CEO fraud is a scam in which criminals spoof company email accounts and impersonate executives to fool an employee in accounting or HR into executing unauthorized wire transfers or sending out confidential banking information.
Example CEO fraud email. Image: Phishme
CEO fraud usually begins with the criminals emailing employees from a look-alike domain name that differs by only one or two characters from the target company’s actual registered domain. Many users overlook this red flag, but with a little training in social engineering techniques they can learn to spot the attempt.
For example, if the target company’s domain is “vistaprint.com”, the thieves might register “v1stapr1nt.com” (substituting the digit 1 for the letter “i”). This is easy to miss, especially on a smartphone, where the mail client often shows only the sender’s display name and hides the actual address.
According to figures released by the FBI’s Internet Crime Complaint Center (IC3) in 2016, CEO fraud rose a staggering 270% from 2015 to 2016, with losses estimated at $2.3 billion. 11% of US companies acknowledge having been attacked.
How does a criminal decide whom to target in your organization? If your company website publishes biographies of your team, it is easy to work out who can authorize a wire transfer. Some firms even publish those individuals’ email addresses directly on the website instead of using a “Contact Me” form such as the one from Gravity Forms. We have seen cases recently where criminals spoof the email address of the President and direct the CFO to wire funds.
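The two sender tricks described above, a look-alike domain and an outright spoof of the company’s real domain, can be checked mechanically at the mail gateway or in a triage script before a human ever reads the message. The following Python block is an added example written for this page; it is not code from the original article or from any vendor mentioned here. It assumes a hypothetical protected domain (vistaprint.com, reused from the example above), a hypothetical list of executive names worth impersonating, and that the receiving mail server stamps an RFC 8601 Authentication-Results header; the three sample messages are constructed, not real traffic.

```python
"""Flag look-alike and spoofed sender domains in CEO-fraud style email.

Added example for this page (not the article's or any vendor's code).
Assumptions, all hypothetical: COMPANY_DOMAIN, EXECUTIVE_NAMES, the
sample messages, and an upstream MTA that adds Authentication-Results.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from textwrap import dedent

COMPANY_DOMAIN = "vistaprint.com"   # assumed protected domain
EXECUTIVE_NAMES = {"jane doe"}      # assumed names attackers would impersonate

# Substitutions attackers use to build look-alike domains; multi-character
# pairs go first so "rn" is folded to "m" before "l" is folded to "i".
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "i", "l": "i", "0": "o",
              "3": "e", "5": "s", "7": "t", "8": "b"}

# Verdicts in an RFC 8601 Authentication-Results header that mean
# the sender did not prove control of the From domain.
AUTH_FAIL = re.compile(
    r"\b(spf|dkim|dmarc)=(fail|softfail|none|permerror|temperror)\b", re.I)


def normalize(domain: str) -> str:
    """Fold homoglyphs so 'v1stapr1nt.com' compares equal to 'vistaprint.com'."""
    s = domain.lower()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; empty string if none."""
    return addr.rpartition("@")[2].lower()


def classify(raw_message: str) -> list:
    """Return a list of findings for one RFC 5322 message; empty means clean."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []

    if from_dom == COMPANY_DOMAIN:
        # An exact spoof of the real domain looks perfect in the From header;
        # only the receiving MTA's SPF/DKIM/DMARC verdict can expose it.
        failed = AUTH_FAIL.findall(msg.get("Authentication-Results", ""))
        if failed:
            findings.append("From is our domain but authentication failed: "
                            + ", ".join(f"{m}={r}" for m, r in failed))
    else:
        norm_from, norm_ours = normalize(from_dom), normalize(COMPANY_DOMAIN)
        if norm_from == norm_ours:
            findings.append(f"homoglyph look-alike domain: {from_dom}")
        elif levenshtein(norm_from, norm_ours) <= 2:
            findings.append(f"look-alike domain within 2 edits: {from_dom}")
        elif COMPANY_DOMAIN in from_dom:
            findings.append(f"our domain embedded in a foreign domain: {from_dom}")
        if any(name in display_name.lower() for name in EXECUTIVE_NAMES):
            findings.append(f"executive display name '{display_name}' "
                            f"from outside domain {from_dom}")

    # A Reply-To pointing elsewhere redirects the victim's answer to the attacker.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} "
                        f"differs from From domain {from_dom}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "look-alike": dedent("""\
        From: Jane Doe <jane.doe@v1stapr1nt.com>
        To: cfo@vistaprint.com
        Subject: Urgent wire transfer

        Please wire the attached invoice today and keep this confidential.
        """),
    "spoofed": dedent("""\
        Authentication-Results: mx.vistaprint.com; spf=fail smtp.mailfrom=vistaprint.com; dkim=none; dmarc=fail header.from=vistaprint.com
        From: Jane Doe <jane.doe@vistaprint.com>
        Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
        To: cfo@vistaprint.com
        Subject: Re: payment

        Are you at your desk? I need a transfer processed before noon.
        """),
    "legitimate": dedent("""\
        Authentication-Results: mx.vistaprint.com; spf=pass smtp.mailfrom=vistaprint.com; dkim=pass header.d=vistaprint.com; dmarc=pass header.from=vistaprint.com
        From: Jane Doe <jane.doe@vistaprint.com>
        To: cfo@vistaprint.com
        Subject: Board deck

        Draft attached for Thursday.
        """),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {classify(raw) or 'no findings'}")
```

The edit-distance threshold of 2 suits domains of realistic length; for very short domains it will flag unrelated neighbours, so keep an allowlist of partner and subsidiary domains and tune the threshold per organization. Note that the exact-spoof check only works if your own domain publishes SPF, DKIM and a DMARC policy and your gateway records the verdict, which is the single most effective technical control against the spoofed-President case described above.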
Prevent CEO Fraud through User Education
CEO fraud attacks succeed because they rely almost entirely on tricking employees into ignoring or sidestepping basic security precautions. Educating employees so that they are less likely to fall for these scams won’t block every social engineering attack, but it helps. Remember, attackers are constantly testing your users’ security awareness; organizations should do the same, using periodic simulated phishing tests to identify at-risk users and to place additional security controls on those individuals.
No matter how good your prevention steps are, some attacks will get through. User education plays a big part in minimizing the damage, so start here:
- Train users on the basics of cyber and email security
- Train users on how to identify and deal with phishing attacks with new-school security awareness training
- Implement a reporting system for suspected phishing emails such as the Phish Alert Button from KnowBe4
- Continue security training regularly to keep it top of mind
- Frequently phish your users to keep awareness up
The best training programs baseline click rates on phishing emails and harness user education to bring that number down. Don’t expect a 0% click rate though. Good employee education can reduce phishing success significantly, but there is always someone who doesn’t pay attention, is in a hurry that day, or is simply outsmarted by a very clever cybercriminal.