Any interaction with an executive asking directly for funds should cause an employee to pause and find a way to authenticate the request.
Additionally, CEO fraud attacks can target a company’s sensitive data. CEO fraud can be the entry point for ransomware attacks that hold important data or systems hostage until an extravagant fee is paid. This still serves the hacker’s core motivation, gaining money, and it may be easier to trick employees into opening and installing ransomware than to obtain a transfer outright.
Be mindful of all documents and links attached to emails, especially if the request is out of the blue. No one wants to upset upper management, but it never hurts to ask for authentication before opening strange files. Preventing fraud takes consistent effort from individuals at every level of the company.
How CEO Fraud Works
CEO fraud usually starts with business email compromise. By compromising a company’s email, a hacker can send emails that appear to be internal and gain credibility for their requests.
A direct hack of the CEO’s email is the most difficult email attack to recognize. If the hacker has access to the CEO’s email, the recipient of the fraudulent request will need to use clues inside the email to identify the CEO fraud attempt. It’s important to understand that hackers may be able to compromise the integrity of company emails, and a request should not be automatically trusted even if it’s from a recognized email address.
A more common tactic is email spoofing: sending a message with a forged sender address. If you’re suspicious about an email, check that the sender's display name matches the address and that the contact information matches what you can find online or in a company directory.
The easiest way for a hacker to impersonate an executive is to create an email address that looks almost like the CEO’s email address, with just a few characters out of place. firstname.lastname@example.org may be impersonated using email addresses like email@example.com, firstname.lastname@example.org, or email@example.com. As a rule, always double-check the email address of any individual asking for money or sending unexpected documents.
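As an added illustration of the sender checks described above (example code, not part of the original article), the following Python classifies a From: header against a constructed executive directory and company domain. The directory entries, the look-alike substitutions, and the edit-distance threshold are assumptions; a directory match still does not prove the message is genuine, since the real account may be compromised.

```python
from email.utils import parseaddr

# Constructed example data: the company's real domain and executive addresses.
COMPANY_DOMAIN = "example.com"
DIRECTORY = {
    "Dave Roberts": "dave.roberts@example.com",  # hypothetical CRO
    "Ana Lopez": "ana.lopez@example.com",        # hypothetical CFO
}


def normalize(s: str) -> str:
    """Fold common look-alike substitutions (rn/m, 0/o, 1/l, vv/w) so near-twins compare equal."""
    return (s.lower().replace("rn", "m").replace("0", "o")
            .replace("1", "l").replace("vv", "w"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means the strings are almost identical."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> str:
    """Classify a From: header. Even 'directory-match' warrants out-of-band
    verification for money or data requests, because the real mailbox may be hacked."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    canonical = DIRECTORY.get(name.strip())
    if canonical:
        # Display name is a known executive: the address must be exactly theirs.
        return "directory-match" if addr == canonical else "display-name-mismatch"
    for known in DIRECTORY.values():
        # No executive display name, but the address is a near-twin of a real one.
        if normalize(addr) == normalize(known) or edit_distance(addr, known) <= 2:
            return "lookalike-address"
    if domain != COMPANY_DOMAIN and (
        normalize(domain) == normalize(COMPANY_DOMAIN)
        or edit_distance(domain, COMPANY_DOMAIN) <= 2
    ):
        return "lookalike-domain"
    return "external"
```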
CEO Fraud Email Examples
Here are a few examples of what CEO fraud could look like at varying levels of difficulty.
Scenario One – Finance Email Impersonation
A strange email labeled “URGENT: Supplier Account Change” is sent to an accountant from the company’s Chief Revenue Officer Dave. The email has instructions for a normal supplier wire transfer to be changed to a new account. The email claims to be time-sensitive, and “Dave” is known to be a rather short-tempered boss.
An anxious accountant dealing with their boss’s boss may wire the money instantly, without realizing the email comes from firstname.lastname@example.org instead of email@example.com. While this kind of mistake may seem obvious, it still happens. Especially in companies where questions aren’t tolerated and tempers are short, even obvious scams can capitalize on the status of high-level executives.
Scenario Two – HR Spoofing
An email that appears to be from the company’s president is sent to a new HR representative asking for all of the company’s W-2 forms. The “president” explains that there is an urgent legal issue and the forms are needed ASAP. The new HR representative has no idea what the company policy is about sending W-2s internally, nor have they ever interacted with the company’s president.
It’s possible that the HR rep will spot a mismatch between the sender's name and the email address. However, a cautious representative will always check with another HR rep about internal policies and ask whether this is a normal request. If still in doubt, they may also send a fresh email to the president using the address in the internal directory (not a direct reply) to confirm the request before sending the information.
If they don’t double-check, highly sensitive information about the entire company will end up in the hands of hackers. Hackers will often target new employees like this because they aren’t as up-to-date on company norms. Social media sites, like LinkedIn, clue spear-phishing fraudsters into which employees are brand new. Sensitive information like this can be targeted for ransom, sold, or used for other nefarious purposes.
Scenario Three – IT Executive Impersonation
A diligent hacker has obtained access to the CEO’s email account. After careful monitoring of LinkedIn and other active social media sites, they have identified the CEO’s tone of writing and know he is at a large industry conference and will be out of the office.
The hacker decides to attack the IT manager directly, since the IT manager holds passwords, access controls, and email accounts for the rest of the organization. If the hacker can compromise that account, they can infiltrate the rest of the organization easily.
The IT manager receives an email from the CEO asking him to open a document about a new security solution being discussed at the industry conference the CEO is attending. There’s a chance the IT manager will notice something off about the tone of writing, or will know of conversations where the CEO has shot down similar ideas. There’s even a chance the IT manager’s anti-malware will alert him to the contents of the document.
But even a seasoned manager would have a hard time identifying this carefully laid trap. Without proper precautions, one email could be all it takes for a hacker to gain access to the IT manager’s computer, and subsequently the rest of the organization’s security systems.
How to Prevent CEO Fraud
In all of the above examples, a rigorous set of company policies regarding email communication could have saved the company's finances or data. Here are a few policies and procedures to consider integrating into your security system to thwart social engineering hackers:
- Require multiple layers of authorization for the transfer of sensitive data or transfer of money
- Require verbal approval for unusual transfers, including verbal passphrases that are shared outside of email. Even if a CEO’s email is hacked, this passphrase still distinguishes authorized requests
- Use security technology and fraud prevention platforms, like anti-impersonation software, DNS-based email authentication, and anti-malware programs, to filter out most attacks
- Clearly communicate all policies and procedures to new employees
- Conduct security awareness training for all employees
The threat of CEO fraud can be mitigated with careful policies and procedures. It is important to bring awareness to this kind of scam within your organization, especially if you handle large amounts of sensitive data. As with all security measures, taking proactive action against this threat is what can secure your organization from CEO fraud.