Security awareness

How to prevent CEO fraud – 10 tips

August 10, 2018 by Beth Osborne

CEO fraud scams are on the rise. They aren't that different from other phishing emails, except that most recipients fall for them because they believe the message comes from the boss. The FBI labels these types of attacks as BEC (Business Email Compromise) incidents and has issued statements about them. The FBI issued public advisories on the BEC scams, identifying a loss of $215 million from October 2013 to December 2014. These crimes can wipe companies out of millions of dollars. Your organization first has to be aware of these crimes before it is in a position to prevent them.

Sophisticated Threat Actors

In CEO fraud, threat actors are using a more sophisticated social engineering strategy. The email appears to be from the CEO with instructions to wire funds. Except it's not, and the destination account is fraudulent. If the request seems routine and the receiver doesn't pay close attention, they'll send it through. Except it wasn't the boss, and the company was scammed out of money.


U.S. Companies Have Seen Huge Losses

While you may think cybersecurity protocols would be able to catch these, the truth is they cost businesses real money. Ubiquiti Networks, a technology firm, was such a victim, although the company didn't disclose details. Cybersecurity expert Brian Krebs uncovered that it was a BEC which left the company with a loss of nearly $47 million. Moreover, this isn't the only case. The Scoular Company lost over $17 million in a similar scam.

With a threat like this, prevention is key. Prevention comes from awareness and education. Learn more about CEO fraud prevention with these 10 prevention tips.

Educate financial executives on this phishing scam

These threat actors have done their homework. They know whom to target in the finance team: someone who may well receive real directives on wiring money. So, you'll need to review with these employees how easy it is to spoof the boss. First, they need to check that the message comes from the CEO's actual email address and not from a domain that's merely close. Next, they should ask whether they were actually expecting such a request. Finally, they should confirm the directive with the CEO by sending their own email or contacting him/her by phone. There has to be a well-designed process for validating these requests.

Always check the numbers

It's not always easy to spot these CEO fraud emails. These cyberhackers are much too clever to trip up on bad grammar. The email may look 100% legitimate. It could actually be coming from the CEO's own mailbox because hackers have infiltrated the system. Thus, the numbers have to be checked. Often, the account number is one digit off from an actual supplier account.

Implement training for all parties

This includes employees who never have to send funds. Training on all types of phishing scams and cyber threats should be a hallmark of any organization's security program. Reinforce this training regularly and send out updates when new types of scams are identified. If you keep employees aware, they become vigilant about emails asking for things that seem abnormal.

Require proper documentation and/or verbal approval for large transfers

If someone receives a wire transfer request for an amount that seems far beyond the norm, it's cause for concern. That's why it's essential to institute a policy that the correct documents must accompany all transfers above a certain amount. Above certain thresholds, you may want to require in-person approvals. This isn't meant to cause a bottleneck, so think about the workflow and how extra checks and balances can improve the process rather than derail it.

Associate each wire transfer with a purchase order

For almost any request for payment from a vendor, there should be a valid purchase order in the accounting system. If a request cannot be matched to a purchase order, then more investigation should occur.

Buy domain names that are variations of your organization's name

Look at variations that swap letters, but also ones where numbers replace letters. There may be a lot of different possibilities, and this shouldn't become excessively costly. Your IT team should be able to advise you on the most likely variants and whether those are currently for sale.

Add multi-factor authentication (MFA) to all key applications

This is especially true for any financial platforms. This means users have to confirm their identity before being able to commence a wire transfer. It's a good practice for any application used by the organization.

Protect endpoints with more than passwords

You need to engage MFA in this instance as well. Consider a variety of layers of security. This could be mobile fingerprints, one-time password tokens, digital certificates, and biometrics.

Layer on identity controls

For systems that hold highly sensitive, confidential, or proprietary data, establish privileged session monitoring. Session monitoring allows you to control, monitor, and record administrative access to systems. This type of monitoring can be as granular as keystrokes, and it is required for auditing and to meet regulations. Choose an integrated solution for this monitoring and use it as a tool to ensure that key systems, which could otherwise be used to mount a CEO fraud attack, aren't being infiltrated. Integrated means that it can scale no matter how large your group of administrators is.


Flag emails from extensions close to yours

One of the biggest ways CEO fraud is pulled off is the almost-correct domain. This could be an extra letter added, or maybe it's .co instead of .com. Your network staff should be able to set up a rule that flags any email entering the system from one of these variations. The parameters should be set to catch anything that's even slightly different. A good way to implement this is an algorithm that uses something like fuzzy matching.
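As an added illustration (not code from the original post), here is one way such a fuzzy rule can be implemented: it folds common digit-for-letter substitutions, computes the edit distance between the sender's domain and your own, and flags anything close but not identical. The organisation domain and the From: headers are constructed placeholders.

```python
import re

ORG_DOMAIN = "examplecorp.com"  # placeholder for your own domain

# Constructed sample From: headers, not taken from the original post
SAMPLE_FROM_HEADERS = [
    "CEO <ceo@examplecorp.com>",                # genuine
    "CEO <ceo@examplecorp.co>",                 # .co instead of .com
    "CEO <ceo@exarnplecorp.com>",               # 'rn' standing in for 'm'
    "CEO <ceo@examp1ecorp.com>",                # digit replacing a letter
    "CEO <ceo@examplecorps.com>",               # extra letter added
    "Vendor <billing@unrelated-supplier.net>",  # unrelated third party
]

# Digits that are commonly used to imitate letters in look-alike domains
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain: str) -> str:
    """Lower-case, fold digit/letter substitutions and treat 'rn' as 'm'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) via the standard DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Pull the domain out of a simple From: header such as 'Name <user@dom>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""

def classify(from_header: str, org_domain: str = ORG_DOMAIN, max_dist: int = 2) -> str:
    """Return 'genuine', 'lookalike' (flag it) or 'external' for one sender."""
    dom = sender_domain(from_header)
    if dom == org_domain:
        return "genuine"
    # Compare normalized forms so 'rn'/'m' and '1'/'l' tricks collapse to distance 0
    if levenshtein(normalize(dom), normalize(org_domain)) <= max_dist:
        return "lookalike"
    return "external"

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify(header):10s} {header}")
```

In a real mail gateway the same comparison should also be run against the domains of your major suppliers, since the post notes that payee details are often only one character off.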

CEO fraud isn't going away. As threat actors become smarter and use social engineering to spoof emails, employees in every organization have to be aware of the dangers. Shining a light on what could happen if security measures aren't heeded could be a very eye-opening experience.

Scam prevention, in the end, means coming at the problem from several perspectives. These 10 tips are a great place to start. While the technical preventive measures are important, perhaps the training and education part of the plan is the most important of all. Empower your employees to spot the scam, not be a victim of it.
