To quote one of the greatest minds, Albert Einstein, “Blind belief in authority is the greatest enemy of truth.” When the big boss says “Jump!” many employees ask, “How high?” and this behavior associated with blind belief is exactly why a new email scam known as CEO fraud is so effective at fooling its victims.
CEO fraud is a skilled email hoax used by cybercriminals to deceive employees into sending money or divulging critical company information. This cybercrime, also known as Business Email Compromise (BEC), employs spoofed or compromised email accounts to deceive email recipients into taking action.
According to statistics collected by the IC3 from October 2013 to May 2018, approximately 78617 international and domestic CEO fraud incidents were reported, which has resulted in the loss of 13 billion dollars. It is a worldwide cybercrime that knows no boundaries and can affect companies of all sizes and sorts. Amongst the 3 common CEO fraud attack methods are phishing, spear phishing, and executive whaling.
This psychologically manipulative process of social engineering involves gaining the trust of the recipient of an email. The fraudsters behind CEO fraud know that most individuals do not pay attention to email addresses or notice small spelling changes. Persistency of the hacker is a primary factor of “success” from their end.
The hackers only need to get lucky occasionally, but the employees need to be lucky a hundred percent of the time. They are looking for that one vulnerable employee, machine, or an area. The flow follows phases; it picks the victim, manipulates the employee, regulates the reaction and behavior of the employee through adding some necessity of urgency for action, and finally, the impact.
It is also noteworthy having a look at a real-life case of CEO fraud. In the summer of 2014, the Scoular Company, a grain business behemoth, fell victim to a CEO fraud scheme. The Corporate Controller at Scoular received an email pretending to be from the company’s CEO. Scoular was buying a company in China, and they wanted to wire money to a bank in China, according to the email. The fake email directed the Controller to Scoular’s accounting firm for further instructions. Unfortunately, despite the fact that the accounting business exists, the hackers had forged some genuine-looking contact information, which was enough to persuade the Controller that the transaction was legal. The Scoular Company lost $17.2 million as a result of the fraud.
This unveils one of the most important/common cause, similar looking email domains. Researchers say approximately 50 percent of the email servers are not set up correctly. In addition, there are about 10 million Exchange Servers (one of many other types of servers), meaning the number of targets is incredibly high. This data portrays the easy accessibility one has using which they can initiate a phishing of this sort.
Given this global phenomenon of wrongdoing, the obvious question to act on is how to counteract. Efficiency lies in following simple steps:
Hover over the email address to verify who the sender is.
Have clear policies in place.
Run regular cybercrime awareness workshops.
Next, dive deeper for further prevention.
It should be ensured that employees are properly educated and trained on the various categories of CEO fraud strategies. They may rapidly discover CEO fraud, social engineering, and phishing hazards by using phishing simulation tools.
Businesses should consider adopting restrictive network access policies to limit the usage of personal devices and limit information sharing with those outside the company’s network. The operating systems, applications, internal software solutions, and network tools should be assuredly secure and up to date.
System of checks and balances should be implemented, meaning large wire transfers should not be initiated without face to face or a telephone conversation confirming whether the money should be sent out from the company right away or not. Having a detailed configuration of anti-spam is vital as well.
To sum up, there is no other alternative than to be educated about the fraud and the possible repercussions that could result from it. If there is something that looks slightly off, eliminate the blind belief. Just pick up the phone and call, even if it is calling the CEO.