CEO fraud is the latest in a new generation of cyber-attacks involving impersonation of senior company officials, using social engineering to coerce employees into transferring company money under the auspices of a legitimate business purpose. It might sound unbelievable, but a recent FBI report states that attackers stole $215m in this way in the 14 months up to Jan 2015.
CEO fraud hit the headlines recently when networking vendor Ubiquiti suffered a $46.7 million cyber-heist. Unfortunately, these scams are becoming increasingly common; I personally know of several organisations that have been on the receiving end of an attack.
The attacks rely on one of two techniques to initiate this fraud:
Compromising a senior employee’s email account
Registering a domain very similar to the corporate domain (typosquatting) and impersonating a senior employee
Although the latter may not sound as effective, it is working; after all, it's easy to misread Sotfcat for Softcat, and this is exactly what perpetrators count on. The attackers are also tapping into social networks to tailor the emails with increasing sophistication. This level of precision is a far cry from the advance fee fraud scams, involving foreign dignitaries and lottery winners, that became so commonplace a few years ago and are perhaps the origins of this type of attack.
With this in mind, it's prudent that organisations consider their own stance in tackling this challenge. Unlike some cyber threats where protection can be achieved almost exclusively through technological measures, being better prepared to counter CEO fraud is much more about human intervention. Here are three steps that will better prepare you to repel this type of attack.
1. Security awareness training
Make sure your people are aware of the threat and are cognisant of it in their daily work. This is especially important for staff who have authorisation or responsibility for transferring money.
2. Tighten up processes
Ensure your processes for transferring money are as robust as possible. If viable, introduce some form of verification, such as a phone call to the requester, whenever a request to transfer funds is made via email. Do not rely solely on electronic communication for financial transactions of this kind.
3. Check who owns similar domains
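As an added example, not part of the original post, the script below turns the Sotfcat/Softcat illustration into something actionable: it enumerates the single-edit lookalikes of a corporate domain (the list worth checking ownership of) and flags inbound sender addresses that use one of them, so finance staff know which requests need the phone-call verification from step 2. The corporate domain, the homoglyph list and the sample sender addresses are constructed assumptions.

```python
# Constructed example: the corporate domain from the post's Sotfcat/Softcat illustration.
CORPORATE_DOMAIN = "softcat.com"

# Character sequences commonly confused at a glance (assumed list, not from the post).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "rn": "m", "vv": "w"}


def lookalike_domains(domain):
    """Return single-edit lookalikes of `domain`: adjacent-character transpositions
    (Sotfcat for Softcat), dropped characters, doubled characters and common
    homoglyph swaps. This is the list to check registrations for (step 3)."""
    label, _, tld = domain.lower().partition(".")
    variants = set()
    for i in range(len(label) - 1):  # transposition: swap neighbouring characters
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):      # omission: drop one character
        variants.add(label[:i] + label[i + 1:])
    for i in range(len(label)):      # repetition: double one character
        variants.add(label[:i + 1] + label[i] + label[i + 1:])
    for src, dst in HOMOGLYPHS.items():  # homoglyph: visually similar substitution
        if src in label:
            variants.add(label.replace(src, dst))
    variants.discard(label)          # never flag the genuine domain itself
    return {f"{v}.{tld}" for v in variants}


def sender_is_lookalike(sender_domain, corporate_domain=CORPORATE_DOMAIN):
    """Defender-side check: True if an inbound sender's domain imitates the
    corporate domain without being the corporate domain."""
    sender_domain = sender_domain.lower()
    return sender_domain != corporate_domain.lower() and sender_domain in lookalike_domains(corporate_domain)


# Constructed sample sender addresses, as they might appear in a mail log.
SAMPLE_SENDERS = [
    "ceo@softcat.com",       # genuine
    "ceo@sotfcat.com",       # transposition, as in the post
    "finance@S0ftcat.com",   # homoglyph: zero for the letter o
    "supplier@example.com",  # unrelated
]


def flag_senders(addresses, corporate_domain=CORPORATE_DOMAIN):
    """Return the addresses whose domain is a lookalike of the corporate domain."""
    return [a for a in addresses if sender_is_lookalike(a.rsplit("@", 1)[-1], corporate_domain)]


if __name__ == "__main__":
    for address in flag_senders(SAMPLE_SENDERS):
        print("lookalike sender, verify the request out of band:", address)
```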
Without wishing to scaremonger, these attacks are real and happening now. As such, address the issue as soon as possible. Protecting yourself requires almost no investment in technology, just a heightened awareness for what’s possible. Prevention is always better than cure, and those who have suffered at the hands of CEO fraud will likely only recover a fraction of their losses.