CEO Fraud

CEO fraud email scams are on the rise.

CEO fraud email scams are on the rise.

CEO fraud, a new kind of corporate email security threat, has risen sharply in recent months. Also known as whale phishing, CEO fraud email scams impersonate individuals with access to financial information or other sensitive data into making wire transfers or divulging bank account numbers, credit card information, passwords and other highly valuable data via email. These CEO fraud scams often target or impersonate CEOs or CFOs, or other C-level executives.

The FBI reports that CEO fraud and whaling attack instances increased by 270% between January and August 2015, and that losses due to these scams exceeded $1.2 billion in just over two years1. As organizations seek ways to prevent CEO fraud, many companies are turning to email security solutions from Mimecast.

1 “FBI Warns of Dramatic Increase in Business E-Mail Scams” - Federal Bureau of Investigation, April 2016

Stop CEO fraud with Mimecast.

Mimecast provides security, archiving and continuity cloud services that protect business email and deliver comprehensive email risk management in a single subscription service.

Mimecast Targeted Threat Protection with Impersonation Protect offers highly effective defenses to combat CEO fraud, improve whaling security. Impersonation Protect scans inbound email for key indicators that suggest the message may be part of a CEO fraud attempt. These include:

  • The display name, or friendly name, which may reveal that an attacker is trying to spoof and internal email address.
  • The sender’s domain name. Attackers will often use a domain name that is very similar to the recipient’s domain name, with small differences that may not be noticed immediately.
  • The registration date of the sending domain name. Newly registered domains are often used in CEO fraud and may indicate that the message is suspicious.
  • Certain words such as “bank transfer” or “wire transfer” in the body of the message that may indicate the message is part of an attack.

Features of Mimecast’s solution for CEO fraud.

Mimecast’s Impersonation Protect helps to prevent CEO fraud by delivering:

  • Real-time protection against social engineering attacks that do not use typical tactics such as malware, malicious URLs and weaponized attachments.
  • Complete control over how suspicious messages are handled. Messages may be bounced, quarantined or tagged as suspicious to alert users to the possibility of a fraud attempt.
  • Comprehensive protection from Mimecast’s threat intelligence infrastructure and Messaging Security teams.

Learn more about preventing CEO fraud with Mimecast and about Mimecast’s malware protectionspam detection tool and solution to transfer large files securely.

CEO Fraud

FAQs: CEO Fraud

What is CEO fraud?

CEO fraud is a type of cybercrime where attackers impersonate a company’s executives in order to trick an employee into sending unauthorized wire transfers or divulging sensitive information. The FBI reports that between 2016 and 2019, CEO fraud (also known as Business Email Compromise, or BEC) resulted in $26 billion in losses for companies worldwide.[i]

How does CEO fraud work?

CEO fraud is a highly targeted form of spear-phishing in which attackers research potential victims and their companies online, learning everything they can from the organization’s website, as well as information from social media sites such as LinkedIn, Facebook and Twitter. Targets are typically mid-level staff members in the financial, accounts payable or human resources department. Attackers craft a highly realistic-looking email that appears to come from the company’s CEO or another high-level executive and uses information learned about the target to make the email seem authentic. The email urges the recipient to take immediate action to transfer money to a specific account, provide sensitive information such as payroll or tax information, or share credentials that can provide attackers with access to corporate systems. Because these CEO fraud attacks emphasize urgency, secrecy and/or confidentiality, employees are often inclined to take action without double or triple checking to make sure the request is legitimate.

How to recognize a CEO fraud attack?

CEO fraud is much harder to recognize than common phishing emails that are sent to hundreds or thousands of recipients. The request may even come from a legitimate email address that has been hacked by attackers. However, there are several hallmarks of CEO fraud that all employees should look out for.

  • Requests to transfer money or share sensitive information. Every request of this kind should be viewed skeptically by employees, who should be instructed to take steps to verify the authenticity of requests before complying.
  • An urgent or threatening tone. CEO fraud attacks are designed to encourage employees to act quickly and without questioning their actions.
  • Requests made by executives who say they are unavailable for a period of time. Attackers will often suggest that the email’s sender is unavailable for communications that could corroborate the request.
  • Language that requests secrecy or confidentiality. This is designed to prevent employees from checking with other colleagues or their immediate superiors about the legitimacy of the request.
  • Unusual account numbers. CEO fraud emails may request transfers to different vendor or bank accounts than those to which money is usually transferred.
  • Mismatches in the sender’s email address or in URLs within the email. Attackers may use email addresses and links that are slight variations of email addresses and websites, designed to slip past the notice of recipients who are in a hurry to comply with the sender’s request.

How to prevent CEO fraud?

Effectively preventing CEO fraud requires multiple layers of protection that may include:

  • Security awareness training that educates employees about the potential signs of CEO fraud and other types of cyberattacks.
  • Company-wide policies and procedures that require multiple layers of authorization or proper documentation (including purchase orders) and/or verbal approval before money can be transferred or sensitive information can be shared.
  • Email security technology that can scan and filter emails in real time in order to block users from opening suspicious attachments or clicking on links which may be malicious.
  • Anti-impersonation software that can identify potential CEO fraud attacks by scanning the header and content of email for the signs of malware-less, social engineering techniques often used in these attacks.
  • DNS authentication services that use DMARC, DKIM and SPF to determine the legitimacy of emails.
  • Anti-malware and anti-spam programs that can stop certain emails at the email gateway.

How to report CEO fraud?

Attempted or successful CEO fraud attacks should be reported immediately to a company’s IT department, to senior leadership (including the person whose identity was impersonated) and to the bank from which any funds were transferred.

Attacks should also be reported to government agencies working to stop cybercrime such as the Cybersecurity and Infrastructure Security Agency (phishing-report@us-cert.gov), the Federal Trade Commission (www.ftc.gov/complaint) and the Anti-Phishing Working Group (www.antiphishing.org/report-phishing).

[i] https://www.ic3.gov/media/2019/190910.aspx