According to the FBI’s Internet Crime Complaint Center (IC3) 2016 Internet Crime Report, CEO fraud that spoofs senior executives ranks among the most prevalent and costly of all cyber attacks reported by businesses and individuals. Such crimes rose a staggering 270% from 2015 to 2016, with actual losses estimated at $2.3 billion. 11% of US companies acknowledge being attacked.
CEO fraud generally involves some form of business email compromise (BEC), spear phishing attack or whaling scam in which a series of bogus emails from a company’s CEO, CFO or other senior executive persuade the targeted employee to quickly transfer funds into fraudulent accounts in a manner that bypasses the usual safeguards. Unlike conventional phishing attacks, which are generic and blasted to as many people as possible, CEO fraud emails are much more customized and convincing. Often their tone is personal, and they contain no malware payloads or links that security controls would red-flag.
CEO email fraud requires careful reconnaissance and social engineering, including gleaning snippets of information (e.g., executive contact details, titles, contacts and even travel plans) from company websites and social media, such as LinkedIn. Scammers often prefer to initiate CEO spoofing when the executive they’re impersonating is away at a conference or meeting, because this may forestall the victim from contacting the executive directly regarding the phony request. The hackers may even have access to victims’ email inboxes, and thus could know a great deal about a company’s wire transfer activity and procedures.
The FBI estimates organizations victimized by CEO fraud lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars. For example, Ubiquiti Networks, a Silicon Valley tech firm, was gutted by a $46.7 million attack, while Crelan Bank in Belgium reported being scammed out of $76 million.
Prevent CEO Fraud with Security Awareness Training
White-hat testing has shown 33% of Fortune 500 C-level executives will fall for spear-phishing attacks and other similar business email compromise scams—even to the point of revealing login credentials. This clearly indicates businesses are under threat of major data breaches aimed at these high-profile targets. Indeed, CEO spoofing may include not only a direct wire transfer scam, but also an Advanced Persistent Threat (APT) type of attack aimed at a firm’s “crown jewels.”
CEO fraud succeeds because it cons employees into disregarding established security controls. With hackers constantly probing your company’s security awareness, educating vulnerable employees—including senior executives—is the most effective way to thwart these increasingly sophisticated and prevalent attacks.