According to the FBI, instances of CEO fraud are rising sharply, costing businesses an estimated $2.3 billion over the past three years. Victims are usually duped by scammers who impersonate a company's CEO via email and then have money wired to the criminals' account.
Typically this type of attack starts in one of two ways: a phishing email is sent to an executive at the company in order to take over their email account, or emails are sent to employees from a domain name that is similar enough to the company's legitimate domain (a swapped character, a different top-level domain) that the difference goes unnoticed. These emails usually don't trip spam filters because they are targeted and, unlike mass phishing campaigns, are sent in very small numbers. Red flags often aren't raised because the criminals have done their research and mimic the business's internal language, its relationships with other companies, its purchasing plans, and so on.
If an employee falls for the phishing email, the attackers go over every inch of the victim's website and through any employee mailbox they can get access to. They are looking for anything that reveals how the business performs financial transactions, so emails containing words such as "deposit" or "invoice" are of special interest, especially if it turns out the company makes wire transfers with any frequency. Unlike other scams where the criminals interact with the victim's bank directly, CEO fraud tricks the victim into doing that work for them.
According to the FBI, the average victim of CEO fraud loses between $25,000 and $75,000, but there are examples of businesses losing millions. In 2015 the toy manufacturer Mattel fell for one of these attacks and lost $3 million, and the networking firm Ubiquiti reported a $46.7 million loss as the result of CEO fraud.
As in every other area of security, it's a good idea to use multi-factor authentication on email accounts and to be on the lookout for spoofed or look-alike sender addresses. Be wary of any supposedly urgent wire transfer request that arrives by email, especially one that asks for secrecy. Take the extra step of verifying the request out of band: call the person or organization on a number you already have, rather than replying to the email or using contact details it supplies. Simulated phishing attacks are a good way to get employees familiar with the tactics scammers use so they recognize an attack when it happens.
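The two indicators described above, a look-alike sender domain and an urgent, secretive wire request, are easy to check mechanically at the mail gateway or in a triage script. The following is an added example (not code from the original article) that screens a raw message for four CEO-fraud indicators: a sender domain that imitates the corporate domain, an executive's display name on an address that is not theirs, a Reply-To that silently redirects replies elsewhere, and payment language combined with pressure to act now. The corporate domain `example.com`, the executive list and both sample messages are constructed for illustration.

```python
"""Heuristic screening of inbound mail for CEO-fraud indicators (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # assumed legitimate domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}  # assumed impersonation targets

# Character swaps attackers use when registering look-alike domains. Multi-character
# swaps come first so "rn" is folded to "m" before the single "l" is folded away.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "i"), ("l", "i")]

WIRE_TERMS = re.compile(r"\b(wire|transfer|invoice|deposit|payment)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(urgent|urgently|asap|immediately|today|confidential|do not (?:call|discuss))\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(domain: str) -> str:
    """Map visually similar character sequences onto one canonical form."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def is_lookalike(domain: str, corp: str = CORP_DOMAIN) -> bool:
    """True if domain imitates corp without being corp or one of its subdomains."""
    domain = domain.lower()
    if not domain or domain == corp or domain.endswith("." + corp):
        return False
    if fold_confusables(domain) == fold_confusables(corp):
        return True                               # examp1e.com, exarnple.com
    label, corp_label = domain.rsplit(".", 1)[0], corp.rsplit(".", 1)[0]
    if label == corp_label:
        return True                               # example.co, example.net
    return levenshtein(label, corp_label) <= 2    # examples.com, exmaple.com


def _text_of(msg) -> str:
    """Subject plus every text/plain body part, decoded."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(parts)


def screen_message(raw_message: str) -> list:
    """Return the CEO-fraud indicators found in an RFC 822 message, in order."""
    msg = message_from_string(raw_message)
    flags = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if is_lookalike(from_domain):
        flags.append("lookalike-sender-domain")

    # Display-name spoofing: an executive's name on an address that is not theirs.
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name.lower() in name.lower() and addr.lower() != exec_addr.lower():
            flags.append("display-name-spoof")

    # Replies quietly redirected to a domain other than the one shown in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        flags.append("reply-to-mismatch")

    # A payment request combined with pressure to act now and keep quiet.
    text = _text_of(msg)
    if WIRE_TERMS.search(text) and URGENCY_TERMS.search(text):
        flags.append("urgent-wire-request")
    return flags


# Constructed sample messages, not real traffic.
SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.janedoe@gmail.com>
To: accounts@example.com
Subject: Urgent wire transfer - confidential

Are you at your desk? I need a wire sent today for an acquisition
deposit. Keep this confidential and do not call, I am in meetings.
I will send the bank details once you confirm.
"""

SAMPLE_LEGIT = """\
From: Bob Smith <bob.smith@example.com>
To: accounts@example.com
Subject: Q3 invoice batch

Attached are the invoices for the usual monthly vendor run.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)):
        print(label, screen_message(sample) or "no indicators")
```

Running the script flags the first sample on all four indicators and the second on none. These are header and content heuristics for triage, not authentication: a message that forges the executive's exact address on the real corporate domain passes `is_lookalike`, and stopping that requires SPF, DKIM and DMARC enforcement at the gateway. Tune the keyword lists to the organisation's own payment vocabulary, and treat a hit as a reason to verify by phone rather than as proof of fraud.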
Many organizations interact with the public through social media or their websites, but companies should be careful about what they publish. Attackers scour this information for travel schedules and out-of-office periods, looking for a window when an executive is out of the country and a request made in their name is hard to verify.