What is CEO fraud?
CEO fraud is a type of cybercrime where attackers impersonate a company’s executives in order to trick an employee into sending unauthorized wire transfers or divulging sensitive information. The FBI reports that between 2016 and 2019, CEO fraud (also known as Business Email compromise, or BEC) resulted in $26 billion in losses for companies worldwide.[i]
How does CEO fraud phishing work?
CEO fraud is a highly targeted form of spear-phishing in which attackers research potential victims and their companies online, learning everything they can from the organization’s website, as well as information from social media sites such as LinkedIn, Facebook and Twitter. Targets are typically mid-level staff members in the financial, accounts payable or human resources department. Attackers craft a highly realistic-looking email that appears to come from the company’s CEO or another high-level executive and uses information learned about the target to make the email seem authentic. The email urges the recipient to take immediate action to transfer money to a specific account, provide sensitive information such as payroll or tax information, or share credentials that can provide attackers with access to corporate systems. Because these CEO fraud attacks emphasize urgency, secrecy and/or confidentiality, employees are often inclined to take action without double or triple checking to make sure the request is legitimate.
CEO fraud phishing email scams are on the rise
CEO fraud, a new kind of corporate email security threat, has risen sharply in recent months. Also known as whale phishing, CEO fraud email scams impersonate individuals with access to financial information or other sensitive data into making wire transfers or divulging bank account numbers, credit card information, passwords and other highly valuable data via email. These CEO fraud scams often target or impersonate CEOs or CFOs, or other C-level executives.
The FBI reports that CEO fraud and whaling attack instances increased by 270% between January and August 2015, and that losses due to these scams exceeded $1.2 billion in just over two years1. As organizations seek ways to prevent CEO fraud, many companies are turning to email security solutions from Mimecast.
How to recognize a CEO fraud attack?
CEO fraud is much harder to recognize than common phishing emails that are sent to hundreds or thousands of recipients. The request may even come from a legitimate email address that has been hacked by attackers. However, there are several hallmarks of CEO fraud that all employees should look out for.
- Requests to transfer money or share sensitive information. Every request of this kind should be viewed skeptically by employees, who should be instructed to take steps to verify the authenticity of requests before complying.
- An urgent or threatening tone. CEO fraud attacks are designed to encourage employees to act quickly and without questioning their actions.
- Requests made by executives who say they are unavailable for a period of time. Attackers will often suggest that the email’s sender is unavailable for communications that could corroborate the request.
- Language that requests secrecy or confidentiality. This is designed to prevent employees from checking with other colleagues or their immediate superiors about the legitimacy of the request.
- Unusual account numbers. CEO fraud emails may request transfers to different vendor or bank accounts than those to which money is usually transferred.
- Mismatches in the sender’s email address or in URLs within the email. Attackers may use email addresses and links that are slight variations of email addresses and websites, designed to slip past the notice of recipients who are in a hurry to comply with the sender’s request.
- The display name, or friendly name, which may reveal that an attacker is trying to spoof and internal email address.
- The sender’s domain name. Attackers will often use a domain name that is very similar to the recipient’s domain name, with small differences that may not be noticed immediately.
- The registration date of the sending domain name. Newly registered domains are often used in CEO fraud and may indicate that the message is suspicious.
- Certain words such as “bank transfer” or “wire transfer” in the body of the message that may indicate the message is part of an attack.
- Real-time protection against social engineering attacks that do not use typical tactics such as malware, malicious URLs and weaponized attachments.
- Complete control over how suspicious messages are handled. Messages may be bounced, quarantined or tagged as suspicious to alert users to the possibility of a fraud attempt.
- Comprehensive protection from Mimecast’s threat intelligence infrastructure and Messaging Security teams.
- Security awareness training that educates employees about the potential signs of CEO fraud and other types of cyberattacks.
- Company-wide policies and procedures that require multiple layers of authorization or proper documentation (including purchase orders) and/or verbal approval before money can be transferred or sensitive information can be shared.
- Email security technology that can scan and filter emails in real time in order to block users from opening suspicious attachments or clicking on links which may be malicious.
- Anti-impersonation software that can identify potential CEO fraud attacks by scanning the header and content of email for the signs of malware-less, social engineering techniques often used in these attacks.
- DNS authentication services that use DMARC, DKIM and SPF to determine the legitimacy of emails.
- Anti-malware and anti-spam programs that can stop certain emails at the email gateway.
CEO fraud prevention with Mimecast
Mimecast provides security, archiving and continuity cloud services that protect business email and deliver comprehensive email risk management in a single subscription service. Mimecast Targeted Threat Protection with Impersonation Protect offers highly effective defenses to combat CEO fraud, improve whaling security. Impersonation Protect scans inbound email for key indicators that suggest the message may be part of a CEO fraud attempt. These include:
Check out our blog for the latest cyber security trends.
Features of Mimecast’s solution for CEO fraud
Mimecast’s Impersonation Protect helps to prevent CEO fraud by delivering:
CEO fraud attack FAQs
What are the most common methods of a CEO fraud attack?
Common methods used in CEO fraud attacks are:
Phishing - Scammers send emails that appear to be from a company's CEO or other senior executive. These emails will often ask for sensitive information, such as login credentials or financial data.
Spoofing - Scammers mimic a CEO's email address and send messages that appear to be from them. Again, these messages will often request sensitive information.
Social engineering – Scammers try to trick people into giving them sensitive information by pretending to be someone they're not. For example, they may call up an employee and pretend to be the CEO in order to get login details.
Who is at the greatest risk of being the target of CEO fraud attack?
There is no definitive answer to this question as CEO fraud attacks can target anyone with an email account. However, certain groups of people may be at greater risk due to their job position or the type of company they work for.
For example, employees who work in finance or accounting are often targeted by CEO fraudsters as they have access to sensitive information that can be used to commit fraud.
Similarly, employees of large companies or organizations are also often targeted, as CEO fraudsters know that these companies tend to have more money and resources that they can exploit.
Ultimately, CEO fraud can target anyone, so it is important for everyone to be aware of the risks and take steps to protect themselves. Some simple steps that you can take to protect yourself:
- Being suspicious of unsolicited emails;
- Don’t click on links or attachments from unknown sources; and
- Verify requests for information or money before responding.
How can enterprises Prevent CEO Fraud?
Effectively preventing CEO fraud requires multiple layers of protection that may include:
How to report CEO fraud?
Attempted or successful CEO fraud attacks should be reported immediately to a company’s IT department, to senior leadership (including the person whose identity was impersonated) and to the bank from which any funds were transferred.
Attacks should also be reported to government agencies working to stop cybercrime such as the Cybersecurity and Infrastructure Security Agency (email@example.com), the Federal Trade Commission (www.ftc.gov/complaint) and the Anti-Phishing Working Group (https://apwg.org/reportphishing).