What Is CEO Fraud?

CEO fraud falls under the umbrella of phishing, but instead of an attacker spoofing a popular website, they spoof the CEO (or another high-level executive) for the targeted corporation. Some CEO fraud includes social engineering, but most attacks are a collection of attacks rather than just a single phishing method. The goal of CEO fraud is to convince an employee to send an attacker money or confidential information such as intellectual property or credentials.

The phishing industry alone is worth billions, and CEO fraud is also a scam with large payouts. The FBI estimates that the Business Email Compromise (BEC) scam is worth $26 billion and continues to grow in popularity. Between 2018 to 2019, the FBI also indicates that there was a 100% increase in BEC scams, including CEO fraud.

Targeted businesses can be small, medium, or large, but the two top countries used for fraudulent bank transfers are China and Hong Kong. CEO fraud targets businesses in several countries, but the FBI reports targets across 177 countries including the US and UK and banks used in these scams that span approximately 140 countries.

Spoofing email addresses and phishing are the two main attack methods in CEO fraud, but social engineering is often incorporated for larger payouts. Reconnaissance using corporate web pages and LinkedIn provides attackers with loads of information about the organisation, employees, executive names and email addresses, and invoicing systems. Usually, the phishing emails target employees in specific departments such as HR or accounts payable.

For example, an attacker will register a domain name with a slight misspelling from the official corporate domain. The attacker then sends an email using the CEO’s name to an accounts payable employee to convince the targeted user to send money to the attacker-controlled bank account. To increase the level of urgency, the attacker might use social engineering to call the targeted employee and pretend to be a representative of the organisation, such as an accountant.

A sophisticated attack could cost organisations millions in financial loss. Several organisations have lost millions to CEO fraud and executive whaling. An organisation could lose money from several attacks asking for small payouts, but it’s more common for attackers to trick employees into sending six or seven figure financial transfers.

Financial loss isn’t the only impact. Some attackers targeting HR departments convince employees to send personally identifiable information (PII) to a third party, later used in bank fraud or identity theft. Most compliance regulations require organisations to alert customers after a data breach, so CEO fraud could lead to brand reputation damage and litigation costs. Employees who fall for CEO fraud risk losing their jobs, especially if the targeted victim was another executive.

CEO phishing fraud is considered a sophisticated attack, so the first step is to find an organisation. An attacker reads a targeted organisation's site looking for charts and corporate employee structure including names of executives and associated employees. The reconnaissance phase can last several days until the attacker collects enough information to carry out the next steps.

When a target is determined, the next step is to register a domain that looks similar to the target’s official domain name spelling. Once the domain is registered, the attacker creates an email address with the CEO’s name or a high-level executive. An email is sent to the targeted user to initiate contact and instructs the user to send money.

Most employees in HR and finance departments are trained to identify phishing emails, but attackers use convincing methods to convey a sense of urgency from a high-level executive. An employee might notice the misspelled domain name, become a victim, wire transfer money, or respond with sensitive information.

Attackers have two primary targets for CEO fraud: high-level executives with access to sensitive information, or employees with the authorisation to perform wire transfers. A CFO, CEO, COO, or other high-level executive is typically the target, but any executive with operational authority should be aware of the many ways attackers use phishing and social engineering.

In cybersecurity, targeting an employee close to the intended victim is more effective. Attackers know that high-level executives train to detect threats such as phishing, so they target an employee that can be more easily socially engineered. The employee might have sufficient privileges to wire transfer money, or an attacker can steal the employee’s credentials to then perform privilege escalation on the environment.

The biggest trick with any phishing attack is to force a sense of urgency. If a target is given too much time to think about what is happening, the target might know it’s a scam. The attacker will use a spoofed email address or create a legitimate email that looks similar to the official one. With a sense of urgency, the targeted user might miss the many red flags.

No other component works as well as leveraging the targeted user’s fear, which works well when the user thinks it’s the CEO demanding money. The email might not be long or well written, but the sense of urgency causes targeted victims to overlook these issues. They always involve scamming the victim out of money or sensitive information.

If the organisation has an on-staff security team, the first step is to report it to anyone who oversees cybersecurity. Without a dedicated cybersecurity team, the targeted victim can report it to operational staff. The email can be reviewed and future emails blocked from reaching the intended recipient. Operational or cybersecurity staff should alert other employees so that they are aware of the ongoing threat.

If an organisation has persistent problems or sends money to an attacker, the bank should be contacted immediately. In some cases, banks can help the organisation recover all or partial funds. Law enforcement should also be contacted to investigate and for insurance purposes.

Both small and large companies are targets for CEO fraud, but larger organisations stand to lose millions from just one successful threat. As an example, the Xoom CFO was the victim of CEO fraud and transferred over $30 million to offshore bank accounts before realising it was a scam. The CFO was eventually forced to resign.

Another San Francisco company, Ubiquiti, was the target of CEO fraud and transferred over $46 million to offshore attacker accounts. In this attack, Ubiquiti was able to work with banks and law enforcement to recover approximately $10 million, but they still suffered a net loss of $30 million from the fraud.

Knowing how to protect from CEO fraud is a full-time job, but Proofpoint can help any organisation protect from the phishing and social engineering involved in these attacks. Here are a few ways Proofpoint can help.

• Advanced Business Email Compromise: Integrated machine learning and artificial intelligence detects and stops email fraud more accurately than relying on standard email security. Proofpoint’s email security also adds DMARC to your incoming and outgoing email technology. The platform gives administrators complete visibility across the organisation's email so that they can better detect and review threats.
• Security Awareness Training: Human errors are responsible for data breaches from phishing attacks, but you can train employees to avoid being the next victim. Proofpoint uses real-world examples to train employees and help the organisation reduce risk and identify potential training opportunities on staff.
• Email Security and Protection: Malicious messages and malware are also email threats, but Proofpoint’s email security will detect and stop these threats using advanced machine learning technology named NexusAI. Proofpoint email security analyses message headers, sender IP and message body text to identify and stop malicious messages.