The number of “Business Email Compromise” (BEC) incidents, also known as “CEO fraud” scams, is on the rise. The scam is simple: cyber thieves use sophisticated social engineering tactics to trick business professionals or executives into wiring funds to fraudulent overseas accounts.
And the impact of CEO fraud is significant. Technology company Ubiquiti Networks, for example, was swindled out of almost $47 million. Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, it has compiled statistics on 7,000+ U.S. companies that have been victimized—with total dollar losses exceeding $740 million. And that doesn’t include victims outside the U.S., or corporate losses that went unreported.
CEO fraud has proven surprisingly successful, and as a result, the number of attacks is growing. According to IC3, there has been a 270% increase in identified BEC victims since 2015, and victimized organizations reside in all 50 U.S. states and nearly 80 countries abroad. In fact, even Centrify was a target of a CEO fraud scam.
Beware the Signs of CEO Fraud
CEO fraud typically begins with scammers either phishing an executive and gaining access to his mailbox, or emailing employees from a domain name that’s very similar to the target’s domain name (but off by one or two characters). The thieves have usually taken the time to understand the target organization’s management structure; in this way finance execs can be duped into creating financial transfers without going through proper authentication processes.
For example, a controller or accounting manager is notified by email that the CEO wants a money transfer for what appears to be valid business reasons. They follow directions, thinking the CEO has initiated the request—and not realizing that they are sending money to cyber thieves.
Another technique is to pose as the CEO and describe the need for the CFO (or someone else in accounting) to act as part of a “secret project” can’t be discussed with anyone else at the company. These phony emails typically also stress the urgency of completing the wire transfer as quickly as possible.
Scamming methods are also becoming increasingly sophisticated. These type of thieves know how to pull off the crime without raising suspicions, according to FBI agents. They use language specific to the targeted company, along with dollar amounts that don’t raise eyebrows. As FBI Special Agent Maxwell Market says in an online article, “The days of these e-mails having horrible grammar and being easily identified are largely behind us.”
To make matters worse, the criminals often employ malware to infiltrate company networks. This gives them access to legitimate e-mail threads about billing and invoices, making the transfer request appear more credible.
Instead of making a payment to a trusted supplier, the scammers direct payment to their own accounts. Sometimes they succeed at this by switching a trusted bank account number by a single digit. Cyber criminals, who have the resources to research and target hundreds of companies, work on the law of averages. After all, a 1% response on millions of phishing emails qualifies as success.
Protect Against the Risks by Implementing Best Practices
Preventing CEO fraud means taking preventative measures. What follows are a series of best practices for protecting your organization.
- Educate executives and your finance team about CEO fraud, and implement training programs around privacy and security. Employees must be vigilant about responding to requests for money transfers or confidential information.
- Require proper documentation and approvals for all wire transfers. Develop a manageable process that ensures that all approvals are met before wire transfers are initiated.
- For large wire transfers, request verbal approval or confirmation.
- Ensure that all wire transfers are associated with an actual purchase order in your accounting system. This helps validate all transfers.
- Add multi-factor authentication (MFA) to all key apps—especially your financial applications—so users must confirm their identity when initiating a wire transfer.
- Protect endpoints with mobile fingerprints, mobile push notifications, Smart Cards, one-time password (OTP) tokens, digital certificates, biometrics, and more. With so many credentials at risk, password-based security is no longer effective. MFA, which requires multiple methods for identification, is one of the best ways to prevent CEO fraud.
- Layer on other identity controls such as privileged session monitoring for systems containing sensitive or confidential information. This allows you to proactively identify insider threats and simplify forensic investigations to prevent future threats, and it helps protect the organization in the case of compromised employee credentials.
- Purchase domain names (ask your marketing department or IT group) that are variations of your organization’s name. For example, if you have a lower case “i” in your name, buy the domain where a lower case “i” is swapped for the upper case “I.” Or, if you have an “E” in your domain name, buy the domain that has a “3” for an “E.”
- The FBI recommends that security teams create system rules that flag e-mails with extensions that are similar to the company’s. For example, while an e-mail from abc_company.com can be legitimate, the system would flag a similar looking, fraudulent e-mail from abc-company.com.
- Advise administrative staff not to reveal the CEO’s location at any time, since this information could be used to trigger a fraudulent scam.
CEO fraud is a rapidly growing problem that impacts companies of all sizes, in all regions of the world. Scammers have been particularly successful in companies with rigid management cultures that also lack sufficient checks and balances within the accounting department. Implementing a best practices approach can help protect your organization from becoming the next headline relating to CEO fraud.
For more information, read more about Centrify’s first-hand encounter with CEO fraud. You can also download this CEO Fraud Prevention Solutions Brief as a primer for preventing CEO fraud.