How To Protect Our CEOs From Cybercriminals

CEO Fraud is a scam where cybercriminals spoof company email accounts and impersonate executives to try and fool employees into executing unauthorized wire transfers or sending them confidential tax information. It takes aim at personally identifiable information, rather than merely tricking accounting staff into scheduling fraudulent wire transfers.

CEO Fraud is a form of Business Email Compromise (BEC) where a cybercriminal impersonates a high-level executive (often the CEO). Once they convince the recipient of the email (employee, customer or vendor) that they are legitimate, they then attempt to get them to transfer funds or confidential information.

Is CEO Fraud A Serious Threat?

In early 2016, the FBI began warning businesses about a substantial increase in what they call “CEO Fraud”, a cybercrime method in which the criminal impersonates a C-level executive over email to trick the recipient into divulging crucial information or processing a massive e-transfer of company money.

Key examples include:

  • In 2015, toy industry giant Mattel lost $3 million in a CEO fraud scheme
  • The same year, tech industry member Ubiquiti gave away $46.7 million to a scammer posing as a C-level executive over email
  • The Scoular Co., an 800+ employee company, lost $17.2 million when an executive wired the money to a bank in China

How Does CEO Fraud Work?

  • Phishing & Spear Phishing: Phishing is a hacking technique that “fishes” for victims by sending them deceptive emails. Spear phishing is the much more focused form of phishing, wherein the target is one of high value. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.
  • Online Research & Identity Theft: LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.

Who Are The Other Targets For CEO Fraud?

Don’t let the name fool you, the CEO isn’t always the one a cybercriminal may target. In fact, there are a number of key, high-value targets that make it worth the cybercriminal’s time to go after.

Whether it’s their authority or their access to confidential information, these groups are all at risk for BEC:

  • Financial Staff Members: While the finance department is especially vulnerable in organizations that regularly engage in large wire transfers, smaller businesses’ payroll data is also of high value to cybercriminals.
  • Human Resources: Similar to finance, HR is a key target for the data they store on employees, including SSN, birthdates, medical data and more, all of which are of high value to cybercriminals.
  • C-Level Executives: You don’t have to be the CEO to be a high-level target. CFOs have access to financial data, CTOs have access to login info, and everyone at this level has the authority to execute wire transfers and make large purchases.
  • IT Management: The IT manager and IT personnel with authority over access controls, password management, and email accounts are also high-value targets.

How Can You Stop CEO Fraud?

1. Know Your Targets
By noting the above listed key targets, you can examine the role they play in cybersecurity, and how their access and authority is being protected:

  • Review social/public profiles for job duties/descriptions, hierarchal information, out of office detail, or any other sensitive corporate data.
  • Identify any publicly available email addresses and lists of connections.

2. Defend Your Organization
Implementing the right range of cybersecurity solutions can help to protect common points of penetration for cybercriminals:

  • Email filtering
  • Two-factor authentication
  • Automated password and user ID policy enforcement
  • Comprehensive access and password management
  • Whitelist or blacklist external traffic
  • Patch/update all IT and security systems
  • Manage access and permission levels for all employees.
  • Review existing technical controls and take action to plug any gaps.

3. Implement A Robust Security Policy
You need to dictate how members of the organization, top to bottom, contribute to your cybersecurity. Everyone with access to your IT environment should follow these best practices:

  • Don’t open attachments or click on links from an unknown source.
  • Don’t use USB drives on office computers.
  • Follow a Password Management Policy (no reusing passwords, no Post-it Notes on screens as password reminders, etc.).
  • Participate in mandatory security training.
  • Learn to recognize phishing emails.

4. Plan Ahead To Mitigate Cyber-Risk
You need to develop a comprehensive cyber-incident response plan for your organization. Make sure to test it regularly, and update it to address any shortfalls. Make sure to implement your plan properly – it won’t work if your staff doesn’t know about it, and can’t participate in it:

  • Executive leadership must be well informed about the current level of risk and its potential business impact.
  • Management must know the volume of cyber incidents detected each week and of what type.
  • Understand what information you need to protect. Identify the corporate “crown jewels,” how to protect them and who has access.
  • A policy should be established as to thresholds and types of incidents that require reporting to management.
  • Best practices and industry standards should be gathered up and used to review the existing cybersecurity program.
  • Consider obtaining comprehensive cybersecurity insurance that covers various types of data breaches.

5. Test Against Phishing
Share these tips with your employees to ensure they know how to spot a phishing attempt:

  • Generic content: Cybercriminals will send a large batch of emails. Look for examples like “Dear valued customer.”
  • “From” Email Address: The first part of the email address may be legitimate, but the last part might be off by a letter or may include a number in the usual domain.
  • Urgency: “You’ve won! Click here to redeem a prize,” or “We have your browser history pay now or we are telling your boss.”
  • Check Links: Mouse over the link and see if the link’s destination matches where the email implies you will be taken.
  • Misspellings, Incorrect Grammar, & Odd Phrasing: This might be a deliberate attempt to try and bypass spam filters.
  • Don’t Click Attachments: Virus containing attachments might have an intriguing message encouraging you to open them such as “Here is the Schedule I promised.”

The bottom line is that everyone in your organization, top to bottom, it a potential target. Some, like your CEO, are simply higher value. Make sure everyone is following cybersecurity best practices and is protected.

Like this article? Check out the following blogs to learn more:

Consider Dolphin Imaging For Your Dental Practice In Northern Virginia

Part 1: Think It’s Painful To Switch IT Companies? Questions and Answers

Are You Missing a Valuable Resource for Stellar Patient Experiences?