Cybercriminals Targeting Your Leadership
Your CEO is a high value target for cybercriminals. Between the authority they have to execute financial transfers and the access they have to sensitive data, compromising an unsuspecting C-Level executive, or successfully impersonating them, is the top goal for most cybercriminals. Do you know what it takes to protect your leadership and your organization?
Back in 2016, the FBI started spreading the word about “CEO Fraud”, a cybercrime vector in which the criminal impersonates a C-level executive over email to trick the recipient into divulging crucial information or processing a massive e-transfer of company money.
Since then, CEO Fraud has become one of the most popular ways for cybercriminals to make money – in 2017, a Canadian university paid out more than $11 million due to CEO Fraud.
Do you have that kind of money to spare because your leadership, and staff as a whole, may not be aware of the latest cybercrime trends?
That’s why you need to understand what it is, how it works, and how to protect against it. In this blog, we’ll answer the following questions:
1. What Is CEO Fraud?
2. How Does CEO Fraud Work?
- Spear Phishing
- Executive Whaling
- Social Engineering
3. Do Cybercriminals Only Target CEOs?
- Finance Department
- Human Resources
- C-Level Executives
- IT Management
4. How Can You Prevent CEO Fraud?
What Is CEO Fraud?
CEO Fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives to fool employees into executing unauthorized wire transfers or sending them confidential tax information. Beyond tricking accounting staff into scheduling fraudulent wire transfers, it also takes aim at personally identifiable information.
CEO Fraud is a form of Business Email Compromise (BEC) where a cybercriminal impersonates a high-level executive (often the CEO). Once they convince the recipient of the email (employee, customer or vendor) that they are legitimate, they then attempt to get them to transfer funds or confidential information. BEC attacks are also called whaling or man-in-the-email. They are a way of tricking employees into turning large amounts of money over to cyber attackers.
How Does CEO Fraud Work?
- Phishing: Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” for sensitive information by posing as reputable sources, often with legitimate-looking logos attached.
- Spear Phishing: This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.
- Executive Whaling: The bad guys target top executives and administrators, typically to siphon off money from accounts or steal confidential data.
- Social Engineering: LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.
Do Cybercriminals Only Target CEOs?
Despite the name, it isn’t just the CEO that should be worried about this kind of scam. There are four other groups of employees who are considered valuable targets given their roles and access to funds and confidential information.
- Finance Department: The finance department is especially vulnerable in companies that regularly engage in large wire transfers.
- Human Resources: HR represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organization, manages the employee database and is in charge of recruitment.
- C-Level Executives: Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority.
- IT Management: The IT manager and IT personnel with authority over access controls, password management, and email accounts are also high-value targets.
How Can You Prevent CEO Fraud?
1. Know Your Targets
These include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas.
- Review social/public profiles for job duties/descriptions, hierarchical information, out-of-office details, or any other sensitive corporate data.
- Identify any publicly available email addresses and lists of connections.
2. Defend Your Organization
- Email filtering
- Two-factor authentication
- Automated password and user ID policy enforcement
- Comprehensive access and password management
- Whitelist or blacklist external traffic
- Patch/update all IT and security systems
- Manage access and permission levels for all employees.
- Review existing technical controls and take action to plug any gaps.
3. Implement A Robust Security Policy
Every organization should set a security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should include such things as:
- Not opening attachments or clicking on links from an unknown source.
- Not using USB drives on office computers.
- A Password Management Policy (no reusing passwords, no Post-it Notes on screens as password reminders, etc.).
- Required security training for all employees.
- A review of policies on Wi-Fi access. Include contractors and partners as part of this if they need wireless access when onsite.
4. Set And Follow Best Practices
IT should have measures in place to:
- Block sites that are known to spread ransomware.
- Keep software patches and virus signature files up-to-date.
- Carry out vulnerability scanning and self-assessment using best practice frameworks such as US-CERT or SANS Institute guidelines.
- Conduct regular penetration tests on Wi-Fi and other networks to see just how easy it is to gain entry.
- Utilize Domain Spoof Protection
- Create intrusion detection system rules that flag emails whose sender domains are similar to, but not the same as, the company's own email domain.
5. Plan Ahead To Mitigate Cyber-Risk
- Develop a comprehensive cyber-incident response plan and test it regularly. Augment the plan based on results.
- Executive leadership must be well informed about the current level of risk and its potential business impact.
- Management must know the volume of cyber incidents detected each week and of what type.
- Understand what information you need to protect. Identify the corporate “crown jewels,” how to protect them and who has access.
- A policy should be established as to thresholds and types of incidents that require reporting to management.
- Cyber-risk MUST be added to existing risk management and governance processes.
- Best practices and industry standards should be gathered up and used to review the existing cybersecurity program.
- Consider obtaining comprehensive cybersecurity insurance that covers various types of data breaches.
6. Have Your Personnel Contribute To Cybersecurity
No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimizing the danger, so start here:
- Train users on the basics of cyber and email security.
- Train users on how to identify and deal with phishing attacks with New-School Security Awareness Training.
- Implement a reporting system for suspected phishing emails.
- Continue security training regularly to keep it top of mind.
- Frequently phish your users to keep awareness in mind.
7. Test Against Phishing
- Run an initial phishing simulation campaign to establish a baseline percentage of users who are Phish-prone.
- Continue simulated phishing attacks at least once a month (twice is better).
- Once users understand that they will be tested on a regular basis and that there are repercussions for repeated failures, behavior changes; they develop a less trusting attitude and get much better at spotting a scam email.
- Randomize email content and the times they are sent to different employees. When they all get the same thing, one employee spots it and leans out of the cubicle to warn the others.
8. Keep An Eye Out For Warning Signs
Security Awareness Training should include teaching people to look for red flags. Here are the most common things to watch out for:
- Awkward wording and misspellings
- Slight alterations of company names such as Centriffy instead of Centrify or Tilllage instead of Tillage
- Spoofed email addresses and URLs that are very close to actual corporate addresses, but are only slightly different
- Sudden urgency or time-sensitive issues
- Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information,” which, according to the FBI, are frequently used in these scams.
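As an added example (not code from the original post), the following Python check implements the lookalike-domain red flags above and the intrusion detection rule from section 4: it parses sender addresses and flags domains that are within a couple of edits of, or embed, the company's own domain. The company domain and the sample sender addresses are constructed for illustration.

```python
import re

# Constructed sample: the organization's legitimate domain and a few sender
# addresses as they might appear in a mail gateway's log (not real data).
COMPANY_DOMAIN = "centrify.com"
SAMPLE_SENDERS = [
    "ceo@centrify.com",          # genuine
    "ceo@centriffy.com",         # extra letter
    "cfo@centrify.co",           # truncated TLD
    "ceo@centrify-corp.com",     # brand name with an appended token
    "news@vendor-example.net",   # unrelated domain, should not be flagged
]

def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Return the lower-cased domain part of an e-mail address, or None."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", address.strip())
    return m.group(1).lower() if m else None

def is_lookalike(domain, company=COMPANY_DOMAIN, max_edits=2):
    """True if domain is close to, but not equal to, the company domain."""
    if domain == company:
        return False
    # Compare the first label (brand name) as well as the whole domain, so
    # both "centrify.co" and "centrify-corp.com" are caught.
    label, company_label = domain.split(".")[0], company.split(".")[0]
    if min(levenshtein(domain, company), levenshtein(label, company_label)) <= max_edits:
        return True
    return company_label in label  # brand name embedded in a longer label

def flag_senders(addresses, company=COMPANY_DOMAIN):
    """Return the addresses whose sender domain looks like the company domain."""
    flagged = []
    for addr in addresses:
        dom = sender_domain(addr)
        if dom and is_lookalike(dom, company):
            flagged.append(addr)
    return flagged
```

Calling `flag_senders(SAMPLE_SENDERS)` returns the three lookalike senders and leaves the genuine and unrelated addresses alone; in a gateway rule the same check would quarantine or tag the message for review.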