CEO fraud differs significantly from the other top three threats mentioned above because it involves knowledge of the target company. To launch a CEO fraud attack, the attacker needs to know the CEO’s name and, ideally, their email address. The attacker also needs to know about relationships between the CEO and members of their team. A great target for CEO fraud is someone in the accounts department, but anyone subordinate to the CEO will do, especially new starters.
If people in your company start to receive emails or SMS messages that look like CEO fraud, it is important to treat this differently from spam or phishing attacks. You should be aware that a fraudster has taken the time to research and target your company. Having put in that work, they probably won’t give up after one attempt. You need to alert your staff to be vigilant because an attack is underway and is likely to continue.
So, what does the classic CEO fraud message look like? First it looks like it has come from the CEO. It is easy to spoof numbers in SMS messages, which can mean that the CEO’s name is displayed to the recipient. It is equally easy to have an email show any Display Name the attacker wants. It is harder, but not much harder, to spoof the sender’s email address to match the CEO’s email address. In any case, emails received on a mobile phone often only show the Display Name by default.
The content of the message is usually some combination of the following:
- Request to transfer money, often in an unusual way, e.g., by providing the code on a gift card.
- Sense of urgency.
- Threatening (or very busy executive) tone.
- Stress on the need for secrecy or confidentiality.
- Unavailability of the sender, e.g., because they have just boarded a flight or started an important meeting.
The message will usually boil down to an urgent requirement on the part of the CEO to immediately access money which only the recipient can currently satisfy. Success for the fraudster depends on the recipient fearing the consequences of not complying immediately.
And how do the fraudsters know who to target? They use the same techniques as traditional hackers, who learn early on in hacking school that a successful attack always starts with a reconnaissance phase. They start in exactly the same place as a savvy job seeker and find out all about the company from its website and the social media accounts of its employees. Trainee hackers are also taught to frequent the public online forums (now Facebook more often than not) where their future victims hang out to swap information about their jobs. Not relevant to CEO fraud, but IT forums offer the richest pickings about company infrastructure setups, as IT staff seek help with configuring tricky systems and, in the process, provide information about the systems they are installing. Industries in which staff move regularly between companies on short-term contracts are especially easy to research, as their employees have a very strong incentive to build up a strong online presence and an up-to-date track record as evidence of their employability.
How should you look to defend your company and staff against CEO fraud? As always with cybercrime, the single most important defence is awareness. Discussion about cybercrime should form part of your regular staff meetings. Explain how CEO fraud works. But also explain to your team what your procedures are for requesting and authorising money transfers, which should never include the use of gift cards. The CEO will also have to accept that they don’t have the option to demand on-the-spot cash transfers. Procedures must be followed by everybody. That said, you should also plan for exceptions. What if landing a crucial contract really did depend on the CEO laying their hands on some cash right now? Unlikely, but it could happen. So, establish a protocol that allows for confirmation on a known good channel, e.g., a request by SMS must be confirmed by another named individual by email. The precise details of this protocol can vary but must involve at least two people and two channels of communication.
For email, there are also technical measures you can ask your IT department or provider to deploy.
- Enforce a standard email format including how your Display Names, Email Addresses and Signatures are displayed (then advise your team that emails that do not match your standard format are likely forgeries).
- Add a banner to inbound emails that originate outside your organisation where the display name matches the display name of a user inside your organisation. For the CEO, this rule should be modified to display the banner even if the display name doesn’t fully match or the spelling of the name is slightly different.
- Consider adding a banner to all emails that originate outside your organisation. Users might find this irritating, but an email from the CEO headed by a banner that says ‘this email originated outside your organisation’ will give potential victims pause for thought (which is all that is needed).
- Set up domain spoofing protection, which will block emails from domains that look like yours. For example, you could block emails from domian.com if your domain is domain.com. Making very small changes to the spelling of a domain is a common technique used by attackers.
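A simple version of two of the rules above (the banner for external mail whose display name matches an internal user, fuzzy-matched for the CEO, and the lookalike-domain check) as an added example, not code from the original article. The organisation domain, the staff names and the 0.8 similarity threshold are assumptions you would tune for your own environment.

```python
import email.utils
import re
from difflib import SequenceMatcher

ORG_DOMAIN = "example.com"                               # assumed: your own domain
CEO_NAME = "Jane Doe"                                    # constructed CEO name
INTERNAL_USERS = {"Jane Doe", "Sam Patel", "Alex Chen"}  # constructed staff directory
SIMILARITY_THRESHOLD = 0.8                               # assumed tuning value


def _norm(name):
    """Lower-case a display name and drop punctuation so 'J. Doe' and 'j doe' compare alike."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical after normalisation."""
    return SequenceMatcher(None, _norm(a), _norm(b)).ratio()


def is_lookalike_domain(domain, org_domain=ORG_DOMAIN, threshold=SIMILARITY_THRESHOLD):
    """True for domains that are close to, but not exactly, your own (e.g. domian.com)."""
    domain = domain.lower()
    if domain == org_domain:
        return False
    return SequenceMatcher(None, domain, org_domain).ratio() >= threshold


def classify_sender(from_header):
    """Return the list of reasons an inbound From: header should get a warning banner."""
    display, address = email.utils.parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if domain == ORG_DOMAIN:
        return []  # genuinely internal mail: no banner
    reasons = []
    if display:
        internal_names = {_norm(u) for u in INTERNAL_USERS}
        if _norm(display) in internal_names:
            reasons.append("display name matches internal user")
        elif similarity(display, CEO_NAME) >= SIMILARITY_THRESHOLD:
            # CEO rule is looser: catch 'Jan Doe', 'Jane  Doe', etc.
            reasons.append("display name resembles CEO")
    if is_lookalike_domain(domain):
        reasons.append("sender domain resembles our domain")
    return reasons
```

Mail gateways normally expose the From: header to a filter script, so `classify_sender` is the piece you would wire in; an empty list means no banner.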
Though it is not at first obvious how it protects you from attackers, it is also worth considering how you manage your domain name. Your domain name represents you on the Internet, and the management of your domain name is a way of managing your online reputation as a legitimate sender of emails. This would need to be the subject of a longer article, but it is worth being aware that by ensuring you have done everything necessary to identify your domain as a responsible Internet ‘citizen’ you also protect yourself against attacks.
If you would like to know more about CEO Fraud, cyber security and making sure your domain management is up to scratch I’d be delighted to hear from you on ciaran@macnamara.co.uk