CEO Fraud is the catchy name for a fraud committed by a criminal who pretends to be the company CEO or another senior member of staff. The internet is awash with guides about CEO Fraud, but few concentrate on the part most businesses actually want: cutting it out altogether. I'd like to look at what these attacks have in common, simplify the attack, and move beyond the generic advice with some useful tips that help cut this attack out of your business once and for all.
What almost all CEO fraud has in common is that the attacker has researched the structure of the business and worked out who the best people are to impersonate, and who to target with the request. Almost all of it is carried out by criminals with experience in scams. Often highly skilled, the fraudsters lean heavily on technology such as convincing phishing emails and SMS sender-ID spoofing so that their correspondence blends into the normal traffic between your CEO and other members of staff. By far the most characteristic trait of CEO Fraud is the obscene amount of self-confidence and tenacity the attacker brings, and we feel this is why they are so effective.
Over the years we've seen scams stopped in their tracks because a finance officer noticed the boss was being polite, which was exceptional and out of character! Other criminals have been caught out when the business noticed that the new bank details "provided by a supplier" were for an account in a country the business had no dealings with. The lucky escapes are few and far between though!
Two minds are better than one! Sharing the responsibility for these decisions is the first step for a business. No one person should have the authority to transfer money to another entity, or to change a payee's bank details, on their own. Put deliberate barriers into the process so that a single person can never make the mistake alone: most business online banking platforms support dual authorisation (one person creates a payment, a second approves it), and it should be switched on for both payments and payee changes. If one person is able to make this mistake, it is rarely their mistake alone; it is a serious lack of oversight from the business. Only when two or more people have to make the same mistake independently is it a true mistake.
If your boss asks you to perform an action like transferring money or changing payee details, verification is vital! No one in charge is going to mind a quick phone call before a transfer. Make that call to a number you already have on file, never to a number quoted in the email or text that made the request, because the attacker controls those. We've dealt with the aftermath of CEO fraud and the company head honcho is always upset and annoyed that they were so close to stopping a scam; not one I've talked to would be annoyed at a staff member seeking some validation. It's your chance to be a hero!
Basic Social Engineering
CEO Fraud uses simple social engineering techniques to manipulate employees. This isn't just some fancy phishing! You'll often see SMS messages "from the boss" and missed calls used to make the situation more realistic, and it is usually timed for the end of the day so there is no time to think:
Missed call from the boss at 4:59pm: the caller ID was spoofed and the call came from the attacker, not the boss.
SMS message from the boss at 5:01pm: "Sorry was just ringing about that invoice, can you pay it before you go, I forgot". The sender ID was spoofed; the message came from the attacker, not your boss's phone.
Email from the boss at 5:03pm: "hey, invoice for you attached as per text message". Sent by the attacker with your boss's email address spoofed in the From field.
The above situation uses three different spoofing channels (caller ID, SMS sender ID and the email From address) on top of urgency and authority, but they are brought together in a very natural way. This is often the case when we look at CEO Fraud. Remember these attackers are skilled, and with that comes the natural flow that tricks people convincingly. Nothing in that sequence proves anything: a missed call is just a missed call, and the text and the email can both be faked. Treat the whole chain as a prompt to ring the boss back on a known number, not as confirmation.
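The one item in that timeline that can actually be examined is the email. As an added example (not code from the original post), the Python below inspects the headers of a raw message that claims to come from a known executive and reports the usual signs of spoofing: a Return-Path or Reply-To domain that does not match the From domain, failed SPF/DKIM/DMARC verdicts in an Authentication-Results header, and the boss's display name attached to an address that is not theirs. It assumes your own mail gateway writes the Authentication-Results header; the executive's address, the domains and the three sample messages are constructed for illustration.

```python
"""Header checks for a suspected spoofed 'boss' email (added example, not from the original post)."""
import re
import email
from email import policy
from email.utils import parseaddr, getaddresses

# Constructed: the real address of the person being impersonated.
KNOWN_EXECUTIVES = {"jane.smith@example.co.uk": "Jane Smith"}

# Constructed sample 1: From is spoofed to the boss's exact address, but the envelope
# sender and Reply-To belong to the attacker and the gateway's SPF/DMARC checks fail.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mail-attacker.example>
Authentication-Results: mx.example.co.uk; spf=fail smtp.mailfrom=mail-attacker.example; dkim=none; dmarc=fail header.from=example.co.uk
From: Jane Smith <jane.smith@example.co.uk>
Reply-To: Jane Smith <jane.smith@mail-attacker.example>
To: accounts@example.co.uk
Subject: invoice
Message-ID: <abc@mail-attacker.example>

hey, invoice for you attached as per text message
"""

# Constructed sample 2: a genuine message from the same executive.
GENUINE_MESSAGE = b"""\
Return-Path: <jane.smith@example.co.uk>
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=example.co.uk; dkim=pass header.d=example.co.uk; dmarc=pass header.from=example.co.uk
From: Jane Smith <jane.smith@example.co.uk>
To: accounts@example.co.uk
Subject: invoice
Message-ID: <def@example.co.uk>

Please pay the attached invoice.
"""

# Constructed sample 3: a lookalike domain the attacker registered themselves. SPF, DKIM
# and DMARC all pass because the attacker controls that domain; only the name/address
# mismatch gives it away, which is why "authentication passed" is not "genuine".
LOOKALIKE_MESSAGE = b"""\
Return-Path: <bounce@example-co.uk>
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=example-co.uk; dkim=pass header.d=example-co.uk; dmarc=pass header.from=example-co.uk
From: Jane Smith <jane.smith@example-co.uk>
To: accounts@example.co.uk
Subject: invoice
Message-ID: <ghi@example-co.uk>

Can you pay the attached before you go?
"""

FAILING_VERDICTS = ("fail", "softfail", "permerror", "temperror")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw: bytes) -> list[str]:
    """Return human-readable reasons the message looks spoofed (empty list if none found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_dom = _domain(from_addr)

    # 1. Display-name impersonation: the boss's name on an address we do not know.
    for known_addr, known_name in KNOWN_EXECUTIVES.items():
        if from_name.strip().lower() == known_name.lower() and from_addr != known_addr:
            findings.append(f"display name '{from_name}' used with unexpected address {from_addr}")

    # 2. Envelope sender (Return-Path) in a different domain from the From header.
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if rp_addr and _domain(rp_addr) != from_dom:
        findings.append(f"Return-Path domain {_domain(rp_addr)} differs from From domain {from_dom}")

    # 3. Reply-To steering replies to another domain (the attacker wants the conversation).
    for _, rt_addr in getaddresses(msg.get_all("Reply-To", [])):
        if rt_addr and _domain(rt_addr) != from_dom:
            findings.append(f"Reply-To domain {_domain(rt_addr)} differs from From domain {from_dom}")

    # 4. Your own gateway's authentication verdicts (assumed to be stamped by mx.example.co.uk).
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() in FAILING_VERDICTS:
            findings.append(f"{mech} result is {m.group(1)}")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE), ("lookalike", LOOKALIKE_MESSAGE)):
        reasons = spoof_indicators(raw)
        print(label, "->", "HOLD and phone the boss on a known number" if reasons else "no header anomalies")
        for reason in reasons:
            print("   ", reason)
```

Even a clean result from this check is only a reason not to panic, not a reason to pay: the lookalike sample passes every authentication check because the attacker owns the domain, and the script's "no header anomalies" verdict on the genuine message still says nothing about whether the invoice itself is real. The phone call to a known number remains the control.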
Don’t Keep Quiet
If you get that sinking feeling, before or after you are targeted by a scam, always speak up! There is a small window of time in which a report to the right people (your finance lead, whoever looks after IT or security, and, if money has already moved, your bank) could stop an attack in its tracks. No reputable company will seek to discipline an employee in this situation! If you do pick up a name for yourself as "that person" who always annoyingly validates everything, it's more likely you'll see a promotion than be dumped at the job centre with your P45.
It Will Happen To You!
We are a relatively small business and we still receive rather sophisticated attempts to get us to transfer money. I'd hazard a guess that any business in the U.K. is in the sights of malicious social engineers. As humans we learn to live with risk; we even try hard to pretend it doesn't affect us. That means less worry and less to fear, and it makes us happier! But no happiness will come from complacency in this area. It's better to plan for the worst!