CEO Fraud

Every week during National Cyber Security Awareness Month we will be sharing a SANS blog post to help keep you, your company and your family safe online.

What Is CEO Fraud?

Cyber criminals are sneaky—they are constantly coming up with new ways to get what they want. One of their most effective methods is to target people like you. While cyber attackers have learned that unaware people are the weakest link in any organization, they have forgotten that knowledgeable people like OUCH! readers can be an organization’s best defense.

Cyber criminals have developed a new attack called CEO Fraud, also known as Business Email Compromise (BEC). In these attacks, a cyber criminal pretends to be a CEO or other senior executive from your organization. The criminals send an email to staff members like yourself that tries to trick you into doing something you should not do. These types of attacks are extremely effective because the cyber criminals do their research. They search your organization’s website for information, such as where it is located, who your executives are, and other organizations you work with. The cyber criminals then learn everything they can about your coworkers on sites like LinkedIn, Facebook, or Twitter. Once they know your organization’s structure, they begin to research and target specific employees. They pick their targets based on their specific goals. If the cyber criminals are looking for money, they may target staff in the accounts payable department. If they are looking for tax information, they may target human resources. If they want access to database servers, they could target someone in IT.

Once they determine what they want and whom they will target, they begin crafting their attack. Most often, they use spear phishing. Phishing is when an attacker sends an email to millions of people with the goal of tricking them into doing something, for example, opening an infected attachment or visiting a malicious website. Spear phishing is similar to phishing; however, instead of sending a generic email to millions of people, they send a custom email targeting a very small, select number of people. These spear phishing emails are extremely realistic looking and hard to detect. They often appear to come from someone you know or work with, such as a fellow employee or perhaps even your boss. The emails may use the same jargon your coworkers use; they may use your organization’s logo or even the official signature of an executive. These emails often create a tremendous sense of urgency, demanding you take immediate action and not tell anyone. The cyber criminal’s goal is to rush you into making a mistake. Here are three common scenarios:

  • Wire Transfer: A cyber criminal is after money. This means they research and learn who works in accounts payable or the team that handles your organization’s finances. The criminals then craft and send an email pretending to be the targets’ boss; the email tells them there is an emergency and money has to be transferred right away to a certain account.
  • Tax Fraud: Cyber criminals want to steal information about your coworkers so they can impersonate employees for tax fraud. They research your organization and determine who handles employee information, for example, someone in human resources. From there, the cyber criminals send fake emails pretending to be a senior executive or someone from legal, demanding certain documents be provided immediately.
  • Attorney Impersonation: Not all CEO Fraud attacks involve just email; other methods like the telephone can be used. In this scenario, criminals start by emailing you pretending to be a senior leader, advising you that an attorney will call about an urgent matter. The criminal then calls you pretending to be the attorney. The criminal creates a tremendous sense of urgency as they talk about time-sensitive, confidential matters. This sense of urgency tricks you into acting right away.

Protecting Yourself

So what can you do to protect yourself and your organization? Common sense is your best defense. If you receive a message from your boss or a colleague and it does not sound or feel right, it may be an attack. Clues can include a tremendous sense of urgency, a signature that does not seem right, a certain tone you would never expect, or the name used in the email being different from what the person actually calls you. The attacker may even use an email address or phone number you have never seen before, or an email address that is similar to your coworker’s or boss’s email. When in doubt, call the person at a trusted phone number or meet them in person (don’t reply via email) and confirm whether they sent the email. Never bypass security policies or procedures. Your organization may have policies that define proper procedures for authorizing the transfer of funds or the release of confidential information. Requests that attempt to bypass those policies, regardless of their apparent source, should be considered suspicious and be verified before any action is taken. If you receive such a request and are not sure what to do, contact your supervisor, the help desk, or information security team right away.
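The clues listed above (an executive's name on an unfamiliar address, a lookalike domain, replies quietly redirected elsewhere, urgency and secrecy language) can also be checked by a mail filter. The following is an added example, not code from the newsletter or from SANS; the organization domain, the executive directory and both sample messages are constructed for the demo.

```python
# Added example: score one raw email message against the BEC red flags
# described in the article. Org domain, executive list and messages are
# all constructed placeholders, not real data.
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed org domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed directory
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|"
                     r"keep this (confidential|between us))\b", re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    body = ""
    if not msg.is_multipart():
        body = msg.get_payload(decode=True).decode(errors="replace")
    dom = domain_of(addr)
    flags = []
    # Known executive's display name, but not sent from their real address.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        flags.append("executive display name from unexpected address")
    # Lookalike domain: very close to ours, but not ours (e.g. examp1e.com).
    if dom and dom != ORG_DOMAIN and \
            SequenceMatcher(None, dom, ORG_DOMAIN).ratio() > 0.8:
        flags.append(f"lookalike sender domain {dom}")
    # Replies silently routed to a mailbox on a different domain.
    if reply and domain_of(reply) != dom:
        flags.append("reply-to domain differs from sender domain")
    # Pressure and secrecy language in the subject or body.
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        flags.append("urgency / secrecy language")
    return flags

SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-relay.invalid
Subject: Urgent wire needed today

Please process this transfer immediately and keep this between us.
"""
BENIGN = """From: Jane Doe <jane.doe@example.com>
Subject: Q3 planning

Let's meet Tuesday to go over the budget.
"""
```

A real deployment would feed the flags into a quarantine or banner rule rather than act on any single one, since urgency wording alone is common in legitimate mail.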

Guest Editor

Angela Pappas is a director of information security training and awareness at Thomson Reuters. In her role, Angela is responsible for the ambassador program, eLearning, and educating employees about topics that pose a significant risk.