CEO Fraud – How It Works

CEO Fraud
CEO fraud is up there, along with phishing and ransomware, in the top three cyber threats facing small businesses. CEO fraud comes in a variety of more or less sophisticated forms, but most commonly appears as a forged email or SMS message purporting to come from the CEO or other senior person and asking for money to be transferred to meet some urgent requirement.

CEO fraud differs significantly from the other two threats mentioned above because it requires knowledge of the target company. To launch a CEO fraud attack, the attacker needs to know the CEO’s name and, ideally, their email address. The attacker also needs to know about relationships between the CEO and members of their team. A prime target for CEO fraud is someone in the accounts department, but anyone subordinate to the CEO will do, especially new starters.

If people in your company start to receive emails or SMS messages that look like CEO fraud, it is important to treat this differently from spam or phishing attacks. You should be aware that a fraudster has taken the time to research and target your company. Having put in the work, they probably won’t give up after one attempt. You need to alert your staff to be vigilant because an ongoing attack is underway.

So, what does the classic CEO fraud message look like? First it looks like it has come from the CEO. It is easy to spoof numbers in SMS messages, which can mean that the CEO’s name is displayed to the recipient. It is equally easy to have an email show any Display Name the attacker wants. It is harder, but not much harder, to spoof the sender’s email address to match the CEO’s email address. In any case, emails received on a mobile phone often only show the Display Name by default.

Signs of CEO Fraud include a sense of urgency and unavailability, in addition to using an unusual email address and not knowing basic employee information (like their phone number)

The content of the message is usually some combination of the following:

  • Request to transfer money, often in an unusual way, e.g., by providing the code on a gift card.
  • Sense of urgency
  • Threatening (or very busy executive) tone
  • Stress on the need for secrecy or confidentiality
  • Unavailability of the sender, e.g., because they have just boarded a flight or started an important meeting.

The message will usually boil down to an urgent requirement on the part of the CEO to immediately access money which only the recipient can currently satisfy. Success for the fraudster depends on the recipient fearing the consequences of not complying immediately.

And how do the fraudsters know who to target? They use the same techniques as traditional hackers, who learn early on in hacking school that a successful attack always starts with a reconnaissance phase. They start in exactly the same place as a savvy job seeker and find out all about the company from its website and the social media accounts of its employees. Trainee hackers are also taught to frequent the public online forums (now Facebook more often than not) where their future victims hang out to swap information about their jobs. Though not directly relevant to CEO fraud, IT forums offer the richest pickings about company infrastructure setups, as IT staff seek help with configuring tricky systems and, in the process, provide information about the systems they are installing. Industries in which staff move regularly between companies on short-term contracts are especially easy to research, as their employees have a very strong incentive to build up a strong online presence and an up-to-date track record as evidence of their employability.

Platforms like LinkedIn are rich pickings for likely targets for CEO Fraud, especially for new employees who may not be savvy to internal policies and procedures

How should you look to defend your company and staff against CEO fraud? As always with cybercrime, the single most important defence is awareness. Discussion about cybercrime should form part of your regular staff meetings. Explain how CEO fraud works. But also explain to your team what your procedures are for requesting and authorising money transfers, which should never include the use of gift cards. The CEO will also have to accept that they don’t have the option to demand on-the-spot cash transfers. Procedures must be followed by everybody. That said, you should also plan for exceptions. What if landing a crucial contract really did depend on the CEO laying their hands on some cash right now? Unlikely, but it could happen. So, establish a protocol that allows for confirmation on a known good channel, e.g., a request by SMS must be confirmed by another named individual by email. The precise details of this protocol can vary, but it must involve at least two people and two channels of communication.

For email, there are also technical measures you can ask your IT department or provider to deploy.

  • Enforce a standard email format including how your Display Names, Email Addresses and Signatures are displayed (then advise your team that emails that do not match your standard format are likely forgeries).
  • Add a banner to inbound emails that originate outside your organisation where the display name matches the display name of a user inside your organisation. For the CEO, this rule should be modified to display the banner even if the display name doesn’t fully match or the spelling of the name is slightly different.
  • Consider adding a banner to all emails that originate outside your organisation. Users might find this irritating, but an email from the CEO headed by a banner that says ‘this email originated outside your organisation’ will give potential victims pause for thought (which is all that is needed).
  • Set up domain spoofing protection, which will block emails from domains that look like yours. For example, you could block emails from domian.com if your domain is domain.com. Making very small changes to the spelling of a domain is a common technique used by attackers.

Setting up banner alerts that warn you when an email comes from outside your organisation with the same name as someone inside the company is one way to help identify fraudulent emails
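The banner and lookalike-domain rules above can be expressed as a small inbound-mail classifier. This is an added example, not code from the article or from any mail product; it assumes a placeholder organisation domain (example.com), a constructed two-person internal directory, and similarity thresholds chosen for illustration.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumptions (constructed sample data, not from the article): our own domain and
# a tiny internal directory; names in EXECUTIVES get the looser fuzzy-match rule.
OUR_DOMAIN = "example.com"
INTERNAL_NAMES = ["Jane Smith", "Tom Jones"]
EXECUTIVES = {"Jane Smith"}

def _similarity(a, b):
    """Case-insensitive string similarity in [0, 1] (1.0 = identical)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def is_lookalike_domain(candidate, ours=OUR_DOMAIN, threshold=0.8):
    """True for a domain close to ours but not ours (e.g. domian.com vs domain.com)."""
    candidate, ours = candidate.lower(), ours.lower()
    return candidate != ours and _similarity(candidate, ours) >= threshold

def matching_internal_name(display_name):
    """Return the internal user whose display name the sender imitates, or None.
    Ordinary users need an exact match; executives also match on near-misspellings."""
    for name in INTERNAL_NAMES:
        threshold = 0.75 if name in EXECUTIVES else 1.0
        if display_name and _similarity(display_name, name) >= threshold:
            return name
    return None

def banners_for(raw_message):
    """Decide which warning banners an inbound message should carry, from its From: header."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if domain == OUR_DOMAIN:
        return []                                # genuinely internal: no banner
    banners = ["EXTERNAL"]                       # every outside sender gets this one
    if is_lookalike_domain(domain):
        banners.append("LOOKALIKE_DOMAIN")
    name = matching_internal_name(display_name)
    if name:
        banners.append(f"IMPERSONATES:{name}")
    return banners

# Constructed sample: a 'CEO' mail from a free webmail account with a gift-card request.
SAMPLE = (
    "From: Jane Smith <jane.smith.ceo@gmail.com>\r\n"
    "Subject: Urgent - need gift cards before my flight\r\n\r\n"
    "Are you at your desk? I need this done quietly today.\r\n"
)
```

Running `banners_for(SAMPLE)` returns `["EXTERNAL", "IMPERSONATES:Jane Smith"]`; the thresholds are starting points and should be tuned against your own mail flow to keep false positives tolerable.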

Though it is not at first obvious how it protects you from attackers, it is also worth considering how you manage your domain name. Your domain name represents you on the Internet, and the management of your domain name is a way of managing your online reputation as a legitimate sender of emails. This would need to be the subject of a longer article, but it is worth being aware that by ensuring you have done everything necessary to identify your domain as a responsible Internet ‘citizen’ you also protect yourself against attacks.

If you would like to know more about CEO Fraud, cyber security and making sure your domain management is up to scratch, I’d be delighted to hear from you on ciaran@macnamara.co.uk