CEO fraud falls under the umbrella of phishing, but instead of an attacker spoofing a popular website, they spoof the CEO (or another high-level executive) for the targeted corporation. Some CEO fraud includes social engineering, but most attacks are a collection of attacks rather than just a single phishing method. The goal in CEO fraud is to convince an employee to send an attacker money or confidential information such as intellectual property or credentials.
CEO Fraud Statistics
The phishing industry alone is worth billions, and CEO fraud is also a scam with large payouts. The FBI estimates that the Business Email Compromise (BEC) scam is worth $26 billion and continues to grow in popularity. Between 2018 to 2019, the FBI also indicates that there was a 100% increase in BEC scams, including CEO fraud.
Targeted business can be small, medium, or large, but the two top countries used for fraudulent bank transfers are China and Hong Kong. CEO fraud targets businesses in several countries, but the FBI reports targets across 177 countries including the US and UK and banks used in these scams span approximately 140 countries.
Top Attack Methods
Spoofing email addresses and phishing are the two main attack methods in CEO fraud, but social engineering is often incorporated for larger payouts. Reconnaissance using corporate web pages and LinkedIn provides attackers with loads of information about the organisation, employees, executive names and email addresses, and invoicing systems. Usually, the phishing emails target employees in specific departments such as HR or accounts payable.
For example, an attacker will register a domain name with a slight misspelling from the official corporate domain. The attacker then sends an email using the CEO’s name to an accounts payable employee to convince the targeted user to send money to the attacker-controlled bank account. To increase the level of urgency, the attacker might use social engineering to call the targeted employee and pretend to be a representative of the organisation, such as an accountant.
How CEO Fraud Impacts Businesses
A sophisticated attack could cost organisations millions in financial loss. Several organisations have lost millions to CEO fraud and executive whaling. An organisation could lose money from several attacks asking for small payouts, but it’s more common for attackers to trick employees into sending six or seven figure financial transfers.
Financial loss isn’t the only impact. Some attackers targeting HR departments convince employees to send personally identifiable information (PII) to a third party, later used in bank fraud or identity theft. Most compliance regulations require organisations to alert customers after a data breach, so CEO fraud could lead to brand reputation damage and litigation costs. Employees who fall for CEO fraud risk losing their jobs, especially if the targeted victim was another executive.
Common Attack Scenarios
CEO fraud is considered a sophisticated attack, so the first step is to find an organisation. An attacker reads a targeted organisation's site looking for charts and corporate employee structure including names of executives and associated employees. The reconnaissance phase can last several days until the attacker collects enough information to carry out the next steps.
When a target is determined, the next step is to register a domain that looks similar to the target’s official domain name spelling. Once the domain is registered, the attacker creates an email address with the CEO’s name or a high-level executive. An email is sent to the targeted user to initiate contact and instructs the user to send money.
Most employees in HR and finance departments are trained to identify phishing emails, but attackers use convincing methods to convey a sense of urgency from a high-level executive. An employee might notice the misspelled domain name or become a victim and wire transfer money or respond with sensitive information.
CEO Fraud Targets
Attackers have two primary targets for CEO fraud: high-level executives with access to sensitive information, or employees with the authorisation to perform wire transfers. A CFO, CEO, COO, or other high-level executive is typically the target, but any executive with operational authority should be aware of the many ways attackers use phishing and social engineering.
In cybersecurity, targeting an employee close to the intended victim is more effective. Attackers know that high-level executives train to detect threats such as phishing, so they target an employee that can be more easily socially engineered. The employee might have sufficient privileges to wire transfer money, or an attacker can steal the employee’s credentials to then perform privilege escalation on the environment.
How to Recognise Attacks
The biggest trick with any phishing attack is to force a sense of urgency. If a target is given too much time to think about what is happening, the target might know it’s a scam. The attacker will use a spoofed email address or create a legitimate email that looks similar to the official one. With the sense of urgency, the targeted user might miss the many red flags.
No other component works as well as leveraging the targeted user’s fear, which works well when the user thinks it’s the CEO demanding money. The email might not be long or well written, but the sense of urgency causes targeted victims to overlook these issues. They always involve scamming the victim out of money or sensitive information.
How to Report CEO Fraud
If the organisation has an on-staff security team, the first step is to report it to anyone who oversees cybersecurity. Without a dedicated cybersecurity team, the targeted victim can report it to operational staff. The email can be reviewed and future emails blocked from reaching the intended recipient. Operational or cybersecurity staff should alert other employees so that they are aware of the ongoing threat.
If an organisation has persistent problems or sends money to an attacker, the bank should be contacted immediately. In some cases, banks can help the organisation recover all or partial funds. Law enforcement should also be contacted to investigate and for insurance purposes.
High Profile Cases and Results
Both small and large companies are targets for CEO fraud, but larger organisations stand to lose millions from just one successful threat. As an example, the Xoom CFO was the victim of CEO fraud and transferred over $30 million to offshore bank accounts before realising it was a scam. The CFO was eventually forced to resign.
Another San Francisco company, Ubiquiti, was the target of CEO fraud and transferred over $46 million to offshore attacker accounts. In this attack, Ubiquiti was able to work with banks and law enforcement to recover approximately $10 million, but they still suffered a net loss of $30 million from the fraud.
CEO Fraud Prevention Tips
Cybersecurity is a multibillion-dollar industry for attackers, but organisations and their operations staff can take several steps to prevent it:
- Audit high-risk users (e.g., finance and HR staff) and train them to identify attacks and report them.
- Implement access and cybersecurity controls that will help stop malicious emails (e.g., email filters and DMARC).
- Use security policies to block emails and wire transfers based on a simple email message.
- Incorporate financial and cybersecurity standards to catch an ongoing attack.
- Plan for risk and continually train new and existing employees.
- Send simulated social engineering and phishing emails to train employees.
- Stay aware and updated to the typical red flags seen in CEO fraud.
How Proofpoint Can Help
Knowing how to protect from CEO fraud is a full-time job, but Proofpoint can help any organisation protect from the phishing and social engineering involved in these attacks. Here are a few ways Proofpoint can help.
Advanced Business Email Compromise: Integrated machine learning and artificial intelligence detects and stops email fraud more accurately than relying on standard email security. Proofpoint’s email security also adds DMARC to your incoming and outgoing email technology. The platform gives administrators complete visibility across the organisation's email so that they can better detect and review threats.
Security Awareness Training: Human errors are responsible for data breaches from phishing attacks, but you can train employees to avoid being the next victim. Proofpoint uses real-world examples to train employees and help the organisation reduce risk and identify potential training opportunities on staff.
Email Security and Protection: Malicious messages and malware are also email threats, but Proofpoint’s email security will detect and stop these threats using advanced machine learning technology named NexusAI. Proofpoint email security analyses message headers, sender IP and message body text to identify and stop malicious messages.
What Is Business Email Compromise (BEC)?
Learn about Business Email Compromise (BEC), how it works, and different types of threats. Proofpoint shares how to identify and protect against a BEC scam.
Microsoft Misses Business Email Compromise (Email Fraud) Attacks
Business Email Compromise (BEC) is one of the most damaging threats to business. Discover the attacks missed by Microsoft and how they could have been prevented.
White Paper: Top 10 Business Email Compromise Scams
We rounded up the 10 biggest, boldest, and most brazen Business Email Compromise (BEC) scams. Download your copy of the 2022 edition now.
Analyst Report: The Ponemon Cost of Phishing Study
The financial effects of phishing attacks have soared as organisations shift to remote and hybrid work. Read the 2021 Ponemon Cost of Phishing Study to learn more.
Solution Brief: Five Steps to Combat Business Email Compromise
To combat the ever-evolving email fraud threats, you need a holistic solution that addresses all BEC actors’ tactics by encompassing multiple security controls and user awareness.