Is that really you? CEO Fraud and how to avoid it

CEO Fraud illustrated by words on a bench saying take a little time to think

Rather misleadingly named, this isn’t fraud by your CEO, but rather by someone pretending to be the CEO (or some other senior staff member in your organisation). It is a particular kind of phishing attack, sometimes called business email compromise, and it works like this…

The attacker does a little bit of digging for information about your organisation, possibly using information freely available on your website, on LinkedIn, or on other social media channels.

Using that information, they craft an email that looks as though it comes from somebody senior in your company and send it to a carefully selected (usually more junior) employee. They might have got access to the senior person’s email account, but if not, they’ll forge (or ‘spoof’) the email address, so it looks as though it comes from the senior colleague.

That email will contain an urgent request for action. These actions will depend what department the employee is in, but might be along the lines of:

  • “Please transfer (a large sum of) money to this account urgently; there’s an important deal depending on it. Here are the details…”
  • “Can you pay these outstanding invoices for (a genuine client name) today? I don’t know what the holdup is but we need to pay it now—I’ll investigate when I get back. They’ve asked for it to go to their new account, here are the details… Thanks for helping out!”
  • “I’ve forgotten my login details for (some important company system) and need them urgently, please can you email them to me? I’m in a meeting, so can’t take a call, but need to log in right now.”
  • “I need prizes for that presentation I’m doing out of town/at XXX conference this afternoon: could you buy 5 Amazon gift cards (£1000 each), and send me a picture of the barcodes?”
  • “I need details of (something confidential) as soon as possible for our discussions today, please could you reply asap?”

The more sophisticated ones will be able to make the content inside the email look convincing. They might be able to use the knowledge found on social media that the CEO is indeed out of town, or making a presentation at a big conference. They might know the names of your biggest clients.

They might also be able to use the right tone of voice, get the look and feel of the emails right, matching the images, the signature format and so on. They might know exactly which systems, or what confidential information, they want to get hold of.

The employee is most likely to be eager to help and carries out the request… and unfortunately, the money or confidential information is gone.

How can you avoid becoming a victim of CEO fraud?

Typically, this kind of fraud creates a sense of urgency in the hope that the employee (who is probably very busy and just trying to be helpful) will act immediately and without following any normal processes.

Most importantly, you need to ensure that each and every employee knows about this kind of scam, knows what to look for, and knows that they will not be punished for double-checking.

Things to think about when you receive an email:

  • Is this a reasonable request? Why are they asking me to do this rather than someone else?
  • Is this a normal request? Am I being asked to do something that isn’t my job, or that doesn’t follow normal processes?
  • Is this a genuine email, or is something not quite right? Perhaps the domain name isn’t right, or the tone of voice isn’t right. Have they signed off as Robert, when they usually sign as Rob?
  • Can you contact them to check? Or check with IT, or with another, more experienced colleague?
  • Is the information in the email true? Are there in fact overdue invoices, for example?

You can put in place strong policies and procedures that require proper authorisation and approval before money can be transferred, or sensitive information shared.

And finally, there are a range of software products that can scan emails and filter out anything suspicious.

If you need help with awareness training, or with creating policies and procedures that will help secure your business, please contact Click and Protect on 0113 733 6230, or email us here.