According to the FBI, it’s a 12.5 billion dollar problem: CEO fraud cost global businesses $12,536,948,299 between October 2013 (when formal reporting to the Internet Crime Complaint Center (IC3) began) and May of 2018. But this figure, however alarming it sounds, likely represents only the tip of the iceberg when it comes to email-based scams targeting senior executives.
Though experts agree that CEO fraud has caused greater financial losses than any other type of cybercrime, they also speculate that it’s probably vastly under-reported. That’s because the kinds of damage it causes extend far beyond simple and immediate monetary losses. Otherwise successful CEOs have been fired, and their most loyal employees have seen their careers ruined. Stock prices have plummeted. And incalculable damage has been done to brand reputations.
As 2019 gets underway, we expect that CEO fraud will become even more prevalent. FBI data shows that global exposed losses increased by 136% from 2016 to 2018, and there are no signs of a slowdown in the trend.
Businesses large and small in a wide variety of industries—ranging from technology to manufacturing, and from hospitality to financial sector—are at risk. So, too, are government agencies and nonprofits. And C-level executives are not the only personnel being targeted; employees in departments ranging from finance and accounting to Human Resources have been victimized by these attacks.
What can be done to reduce your individual business’s vulnerability? How can you protect against this growing threat?
Understanding the Problem: What is CEO Fraud?
CEO fraud is a type of business email compromise (BEC) involving impersonation. In these attacks, a criminal assumes the identity of a CEO or other senior executive within an organization and sends out emails to staff requesting payment—usually via international wire transfer—or the release of account credentials or sensitive information. Scammers look for businesses that have foreign suppliers or that regularly make large payments by bank transfer. These attacks are often highly effective because they’re so meticulously targeted.
Although perpetrators employ a variety of tactics, it’s not uncommon for them to have gained access to their victim’s network long before the malicious email was sent. They may have spent weeks or months studying the organization’s structure, billing systems and vendor relationships. By turning to social media, they may also have learned about the personal lives and relationships of employees, and analyzed their typical communication styles.
At the right moment—these emails are often sent while the CEO is away from the office—the criminals will make their request. Although the email is bogus, it may originate from the executive’s legitimate (but compromised) email account. Or it may be custom-crafted so as to appear highly realistic. These requests are designed to create a sense of great urgency, demanding that their recipients take immediate action. The target believes he’s sending money to a familiar vendor’s account, just as he’s done in the past. But the recipient’s account number is slightly different, and the funds transferred—which might be tens or hundreds of thousands of dollars—end up in the hands of criminals.
The scammers aren’t always seeking an immediate payout. Sometimes they’re trying to obtain employees’ pay stubs, tax statements or other personally identifiable information (PII) to perpetrate tax fraud or identity theft.
Protect Your Business by Teaching Vigilance
Like other types of socially engineered attacks, CEO fraud exploits universal human weaknesses: employees who are busy, stressed, tired or careless are less likely to notice warning signs in the email messages they receive. The good news is that merely increasing employee awareness has a protective effect. And implementing a mature and well-designed anti-phishing training program can reduce susceptibility across your entire organization by more than half.
To be truly effective, however, security awareness training has to be carried out frequently enough for its lessons to remain memorable: educating employees only during the onboarding process or in annual sessions isn’t enough to reduce their vulnerability. The most effective anti-phishing education programs provide ongoing, immersive training that is targeted, specific and increasingly challenging.
But no security awareness training program, however sophisticated and carefully implemented it may be, can completely protect against human error. That’s why it’s critical to establish policies and procedures for wire transfer authorization that include multiple forms of authentication. Your organization might, for instance, require that all payment transfer requests larger than a certain amount be confirmed face-to-face or by telephone. It’s also important to institute firm policies regarding access to and release of customer and employee PII, financial information and intellectual property.
Protect Your Business with Technical Controls
The majority of the most sophisticated and successful BEC attacks in 2018 took place together with a broader compromise of the targeted organization’s network. And the statistics are clear: as with the risk of a data breach in general, the risk of an executive’s email account being compromised increases the longer the attackers remain undetected on a network. Thus adopting an “assume breach” mentality—which means emphasizing ongoing network monitoring and working to reduce detection time—is the most effective strategy to combat this ongoing threat.
Implementing identity and access controls such as two- or multi-factor authentication for key applications is also a must. Improving authentication protocols is the single most effective step you can take to mitigate the risks associated with credential theft and compromise. Although multi-part authentication systems requiring the use of hardware tokens and verification from a second device are most secure, even a simple system that uses SMS-messaging to confirm credentials offers significant protection against BEC and phishing attacks.
The FBI recommends that simple rule-based systems for detecting fraudulent emails also be put into place. These rules can flag emails with suspicious extensions, such as those differing from the company’s extension by a single letter or character (i.e., my~company.com instead of my-company.com) or those that contain a reply-to address that doesn’t match the “sender” address displayed in the message header.
The Securli integrated platform now includes VeriPhi, an automated email protection system that relies on machine learning to identify malicious IP addresses and domains. VeriPhi draws upon threat intelligence from more than 78 external sources, including crowd-sourced intel feeds, as well as commercial, government and open sources. Its advanced machine learning based algorithms enhances this intelligence with real-world data gathered from your network, enabling it to become more accurate and efficient as it “learns” about the email traffic your business typically generates.
Contact us to learn more about how the Securli platform’s multilayered defenses can protect your organization from CEO fraud today.