CEO fraud costs UK businesses millions of pounds each year and is an increasing threat across the world economy. However, there are ways you can mitigate the risk of business email compromise and the threat of CEO fraud.
What is CEO Fraud?
CEO fraud, a variant of Business Email Compromise (BEC), is when a malicious actor purporting to be a senior company executive communicates with employees and requests that a payment be made to a third-party bank account. This type of fraudulent activity affects organisations within all business sectors and is becoming ever more sophisticated.
How is it executed?
Numerous techniques and sources are used to collate the information needed for a convincing CEO fraud, including social engineering via email and telephone. The WSJ reported that a UK-based energy firm fell victim to a fraud in which a criminal entity used artificial intelligence software to impersonate a chief executive’s voice and demand a transfer of £200,000.
Most attacks begin with a successful blanket phishing or targeted ‘spear phishing’ email, in which the recipient inadvertently hands their credentials to a threat actor and the account is compromised.
Following the intrusion, and after a period of discovery in which the attacker identifies a suitable individual to target, typically a more junior member of the organisation, an email is sent containing instructions to make a payment. It usually cites an urgent situation or the need for confidentiality in order to reduce scrutiny and discourage verification.
Fraudsters will commonly target an organisation’s finance department in an attempt to convince unsuspecting employees into transferring funds to a fraudulent bank account.
Sometimes, senior executives’ accounts are not even breached; they are merely ‘spoofed’. That is, a domain looking very similar to the organisation’s is registered, and an email address carrying the executive’s name and details is created on it.
The fraudsters are counting on the recipient not noticing this discrepancy and complying with the urgent transfer request. To establish further legitimacy, they include subject lines beginning with “Re:” or “Fwd:” so that the email appears to be part of a previous conversation.
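The two spoofing signs described above, a lookalike sender domain and a “Re:”/“Fwd:” subject that is not actually part of a thread, can be checked mechanically on inbound mail. The following is an added example, not code from the original article; ORG_DOMAIN, EXEC_NAMES and the sample message are assumed placeholders.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumed placeholder: the organisation's real domain
EXEC_NAMES = {"jane doe"}    # assumed placeholder: display names of senior executives

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch domains that differ by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, org: str = ORG_DOMAIN) -> bool:
    """True when the sender domain is not ours but sits within two edits of it."""
    domain, org = domain.lower(), org.lower()
    return domain != org and edit_distance(domain, org) <= 2

def check_message(raw: bytes) -> list[str]:
    """Return the spoofing signs found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    findings = []
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain {domain} (expected {ORG_DOMAIN})")
    if name.lower() in EXEC_NAMES and domain != ORG_DOMAIN:
        findings.append(f"executive display name '{name}' sent from {domain}")
    threaded = msg.get("In-Reply-To") or msg.get("References")
    if subject.lower().startswith(("re:", "fwd:", "fw:")) and not threaded:
        findings.append("reply/forward subject with no In-Reply-To or References header")
    return findings

# Constructed sample message (not a real one): the digit 1 replaces the letter l in the domain.
SAMPLE = b"""From: Jane Doe <jane.doe@examp1e.com>
Subject: Re: Urgent and confidential payment

Please transfer the funds today; I am in meetings and cannot take calls.
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("WARNING:", finding)
```

A message that trips any of these checks is a candidate for the out-of-band verification step recommended below, not for automatic rejection.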
How to mitigate the risk of CEO fraud
Many steps can be taken to prevent this form of business email compromise/‘man in the middle’ attack. Ultimately, its success largely comes down to human error.
Some useful steps are:
- Ensure all staff, and particularly departments such as finance, are educated about this kind of scam;
- Be cautious of any unexpected emails requesting urgent bank transfers, even if they appear to have originated from someone within your organisation;
- Independently verify any payment request that states new or amended bank details, using a different channel of communication from the one the request arrived by, such as email, letter or phone;
- Ensure your business’s IT infrastructure is secure and all computers have appropriate security measures in place, including up-to-date antivirus software;
- Establish internal processes for the request and authorisation of all payments and be vigilant of any payment requests outside of the standard process;
- Introduce two-factor authentication within the payment process.