How to Mitigate the Widespread Risk of CEO Fraud
In 2021, reported global cyberattacks increased 125%. This proves that cyberattacks show no signs of slowing down.
Businesses are focusing their attention on how to protect against cyberattacks, and they’re continuing to fine-tune their approach to fighting these threats. Cybercrime is on track to become the third-largest economy worldwide.
In order to stay ahead of any threat, businesses have to remain vigilant against existing threats and any new ones that might emerge over time. One threat that is occurring more and more often is “CEO Fraud”, and it is running rampant in 2022.
CEO Fraud, also known as Business Email Compromise (BEC), preys on email recipients by impersonating communication from C-level executives. Threat actors who send these malicious emails intend to gain access to information, or to benefit from lower-level employees performing tasks on behalf of their supposed superior.
The cybercriminals pose as a C-level executive to try to trick employees into carrying out a variety of tasks, such as executing a wire transfer, amending an invoice payment address, providing payroll information, purchasing gift cards, or otherwise disclosing sensitive company or employee information. This type of attack is effective: according to a 2021 report from the FBI’s Internet Crime Complaint Center (IC3), CEO Fraud is the highest-grossing type of cyberattack.
The risk of CEO Fraud is high, especially in today’s day and age, when many work-related requests arrive as some form of digital communication rather than through face-to-face contact. In order to thwart CEO Fraud, ongoing education of employees and communication with end users is necessary so they can understand how to spot Business Email Compromise attacks. To educate employees and end users, you must know the different techniques used in this type of attack, which can include:
Phishing: Criminals can infiltrate organizational systems by phishing information from the CEOs themselves. Phishing emails can also be used against the employees by using the credentials of C-level Executives to make contact with the employees to request they perform a task that may seem well-intended, but is actually malicious in nature.
Spear Phishing: Similar to a regular phishing attack, spear phishing requires a slightly larger time investment from cybercriminals. In this type of attack, the threat actor crafts an email containing specific information in order to gain trust. Once that trust is established, the criminal can trick employees into supplying details or performing tasks with malicious intent.
Executive Whaling: In this type of attack, rather than targeting lower-level employees, the threat actors will target C-level employees instead. Executive Assistants are also frequent targets of Executive Whaling attacks given their close proximity to organizational heads. They also usually have access to sensitive information other employees wouldn’t. This type of attack, like a spear phishing one, begins with extensive research before carefully crafting an email to gain the executive or assistant’s trust.
Social Engineering: This attack uses a personalized phone call or text message to build trust through conversation. Once trust is established, the attacker can gain access to proprietary information, or convince employees to unknowingly perform a malicious task.
Although C-level executives, assistants and employees in financial roles are also targeted, many CEO Fraud attempts involve employees outside this organizational circle. Any employee in your organization can be the target of a BEC attack. Your organization needs to implement proper cyber hygiene to help protect your business. Some steps you can take to mitigate your organization’s risk of this type of attack include:
Ensuring that you have strict guidelines for authorizing transactions, including segregation of duties
Limiting the information shared on company websites, and other social media to curb the use of personal information as leverage for fraudulent requests
Running periodic penetration testing to gain a real-world understanding of risk profiles
Mandating two-factor authentication (2FA) for end users, particularly those in high-risk groups or departments like HR, IT, Finance and C-level employees
Enforcing and regularly reviewing zero trust policies
Registering multiple domains to maintain control of any similar addresses that may be easily confused as your own
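Several of the mitigations above (limiting what an impersonator can exploit, controlling lookalike domains, and teaching people to spot fraudulent requests) can be backed by an automated check on inbound mail. The following is an added example, not code from the original article or from Tripwire: it screens constructed sample messages for the three signals that recur in CEO Fraud, a display name that matches an executive but comes from an outside domain, a sender domain that is a typo or homoglyph variant of the company’s own domain, and payment or urgency language paired with a mismatched Reply-To. The company domain, executive names, homoglyph table and sample messages are all invented for the demonstration.

```python
"""Constructed CEO Fraud / BEC screening example for a mail filter or SOC triage step.
Returns a list of reasons a message deserves human review; an empty list means clean."""
from email.utils import parseaddr

# Hypothetical values for the demonstration; replace with your own domain and names.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}       # people commonly impersonated
# Characters attackers swap for visually similar ones; folded before comparing labels.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
# Phrases that recur in CEO Fraud requests (wire transfers, gift cards, payroll changes).
ACTION_WORDS = ("wire transfer", "gift card", "payroll", "invoice", "urgent", "confidential")


def fold_homoglyphs(label: str) -> str:
    """Lower-case a domain label and collapse common look-alike characters."""
    label = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'mail.example.com' -> 'example'. Assumes a single-label public suffix."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike_domain(domain: str) -> bool:
    """True when the domain is not ours but is confusable with one of ours."""
    if domain.lower() in TRUSTED_DOMAINS:
        return False
    label = registrable_label(domain)
    for trusted in TRUSTED_DOMAINS:
        t_label = registrable_label(trusted)
        if fold_homoglyphs(label) == t_label or edit_distance(label, t_label) <= 1:
            return True
    return False


def screen_message(msg: dict) -> list:
    """Screen a parsed message (dict of lower-case header names plus 'body')."""
    findings = []
    display, addr = parseaddr(msg.get("from", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    internal = domain in TRUSTED_DOMAINS

    # Signal 1: an executive's name on a message from outside the organization.
    if display.strip().lower() in EXECUTIVE_NAMES and not internal:
        findings.append(f"display name '{display}' matches an executive but sender domain is '{domain}'")
    # Signal 2: sender domain is a typo or homoglyph variant of a trusted domain.
    if domain and is_lookalike_domain(domain):
        findings.append(f"sender domain '{domain}' looks like a trusted domain")
    # Signal 3: replies would go somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("reply-to", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"reply-to '{reply_addr}' differs from sender '{addr}'")
    # Signal 4: payment or urgency language, only escalated when the message is
    # external or already suspicious, so routine internal finance mail is not flagged.
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    hits = [w for w in ACTION_WORDS if w in text]
    if hits and (findings or not internal):
        findings.append("payment/urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages: three fraud patterns and one benign internal notice.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@freemail.example>", "subject": "Urgent wire transfer",
     "body": "Are you at your desk? I need a wire transfer sent today, keep this confidential."},
    {"from": "Accounts Payable <ap@exarnple.com>", "subject": "Updated invoice",
     "body": "Please update the payment address on the attached invoice."},
    {"from": "John Smith <john.smith@example.com>",
     "reply-to": "John Smith <j.smith@mail-forward.example>",
     "subject": "Gift cards for the team", "body": "Buy six gift cards and send me the codes."},
    {"from": "IT Helpdesk <helpdesk@example.com>", "subject": "Scheduled maintenance",
     "body": "Email will be unavailable Saturday."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", screen_message(msg) or "clean")
```

The homoglyph fold catches `exarnple.com` and `examp1e.com`, the edit-distance check catches single-character typosquats such as `exampl.com`, and the Reply-To comparison catches the common case where the visible sender is spoofed but the attacker needs replies routed to a mailbox they control. In production the trusted-domain set would include every domain you register defensively, so that mail from those domains is never mistaken for a lookalike.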
Although the risk of CEO Fraud is high, with the right cyber hygiene and education to spot these types of attacks, your organization can mitigate risk.
Story via Tripwire