What is CEO Fraud?

CEO Fraud is a type of Business Email Compromise in which the malicious actor pretends to be a figure of high authority, often the CEO, to try and get an employee to transfer funds to their account or divulge sensitive information. CEO fraud is one of the most common types of phishing and social engineering attacks faced by organizations since employees are hard-wired to follow orders from authoritative figures with little question. This coupled with the fact that a CEO is usually in a position to ask employees to do tasks urgently and discreetly, is one of the reasons this attack method is particularly successful. This attack differs from Whaling which is an attack in which involves targeting CEOs and other C-level employees as opposed to impersonating them.

How does CEO Fraud work?

Firstly, the attacker needs to find a way for the sender email address of the phishing email to appear as close as possible to the real one. This is normally carried out either by hacking the CEO’s mailbox, spoofing emails to look like they’re coming from the CEO, or, most commonly, by using an email address that looks similar to the CEO’s real one (for example by using techniques such as typosquatting). The attacker may even choose to set up a fake email domain or use a free email provider to make it look like the CEO is using their personal account, giving an excuse why they are doing so. Employees are even more likely to fall victim to the lure if they use a mobile app to view the email which usually only shows the display name rather than the full address.

The email would typically instruct the employee to transfer company funds to a bank account the attacker controls citing some business-related reason such as an urgent payment that needs to be made which requires immediate action. The sense of urgency is important to an attacker to ensure that the employee feels pressured to abide by the request immediately instead of double-checking. Of course, this isn’t always possible when wiring large sums of money since there would be processes and policies that finance departments have to follow. The more resourceful of attackers would find out such things beforehand and exploit them. Hence they would target employees who hold senior positions in the HR, finance or, IT departments due to their power and their access to resources and information.

This is what happened to Mattel in 2015 in an attack that almost cost the company $3 million. The attack started with the scammer sending an email impersonating the company’s new CEO to a finance executive asking for a new vendor payment to China. Unfortunately for the company, the attackers had done their homework; they knew that as per company policy, such transfers required the approval of two-high ranking executives which meant that the finance executive didn’t need to ask anyone else before sending the money. The attackers, however, got unlucky with their timing — they failed to consider that the day following their attack was a bank holiday in China. Fortunately, this gave Mattel time to block the transfer and recover the stolen funds.

What are the indicators of a CEO Fraud attack?

Each case of CEO fraud is different, but each one has some common features which identify it as this type of attack.

1. Domain impersonation — This is a common strategy in which the attacker will attempt to impersonate the email address of someone within the company most convincingly by setting up a fake domain. If you notice that this is the case, not only should you not interact with it but should also raise awareness within the company to ensure that the domain is taken down.

2. A sense of urgency — Everything from the subject of the email to its content takes an urgent tone to try and minimize the duration of the attack and to create a sense of panic in the recipient. This tends to lead people to make hasty, uninformed decisions.

3. An authoritative tone — The person the attacker is trying to impersonate is a person of authority, hence the attacker tries to look the part.

4. Appeal to emotion and trust — The attacker may choose to include phrases such as “I am counting on you” to make the employee feel special to have been directly chosen for the task.

5. New account details — How can an attacker provide a seemingly valid reason to transfer funds to an illegitimate account? Attackers frequently use the simple ruse of a last-minute change in account details. While it may seem like an obvious red flag, it’s still a very effective technique.

6. Lack of grammatical mistakes — Contrary to many low-effort phishing attacks, CEO fraud emails are generally well written since they usually impersonate highly educated individuals who are less likely to make rudimentary spelling or grammatical errors. Naturally, this makes the attack more difficult to spot.

What are the consequences of CEO Fraud?

A CEO fraud attack aims to steal funds or data from an organization. A successful attack will not only achieve just this but will also damage the reputation of a company and its employees. One of the biggest fraud cases in history is that of the Austrian aerospace company FACC AG in 2016. An employee at the company received an email asking them to transfer the sum of forty-two million euros to another account for a particular acquisition project which appeared to come from the company’s CEO. The company was only able to recover roughly a fifth of this amount but the damage could be even higher when considering remediation cost, damage to brand reputation, lost business, and drops in share price.

Is there a way to prevent CEO Fraud?

Attackers may try to reel their victim in but as always with phishing attacks, it all depends on whether the targeted audience takes the bait.

• As an organization, it is important to ensure that all employees are aware of phishing, social engineering, and, specifically, CEO fraud. Phishing simulation is one way to gauge, track and improve employees’ security awareness;

• As an organization, ensure that illegitimate email addresses can be detected through the implementation of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). This helps in the prevention of many spoofing attacks;

• Educate employees to never make rushed decisions when faced with situations like those mentioned in this article. Instead, employees should be encouraged to take a moment to ensure that it is a legitimate request, asking for help where necessary;

• Be aware of what and how much information about the company and its executives is publicly available such as through social media and out-of-office automatic replies. An example of such information is who the suppliers of the company are which may help an attacker craft a more convincing pretext;

• Ensure that employees make use of software or hardware-based multi-factor authentication (MFA) to help protect their accounts from possible hijacking, SIM swapping, and related attacks;

• Have a proper policy in place for the approval of the wiring of large sums. If possible, also require verbal approval.

As long as phishing, and more specifically, business email compromise (BEC) remain lucrative avenues, cybercriminals will keep evolving their techniques and evading defenses to reap their ill-gotten gains. CEO fraud provides cybercriminals with a convincing front by impersonating authoritative figures within an organization and is being used in an ever-growing range of attacks against a wide variety of targets — sometimes even so far as to include customers, suppliers, or other third parties.

In today’s information age, it is increasingly becoming expected of organizations of all sizes to prepare for such scenarios by having the proper policies, testing, and prevention measures in place to stay ahead of the curve, or at very least, make it harder for offenders to pull off their heists.