Picture this. You log into your work emails and see an urgent email from your CEO. In the email, they claim to be in meetings all day and that they need you to urgently settle a time-sensitive invoice otherwise a deal will be lost. What do you do?
Well, hopefully your answer is ‘nothing until further investigation’. This situation has all the markers of the latest cybercriminal trend – CEO Fraud. To prevent this kind of situation happening in your workplace, let’s shed some light on what CEO Fraud is and what you can do to prevent it from doing any damage to your organisation.
What is CEO Fraud?
CEO Fraud is a scam where a criminal pretends to be a senior manager – often the CEO – in order to persuade an unsuspecting employee to do something for them. This is usually to make a payment or send over sensitive information. In law enforcement circles, this scam is known as Business Email Compromise (BEC) and is a growing problem across the world. In the UK alone, there were 603 cases of CEO Fraud in 2018 which led to losses of nearly £15m for the businesses targeted.
How does CEO Fraud work?
CEO Fraud is first and foremost an email scam, but it often relies on something a lot less technical to work – human nature. It works on the idea that many employees would be happy to help fix an important problem, especially if they’d been approached personally by senior management and there is no time to waste. Fraudsters exploit this for their gain, and the scam can take a couple of different forms.
Phishing emails
A phishing email is sent with the intention to ‘fish’ out sensitive information. A phishing email scam works on the idea of strength in numbers – it sends out legitimate-looking emails to as many users as possible, hoping that the scam will reach and work on at least some of them.
Spear phishing emails
Spear phishing is a little different. Here, the scammer has done their homework and may have extracted personal information to con a smaller number of users. They might know your name and address you specifically, and will often sign off the email using the name and personal information of your CEO. These scam emails are much easier to fall for as you may not question the validity of the email as much if they contain all that personal information.
Other common CEO Fraud attack scenarios
Fortunately, fraudsters are somewhat predictable when it comes to their CEO scamming methods. To stay vigilant to CEO Fraud, be especially critical if you receive an email at work regarding any of the following situations.
A request for funds to be sent to an alternative foreign account
This scenario typically exploits a long-standing relationship with a foreign supplier. Posing as the supplier or as a manager, the scammer asks for funds to be sent to a different account than usual, relying on the familiarity of the relationship to stop anyone questioning the change.
A fake invoice requesting funds be sent to different accounts
In this kind of scam, scammers take over a legitimate company email address and use it to send fake invoices to that company’s customers, requesting that payment be sent to alternative accounts. Because the email really does come from the supplier’s mailbox, checking the sender address alone will not reveal the fraud.
An email from a lawyer or attorney you’ve never dealt with before
In this scam, fraudsters pretend to be lawyers dealing with time-sensitive and confidential matters. They’ll often request that you don’t tell anyone else what they’ve asked you to do.
A request for personally-identifying information be sent over
In this case, scammers will often request tax or wage information under the guise that it is needed urgently by a senior manager in HR, for example.
Preventing CEO Fraud
At a company-wide level, there are steps that can be taken to prevent CEO Fraud. Companies should be cautious of how much information is revealed about them on their website and social media and even consider removing information about suppliers and partners on the website. Staff training and regular audits of accounts are also recommended.
How can you spot and stop CEO Fraud?
There are plenty of things you can do at an individual level to keep yourself safe from CEO Fraud. To get you started, why not try employing these checks immediately.
- Don’t assume someone knowing personal information equals legitimate. Many scammers will do enough research on you and the company to know personal information about you, especially if you have a presence on social media.
- Always check the sender’s email address, not just the display name. It’s rare that a scammer will be able to take over your CEO’s actual email address. Instead, it’s likely they’ll have registered their own address that may include your CEO’s name in it, or a domain that looks like your company’s. Watch out for emails sent from free email providers such as Gmail or Hotmail claiming to be CEOs, and for a Reply-To address that differs from the From address. Bear in mind that a spoofed or compromised mailbox will pass this check, so it is a first filter rather than proof that an email is genuine.
- Get a second opinion. Always independently verify new or amended payment requests. This includes requests from senior management – if you aren’t sure an email is legitimate or not, don’t be afraid to pick up the phone and double check.
- Always take time to investigate. Don’t be pressured by urgent requests. Making all these checks every time, even if the email appears to be legitimate, is the easiest way for you to not play any part in CEO Fraud happening in your organisation.
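The sender-address checks above can be automated as a first filter on incoming mail. The following is an added example written for this article, not code from the original page or from EC-MSP; the company domain `example.com`, the executive names, the list of free mail providers and the sample messages are all constructed for illustration. It flags an executive’s name paired with an address outside the company domain, free webmail senders, lookalike domains and a mismatched Reply-To header.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Hypothetical values for this example: the organisation's own domain and the
# executives most likely to be impersonated (lower-case "first last" -> role).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "CEO", "john smith": "CFO"}
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains that are one or two
    character edits away from the company's own domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message: str) -> List[str]:
    """Return a list of warnings about the From/Reply-To headers of raw_message.

    An empty list means none of the checks fired; it does NOT mean the mail is
    genuine, because a spoofed or compromised mailbox passes every check here.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    warnings = []

    # 1. Display name claims to be an executive, but the address is external.
    name_key = " ".join(display_name.lower().split())
    if name_key in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        warnings.append(
            f"display name '{display_name}' ({EXECUTIVES[name_key]}) "
            f"but address is @{from_domain}"
        )

    # 2. Sent from a free webmail provider.
    if from_domain in FREE_MAIL_DOMAINS:
        warnings.append(f"sent from free mail provider {from_domain}")

    # 3. Lookalike domain: close to, but not equal to, the company domain.
    if from_domain != COMPANY_DOMAIN and _edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        warnings.append(f"lookalike domain {from_domain} resembles {COMPANY_DOMAIN}")

    # 4. Replies would go somewhere other than the apparent sender.
    if reply_to and reply_to.lower() != from_addr.lower():
        warnings.append(f"Reply-To {reply_to} differs from From {from_addr}")

    return warnings


# Constructed sample messages (headers only are needed for these checks).
SAMPLE_FREEMAIL = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example.com
Subject: Urgent invoice

Please settle the attached invoice today, I am in meetings all day.
"""

SAMPLE_LOOKALIKE = """From: Jane Doe <jane.doe@exarnple.com>
To: accounts@example.com
Subject: Urgent invoice

"""

SAMPLE_REPLYTO = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example.com
Subject: Confidential

"""

SAMPLE_GENUINE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch on Friday

"""

if __name__ == "__main__":
    for label, sample in [("free mail", SAMPLE_FREEMAIL), ("lookalike", SAMPLE_LOOKALIKE),
                          ("reply-to", SAMPLE_REPLYTO), ("genuine", SAMPLE_GENUINE)]:
        print(label, "->", check_sender(sample) or "no warnings")
```

The lookalike check uses a plain edit distance, so `exarnple.com` (rn in place of m) is caught, while an unrelated domain is not; tune the threshold to the length of your own domain. The genuine sample produces no warnings, which is exactly why this filter complements, rather than replaces, picking up the phone to verify a payment request.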
While there’s a lot companies can and should do to address CEO Fraud at a higher level, we can all do our part to be more aware of it and stay vigilant.
About EC-MSP, your IT support partner
EC-MSP are one of the most trusted IT support providers in London. If you would like more help, advice and support with technology for your business, contact us today to see how we can help.