CEO fraud – it’s growing in prevalence, you’ve probably heard it mentioned and you should definitely be on the lookout for it. But what is CEO fraud? How damaging is it? How can you protect yourself and your business from it? Read on as we answer these questions and more.
What is CEO fraud?
CEO fraud, also known as Business Email Compromise (BEC), is an effective form of email phishing. At the heart of it, a cyber criminal targets staff members via phone or email, impersonating the CEO or a senior executive from your business or organisation, to trick you into diverting payments for goods or services into the wrong bank account.
Typically, the cyber criminals target finance departments and these attacks are extremely effective.
Why are they so effective?
Unlike traditional email fraud, these messages are not part of mass-email campaigns. They are more targeted. CEO Fraud attacks are so effective because the cyber criminals do their research.
They have done extensive research on your organisation: they know where the business is located, who your executives are and which organisations you work with.
They have learned everything they can about you and your coworkers from your social media accounts including LinkedIn, Facebook, and Twitter.
They then research and target specific employees. If they’re looking for money, they target the accounts department. If they are looking for tax information, they target human resources. If they want access to data, they target the IT department.
How damaging is it?
According to Action Fraud, the largest amount of money ever transferred by an employee to a fraudster was £18.5m, with the average amount stolen using CEO fraud believed to be around £35,000.
A survey by the Association of Financial Professionals polled treasury and finance professionals and found that, in 2017, 77% of organisations had experienced attempted CEO Fraud attacks.
With the total loss to small firms as a result of fraud recorded at around £18.9bn each year, suffice it to say that this is a very damaging phenomenon for businesses.
How to spot CEO fraud?
You might think – “I’d never be caught out by something like this, there’s simply no way!” – but think again. The facts are in the numbers, and the cyber criminals get better by the day. Trustwave released the full transcript of a genuine CEO fraud exchange.
However, there are some things you can ask and some things you can do consistently to increase your chances of spotting CEO Fraud.
- Is the email looking for you to give over something of value?
This could be money, access rights, data or information. Whenever an email comes through requesting something of value, it should attract extra attention and scrutiny.
- Is it in line with email requests you would normally get?
Does this person normally email you? Should other people be cc-ed on the email? Does it make you go outside of normal procedures in any way? You have procedures in place for a reason. If you would normally just authorise a payment and they want you to set it up, flag it. If you would normally give standard access and they want admin access, flag it.
- Check the email address.
94% of all CEO fraud scams involve a deceptive display name and an email address that is different from the address they would normally email from. Check and double check: make sure the address is the one that person normally uses and that the domain name (the part after the @, e.g. domainname.com) is spelled exactly right.
- Always ask the question.
Hearing from your CEO can sometimes be daunting. Cybercriminals know this and leverage it. But the one thing that will put you at the lowest risk of CEO fraud is asking the question: “Does this seem right to you?” Don’t be embarrassed to ask. Ask your manager, ask your boss, ask the CEO or ask a colleague to review.
With the prevalence of CEO Fraud consistently on the rise, it pays to double check!