CEO fraud is a type of “business email compromise” (BEC) scam in which cyber criminals spoof the CEO's official email account to fool an employee in Finance or HR into executing unauthorized fund transfers or disclosing confidential information.
These are advanced scams that target businesses working with foreign suppliers and companies that regularly perform online fund transfers. Social engineering and computer intrusion techniques are used to compromise official email accounts and conduct illegal transfers of funds.
According to FBI figures from the last quarter of 2016, cyber criminals tried to steal 5.3 billion dollars through CEO fraud scams. Most victims are in the US, but companies in 100 other countries have also reported incidents. While the fraudulent transfers are sent to many countries, most end up in Hong Kong and China. Unless the fraud is identified within 24 hours, the chances of recovery are small: less than 4%.
Besides the CEO, the employees considered primary targets are representatives from finance, HR and IT, and other C-level executives. Cyber criminals gain entry into the finance department via phishing and hijack a relevant email account to send a request to an authorized finance employee to transfer the funds.
HR typically receives a resume carrying spyware, together with a request from a spoofed email address to provide employees' sensitive information and email addresses to the cyber criminals. IT personnel hold complete information on email accounts, passwords and other credentials; if those are compromised, the whole department becomes vulnerable.
C-level executives are considered the main target of cyber criminals since the majority hold some financial authority, and if their email accounts are compromised, cyber criminals can retrieve all kinds of confidential data.
The key to prevention is to recognize the scenarios and the different methods of attack.
- A request to transfer funds to a foreign supplier, but to a different account than usual. The request looks genuine because it comes from the correct email address.
- An employee's email account is spoofed and used to send invoices to company suppliers, with the money transferred to a fraudulent account.
- Criminals pose as lawyers or executives dealing with confidential and time-sensitive matters.
- A spoofed executive email account sends an email to the HR, accounts or auditing department to obtain the company's list of personal information.
Different Methods of Attack
Social Engineering – Social engineering is the use of psychological manipulation to trick people into providing confidential information or access to funds. It may include digging up information from social media sites; LinkedIn, Facebook and other venues present a wealth of information about an organization's personnel.
Phishing – Phishing emails are sent to many executives simultaneously in an attempt to “fish” for sensitive information, using legitimate-looking logos and near-identical email addresses.
Spear Phishing – Cyber criminals use this much more focused form of phishing to target one person or a small group of individuals who use a particular bank or service; the email includes personalized details such as the person's name or a client's name.
Executive Whaling – Cyber criminals target top-level officials and administrators, typically to draw money from accounts or steal confidential information, using detailed knowledge of the executive and the organization.
Holistic Approach of People Process Technology
How can a holistic approach of People, Process and Technology be implemented to improve cyber security measures? Even though most effort and investment goes into technology, cyber criminals always find a way in through the weakest link in an organization, its employees, regardless of how well the defense perimeter is designed.
People
- Employees are the weak link that cyber criminals exploit in any organization.
- Maintain continuous security awareness among users, technologists and management.
- Every user needs to be able to recognize phishing emails, scams and social engineering from a mile away.
- Continuously test users with simulated phishing emails.
- Reward vigilant and security-conscious user behavior.
- Identify the most targeted users and implement additional controls to safeguard them.
Process
- Institute technical controls and act on their findings.
- Implement a security policy and review it through gap analysis.
- Develop standard procedures for IT as well as non-IT employees.
- Perform scheduled and ongoing risk assessments.
- Control data and its handling across the organization.
- Always keep an eye out for spoofed emails.
- Maintain an incident response and management process.
- Inform your bank immediately to block all fraudulent transfers.
- Contact your legal department and law enforcement, and file a complaint.
- Conduct a digital forensics investigation.
- Conduct an internal investigation and isolate security policy violations.
- Run a vulnerability assessment and penetration testing process.
Technology
- Use technology for timely and consistent patching of software.
- Antivirus and anti-malware with behavioral detection
- Intrusion detection and prevention
- Firewalling – network and application
- Email and web filtering
- Two-factor authentication
- Backup solutions – offline and online
- Restrict downloads and removable media.
- Encryption and key management
- Security hardening and correct technology configuration
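As an added defender-side example (not code from the original article), a small Python triage check for the spoofing indicators the list above asks staff to watch for: an executive's display name paired with the wrong address, a look-alike sender domain, a Reply-To pointing elsewhere, and urgent fund-transfer wording. The company domain, executive list and sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions (placeholders, not real data): the organisation's
# domain and the executives whose display names CEO-fraud emails imitate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "wire", "transfer", "confidential", "immediately")

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(raw_message):
    """Return the CEO-fraud indicators found in one plain-text RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. An executive's display name paired with an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("executive display name on a non-matching address")
    # 2. The sender domain is a near-miss of the company domain.
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("look-alike sender domain: " + from_domain)
    # 3. Replies are quietly redirected to a different domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")
    # 4. Pressure wording typical of fraudulent fund-transfer requests.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if sum(word in text for word in URGENCY_WORDS) >= 2:
        findings.append("urgent fund-transfer wording")
    return findings

# Constructed sample messages, not real traffic.
SUSPICIOUS = ("From: Jane Doe <jane.doe@examp1e.com>\n"
              "Reply-To: ceo.private@mail-example.net\n"
              "Subject: Urgent wire transfer - confidential\n\n"
              "I am in a meeting; please transfer the invoice amount immediately.\n")
LEGIT = ("From: Jane Doe <jane.doe@example.com>\n"
         "Subject: Lunch on Friday\n\nSee you at noon.\n")
```

Running `assess(SUSPICIOUS)` returns all four indicators, while `assess(LEGIT)` returns an empty list; in practice the same checks belong in the mail gateway's filtering rules rather than in a standalone script.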
Even though virus and malware defense has long been viewed as a purely IT problem, organizations should appoint a Chief Information Security Officer (CISO). Yet information security is often treated as a challenge that lies well below board or C-level attention. Organizations must take reasonable measures to prevent cyber incidents and mitigate the impact of breaches, since CEOs are responsible for restoring normal operations after a data breach and for ensuring that company assets and the company's reputation are protected.