Firms have lost over $2 billion in the past three years to ‘CEO fraud attacks’, and every year more companies are targeted. The FBI warns of a dramatic spike in attacks: a 270 percent increase in identified victims and exposed loss since January 2015. While the FBI’s Internet Crime Complaint Center (IC3) has received complaints from victims in every U.S. state, this is a global problem, with attacks reported in at least 79 countries.
CEO scams, or CEO fraud, are a subset of ‘Business Email Compromise’ (BEC), in which legitimate business email accounts are compromised through hacking or social engineering to conduct unauthorized fund transfers. CEO fraud in particular involves compromising or impersonating the email of high-ranking company executives. Most victims report requests to transfer funds via wire transfer, but cheque requests have also been reported – the fraudster takes care to follow the business’s regular fund transfer procedures.
Businesses that work with foreign suppliers and/or regularly perform wire transfers are most frequently targeted by the scam, but any type or size of business is at risk. Small and medium businesses are less likely to have comprehensive policies in place around fund transfer authorization while larger companies are at risk for the greatest losses due to the higher dollar amounts associated with their transactions.
The first step in a CEO email scam involves a fraudster impersonating a high-level executive through email. These emails can originate from a genuine executive email account (either by gaining access to that account or by faking the ‘From’ field), or from a lookalike address on a similar or misspelled domain name (for example: CEO@cyberinvestigationservices.co, or CEO@cyberinvestgationservices.com).
Then, an email is sent to a company member who regularly deals with these procedures requesting that funds be transferred – frequently the message refers to the transfer being time-sensitive or confidential. According to the IC3, “the requests for wire transfers are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request”.
Fraudsters targeting businesses in this way research their victims carefully. “Fraudulent e-mails received have coincided with business travel dates for executives whose emails were spoofed,” the IC3 alert warns. “The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment. Victims may also first receive ‘phishing’ e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc).”
Public corporate information such as employee relationships can also be taken from corporate websites, LinkedIn, and social media, while phone calls and emails from fraudulent accountants and attorneys can also be included to make the scam more convincing.
Aaron Higbee, co-founder and chief technology officer of PhishMe, a US security company specialising in educating staff about phishing attacks, suggests that this low-tech yet targeted approach increases the scam’s effectiveness, as it bypasses spam filters and antivirus software. “It doesn’t need attachments carrying malware, it’s just a conversation,” he says. “It’s very low-tech and a big departure from the large, automated malware attacks we’re used to.”
While the technology involved is simple, the social engineering is very effective – it’s much easier for a fraudster to compromise a trusting employee than a corporate bank account. Staff are unlikely to question a normal sounding request from upper management, and the CEO scam emails frequently bring up an urgent, confidential situation to dissuade the employee from properly investigating the procedure.
The average cost of such an attack to a business is between $25,000 and $75,000, but the figures can go much higher. Mattel was scammed out of $3 million in 2015, while Ubiquiti Networks lost over $40 million. Additionally, funds transfer fraud and computer fraud insurance may not protect businesses – there are currently high-profile cases against Federal Insurance, which claimed that Medidata Solutions Inc’s $4.8 million loss in such a scam was not covered, as the policy “only covered hacking, not voluntary transfers of money.”
This is a scam that preys on ignorance, trust, and lack of information. Once informed about how it works, there are a number of things to watch out for and ways to defend against the fraudsters. First, in the case of a fake CEO email, while the ‘From’ email address can be spoofed easily, the ‘Reply-To’ field will be different – it points to an address the attacker controls, so that any reply goes back to them. Employees should be vigilant about significant transfers being requested urgently or within a short time frame.
Additionally, the FBI urges businesses to use two-step or multi-step authentication for significant transfers – at minimum, confirm with the executive by phone on a previously used number, never on a phone number provided in the suspicious email. Educating your workforce about the dangers and having clear policies in place for secure funds transfers are the most effective defenses against this scam.
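The two email indicators described above (a ‘Reply-To’ domain that differs from the ‘From’ domain, and a lookalike or misspelled sender domain) can be checked mechanically before a transfer request is acted on. The following is an added example, not code from the article or from Cyber Investigation Services; the trusted domain is taken from the article’s own lookalike examples and the sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr
from difflib import SequenceMatcher

# Assumed corporate domain, taken from the article's lookalike examples.
TRUSTED_DOMAIN = "cyberinvestigationservices.com"


def domain_of(header_value):
    """Extract the lowercase domain from a From/Reply-To header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True when domain is neither trusted nor a subdomain of it, yet
    closely resembles it: near-identical spelling, or same name under
    another top-level domain (the .co / .com trick)."""
    if not domain or domain == trusted or domain.endswith("." + trusted):
        return False
    name, _, tld = domain.rpartition(".")
    tname, _, ttld = trusted.rpartition(".")
    same_name_other_tld = name == tname and tld != ttld
    return same_name_other_tld or SequenceMatcher(None, name, tname).ratio() >= 0.9


def check_message(raw):
    """Return a list of (finding, domain) tuples; an empty list means no flags."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    # No Reply-To header means replies go to the From address.
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom
    findings = []
    if is_lookalike(from_dom):
        findings.append(("lookalike-from", from_dom))
    if reply_dom != from_dom:
        # Replies would be routed somewhere other than the displayed sender.
        findings.append(("reply-to-mismatch", reply_dom))
        if is_lookalike(reply_dom):
            findings.append(("lookalike-reply-to", reply_dom))
    return findings


# Constructed sample messages (not real traffic).
LEGIT = "From: CEO <ceo@cyberinvestigationservices.com>\nSubject: Q3 numbers\n\nSee attached.\n"
REPLY_TO_SWAP = ("From: CEO <ceo@cyberinvestigationservices.com>\n"
                 "Reply-To: ceo@cyberinvestigationservices.co\n"
                 "Subject: Urgent wire\n\nConfidential, please handle today.\n")
MISSPELLED = "From: CEO <ceo@cyberinvestgationservices.com>\nSubject: Urgent wire\n\nTransfer today.\n"

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("reply-to swap", REPLY_TO_SWAP), ("misspelled", MISSPELLED)):
        print(label, check_message(raw))
```

A flagged message is a reason to verify by phone on a known number, as the article advises; a clean result does not prove a request is genuine, since a fully compromised executive mailbox passes both checks.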
If you have unwittingly been the victim of such a scam, it is vitally important to contact your bank immediately to try to stop the transfer. If you believe that you have received a CEO fraud email, you can hire a professional cyber forensics specialist who can help you gather evidence that law enforcement can use to catch such criminals.
About the Author: Bruce Anderson is the Co-Founder of Cyber Investigation Services LLC which has customers throughout the world in all major continents. Corporations, Attorneys, Professionals, Celebrities and Govt Agencies have all grown to rely upon their intelligence solutions, consultancy and investigative skills in identifying and tracking down hackers, counterfeiters & grey market sellers, international cyber criminals, as well as providing high level background investigations for high-dollar transactions between worldwide corporate entities.