CEO Fraud is a scam in which a cybercriminal posing as the head of a company tricks an employee into transferring funds by sending bogus emails.
CEO Fraud, also known as BEC (Business Email Compromise), is very easy to commit. The fake email requires no malicious code or links; it is the social engineering that makes it work. It is one of the fastest-growing social engineering schemes used by cybercriminals.
The U.S. FBI has warned about a rapid increase in this type of fraud. CEO Fraud is harder to detect than a simple phishing scam, because the emails contain no malware and therefore pass antivirus scans.
How does it work?
The execution of CEO Fraud takes place in the following manner:
First, the criminals impersonate the CEO of a company by gaining access to that person's inbox through phishing or other social engineering techniques.
Then the criminals send a fake email to a finance department employee asking them to wire funds immediately to a particular bank account, usually located outside the country. The tone of these emails is usually urgent.
Because these emails contain no malicious links or attachments, they easily reach employees' inboxes.
Unlike conventional phishing scams, the spoofed emails used in CEO Fraud are targeted and are not mass-mailed. The criminals also take the time to understand the activities and interests of the target organization.
Detecting that the email is fraudulent is not easy for employees. They believe they have received a legitimate email from their CEO and that they are required to transfer a large amount of money.
Once the funds arrive in the criminals' account, they quickly convert the money into untraceable forms using money laundering.
When the business discovers the fraud, the employee who transferred the money may face suspension from the job. All losses are reported internally, and many companies are required to disclose their losses publicly. These revelations damage the reputation of the company.
How Much Have Companies Lost?
According to the FBI, these scams have cost organizations more than $2.3 billion over the past three years. The FBI also said that since January 2015 it has seen a 270 percent increase in CEO Fraud, and that it has received complaints from every U.S. state.
Xoom – In January 2015, Xoom Corporation, a U.S.-based international money transfer company, suffered a $30.8 million loss in the fourth quarter of 2015.
Scoular – Scoular Corporation, an Omaha-based commodities trading company, lost $17.2 million in a spear phishing scam.
Ubiquiti Networks – Ubiquiti Networks, a San Jose-based networking technology company, lost $46.7 million by wiring this sum to a Hong Kong bank account controlled by attackers.
As a business, take the following measures to prevent CEO Fraud:
Incorporate security measures to prevent outsiders from discovering information about employee activities on your website or social media.
Use periodic tests to identify dishonest employees, and place additional security controls on employees who handle payments.
The best defence against these attacks is suspicion. Whenever you receive an email asking you to transfer a large amount of money, call your boss to confirm whether it is genuine.
Tighten up processes for transferring money. Establish other communication channels, such as phone calls, for verifying significant transactions, and do not rely solely on electronic communication for these types of financial transactions.
Check who owns domains that look similar to your website or email domain.
Verify whether the request is genuine by calling the person back using contact information already known to you, not the contact information given in the email.
Be wary of any unusual money transfer request (such as a request to transfer a large amount to an unknown or foreign account).
Educate employees about these preventive measures so that they are less likely to fall for these scams.
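A small mail-screening check that flags the warning signs listed above: an executive's display name arriving from an address outside the company domain, a look-alike sender domain, a Reply-To that points somewhere else, and urgent wire-transfer language. This is an added example, not code from the original article; the company domain, executive names and sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Constructed values: the organization's real domain and the executives who are likely to be impersonated.
TRUSTED_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe", "john smith"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|confidential|wire transfer|wire funds)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (one swapped or inserted character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header):
    """Extract the lower-cased domain part of an address header such as 'Name <user@host>'."""
    addr = parseaddr(header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess(msg):
    """Return the list of BEC warning signs found in one message (an empty list means nothing suspicious)."""
    reasons = []
    name = parseaddr(msg["from"])[0].strip().lower()
    from_dom = domain_of(msg["from"])
    reply_dom = domain_of(msg.get("reply-to", ""))
    if name in EXECUTIVES and from_dom not in TRUSTED_DOMAINS:
        reasons.append(f"executive display name '{name}' sent from untrusted domain {from_dom}")
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        if any(edit_distance(from_dom, d) <= 2 for d in TRUSTED_DOMAINS):
            reasons.append(f"look-alike domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    if URGENCY.search(msg.get("subject", "") + " " + msg.get("body", "")):
        reasons.append("urgent wire-transfer language")
    return reasons

# Constructed sample messages: one legitimate internal mail, one impersonation attempt.
SAMPLES = [
    {"from": "Jane Doe <jane.doe@example-corp.com>", "subject": "Q3 board slides",
     "body": "Draft attached for review next week."},
    {"from": "Jane Doe <jane.doe@examp1e-corp.com>", "reply-to": "ceo.office@webmail-example.net",
     "subject": "Urgent wire transfer", "body": "Please wire funds immediately to the vendor account below. Keep this confidential."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", assess(m) or ["no warning signs"])
```

A hit on any of these signs is a reason to pause and verify by phone, as the list above recommends; it is not proof of fraud on its own.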