If it seems like you’re constantly hearing about cybercrime these days, there’s a reason for that. Globally, reports of cyberattack instances increased by a staggering 125% in 2021, a trend that shows no sign of slowing.
As businesses and consumers turn their attention to cybercrime and protective measures, enterprising cybercriminals continue to fine-tune their approach to exploiting vulnerabilities. In fact, cybercrime is on track to become the world’s third-largest economy.
Staying ahead of bad actors means remaining vigilant not only to existing threats but to new attacks as they’re developed. Particularly worrisome are those who exploit one’s trust and gain access to privileged information. As such, CEO fraud is running rampant in 2022.
According to the FBI’s Internet Crime Complaint Center (IC3) 2021 Report, CEO fraud is the highest-grossing type of cyberattack. Also known as Business Email Compromise (BEC), CEO fraud preys on email recipients by impersonating communication from C-level executives. Through these spoofed emails, criminals gain access to information, or benefit from well-intentioned lower-level employees performing tasks on behalf of their superior.
Criminals posing as a member of the C-suite endeavor to trick employees into a variety of functions, including facilitating wire transfers, amending an invoice payment address, providing bank or payroll information, making purchases of gift cards and other transferrable instruments, or otherwise disclosing sensitive information related to the company or individuals.
The risk of CEO fraud is high, particularly in an era where communications and requests are sent through digital means without person-to-person contact. Curbing this rampant security risk requires ongoing education and communication with end users about identifying these nefarious attempts.
To remain vigilant and mitigate risk, it’s crucial to understand the primary techniques and methods of CEO fraud to look out for.
The risks of CEO fraud through phishing attacks are twofold. Criminals can infiltrate organizational systems by successfully phishing information from CEOs themselves. This approach cuts out the middle man, so to speak, by obtaining information from C-level logins and access points.
Unfortunately, the risk doesn’t stop there. Phishing attacks can also be used against employees throughout the organization. By either using true C-level credentials to make contact with employees or impersonating CEOs to make requests for information, cybercriminals can trick employees into making fund transfers or providing privileged information.
Like phishing with extra patience, spear phishing takes a bit more of a time investment for cybercriminals. Spear phishing requires a bad actor to research a target and craft an email containing specific information to gain trust. By using that information to imitate another person or reference specific projects or events, criminals can trick their target into supplying details that can be used to commit crimes.
While spear phishing targets lower-level employees, executive whaling goes after the “big fish”: C-level executives specifically. Executive assistants are also frequent targets, given their proximity to organization heads and their ability to access information. Executive whaling resembles spear phishing in that attackers conduct extensive research before making contact via email.
When con artists want to gain trust, social engineering is a favored approach. Through personalized phone calls or text messages, bad actors use conversation to build trust, then use that trust to obtain privileged information or to convince recipients to wire large sums of money.
While organizations may be tempted to build protective measures for the C-suite, this is not a comprehensive approach. Many frauds involve employees outside of the executive circle or financial roles.
Whether the explicit target, or a step to reaching them, employees throughout the organization are potential victims. It’s crucial to maintain cyber hygiene by educating and protecting departments that hold a variety of functions, including:
- Human Resources members have access to employee databases and sensitive information that can be used by attackers to trick their targets.
- IT Department personnel have authority over passwords and access control, making their credentials particularly valuable.
- Finance Department members are at risk in companies whose policies require only an email to authorize the transfer or release of funds.
- C-suite executives are high-value targets for bad actors. As they hold financial authority, spoofing messages from these team members or collecting their login credentials grants access to a range of information and actions, including wire transfers.
Education is the first step to mitigating risk and protecting your organization. While educating end users to be aware of threats reduces the number of incidents caused by human error, there is more you can do to protect your data.
- Ensure that you have strict guidelines for authorizing transactions, including segregation of duties.
- Limit the information shared on company websites and social media to curb the use of personal details as leverage for fraudulent requests.
- Run periodic penetration testing to gain a real-world understanding of risk profiles.
- Mandate two-factor authentication (2FA) for end users, particularly those in the above risk groups and departments.
- Enforce and regularly review zero trust policies.
- Register multiple domains to maintain control of any similar addresses that may be easily confused for your own.
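As an added defender-side example (not part of the original article), the following Python script flags the header-level warning signs that the spoofed-email techniques above rely on: an executive's display name paired with an outside address, a sender domain that closely resembles the company's own, a Reply-To that diverts replies elsewhere, and a financial or urgent subject line. The company domain, executive list, keyword list and sample messages are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import List, Optional

# Constructed organisation data for this example (assumptions, not real values).
COMPANY_DOMAIN = "example.com"
# Display name (lower-cased) -> the executive's legitimate address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Words that commonly appear in BEC requests for money or payroll data.
RISKY_KEYWORDS = ("wire", "gift card", "urgent", "payroll", "invoice")


def lookalike_domain(domain: str, threshold: float = 0.8) -> bool:
    """True when a domain is not the company domain but closely resembles it
    (e.g. a digit or letter swapped), which is the "easily confused" case the
    article warns about."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    return SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= threshold


def analyse(from_header: str, reply_to: Optional[str], subject: str) -> List[str]:
    """Return the BEC warning signs found in a message's From, Reply-To and Subject."""
    findings = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Executive display name, but the address is not the executive's real one.
    name_key = name.strip().lower()
    if name_key in EXECUTIVES and addr != EXECUTIVES[name_key]:
        findings.append(f"display name impersonates executive '{name}' from {addr}")

    # 2. Sender domain is a near-miss of the company domain.
    if lookalike_domain(domain):
        findings.append(f"sender domain '{domain}' resembles {COMPANY_DOMAIN}")

    # 3. Reply-To silently redirects the conversation to another mailbox.
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr and rt_addr.lower() != addr:
            findings.append(f"Reply-To '{rt_addr}' differs from From '{addr}'")

    # 4. Subject asks for money, payroll data or urgency: the typical BEC lure.
    if any(k in subject.lower() for k in RISKY_KEYWORDS):
        findings.append("subject mentions a financial or urgent request")
    return findings
```

A message that trips several checks at once is a strong candidate for quarantine or for the out-of-band verification the authorization guidelines above require.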
The risk of CEO fraud is high, but organizations should not despair. With thorough end-user education and cyber hygiene practices in place, businesses, their data, and their finances will remain secure.
About the Author:
Having spent her career in various capacities and industries under the “high tech” umbrella, Stefanie Shank is passionate about the trends, challenges, solutions, and stories of existing and emerging technologies. A storyteller at heart, she considers herself one of the lucky ones: someone who gets to make a living doing what she loves.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.