Because of the urgency expressed in the emails, their “realness” and the (perceived) power of the sender within the organization, employees receiving these emails often act on them. Inspect emails with requests of a financial nature (transfers, changing payment information, etc.) very carefully. Pay special attention to the following elements:
The sender: Often CEO fraudsters use email addresses that are very similar to the real address of a CEO or manager, but contain slight variations. Links & attachments: Only click on links and open attachments you completely trust and if you fully trust the sender. BEC scammers often include links and attachments with malware in their emails in an attempt to steal your or your company’s data. Urgency: Usually CEO scammers will express urgency in their emails. They might ask you to make a big transfer the same day and tell you it’s urgent. Also, they often claim to be too busy (“I’m in a long meeting”) to discuss the request in further detail. Secrecy: CEO fraudsters will often make their victims believe what they’re about to do is “top secret“. For instance, they might say the fake merger they need money for is supposed to be a secret until it’s finalized. They do this to prevent employees from discussing fraudulent requests with colleagues or supervisors.
But what is CEO fraud exactly? How does it work? How do you prevent CEO fraud as an employee or company? What should you do if you’re a victim? What are some examples of big companies falling victim to CEO fraud? Cases of CEO fraud are only expected to increase. Here’s what you need to know about it.
What Is CEO Fraud?
CEO fraud is a (generally) sophisticated way to scam large companies and organizations. The goal is to deceive employees into transferring funds to scammers. To this end, the scammer will pretend to be the CEO, founder, or an important company employee. The perceived difference in the hierarchy within the organization can make “lower-ranking employees” quite intimidated to do what they think their “CEO” wants them to do. Often, criminals will contact an employee by email, requesting an urgent wire transfer. The email might look like something in the example down below.
Employees who are authorized to make payments or sign documents should be very aware of the dangers of CEO fraud. However, all employees within an organization can in theory be targeted. In fact, according to cybersecurity firm Barracuda, 77% of these attacks target employees outside of financial or executive roles!
Business Email Compromise (BEC)
CEO fraud is a form of Business Email Compromise. This type of scam relies on manipulating people’s behavior using deception (social engineering) by sending an email that claims to come from someone within the company or a related party, such as a supplier. This kind of fraud can and often does rely on very crafty techniques and strategies. Criminals can sometimes hack the CEO’s legitimate email account (or a manager’s account, for instance). Subsequently, they will monitor and analyze how the CEO or manager communicates. Now they can deceive others within the organization by using an email address and a way of being addressed that’s familiar to them.
CEO Phishing is Getting More and More Common
According to Barracuda, the average organization experiences 700 social engineering email attacks per year. As discussed before, attackers don’t always impersonate the CEO, but sometimes other executives. Regardless of who they choose to impersonate, the damage is often devastating: according to the FBI, such scams can cost billions. It’s very likely the real numbers are even higher. After all, not all attempts go reported. The same is likely true for many cases where the fiscal damage is relatively low. Moreover, the increase in remote work post-pandemic has no doubt increased reliance on communications. Hence, there is a high probability that CEO fraud cases will only increase.
How Does CEO Fraud Work?
There are two main strategies that CEO fraudsters use to scam companies. The first is by sending an email from a domain (the part that comes after “@”) that’s virtually identical to the actual domain name of the company or contains only very slight variations.
The above is called domain spoofing. This can be done in exceptionally crafty ways. For instance, there is a large company that operates all over Europe and sells consumer electronics, called MediaMarkt. Can you easily spot the difference between “example@mediamarkt.com” and “example@mediarnarkt.com”? This example shows just how similar CEO fraudsters can make different domains look. The second CEO fraud strategy is arguably even more dangerous: actually hacking an employee’s corporate email account, or even worse, an executive’s email account to send credible scam emails and get authorized employees to make fraudulent payments. There are different ways these hacks can happen. A common one is spearfishing: a calculated phishing attack that targets one specific employee. Scammers will mislead the employee by sending him an email that addresses him/her correctly and contains a credible story. They’re prompted to click on a link or attachment that contains dangerous malware. This dangerous malware actually allows criminals to hack the victim’s accounts, such as their email.
The attachment included in the fraudulent email above actually contains malware. Upon clicking the file it will prompt you to download a data-stealing executable.
Recognize CEO Fraud
Recognizing CEO fraud is essential to avoid significant losses. Criminals often create compelling emails that make it hard to spot CEO fraud. However, there are a few red flags that give them away.
Frequently used Business Email Compromise strategies
Before business email scammers attack an employee, they do their research. Once they know the person and what their responsibilities are and what they are authorized to do and what not, they will approach them with a “fitting” request. For instance, an account manager will most likely not be able to transfer millions of dollars without authorization. However, scammers might get them to purchase a few gift cards for “business partners” or to be written off as entertainment expenses. They might get the manager to change some payment information, providing the criminals with an easy way to drain a company. Depending on their target, CEO fraudsters generally try to get their victims to do one of the following things:
Transferring money for an (obviously fake) merger, to pay shareholders, or for some sort of project Purchasing gift cards, claiming that these are for partners or colleagues Changing payment information because of a made-up issue or change experienced by a beneficiary Getting them to pay fake invoices which are carefully crafted based on current company projects or previous invoices
Email warning signs
Apart from the CEO fraud strategy used, there are usually other warning signs within a CEO spear-phishing email. As such, we recommend paying attention to the following elements of the emails you receive:
The sender: CEO fraudsters often try to fool recipients by sending their emails from a domain (the part after “@”) that’s very similar to the actual domain of a company. Inspect the exact email address that the email came from, before taking any other action. Most email providers, such as Gmail, allow you to see the email address by clicking on the sender’s name. Links: Be mindful of any links you find in the email. After all, many spear phishers use malicious links to spread malware or steal login details. Be especially careful when you see shortened links (such as bit.ly links). You can check the destination of a link by just hovering over it. We also strongly recommend checking if a link is safe by running it through a tool built to do just this: such as Norton Safe Web. Attachments: Just like links, attachments are also often used to spread malware and steal information. As such, only open attachments when you expect them and from sources you trust.
Warning signs in the email text
The texts and messages in CEO fraud emails often share some common characteristics, which we’ll list below.
Authority: The emails rely on displaying (fake) authority, by urging someone to do something (rather than requesting) much like a supervisor would do. In other words, the criminals will abuse the position in the company hierarchy of the person they’re imitating. Secrecy: The fraudster stresses you’re not supposed to discuss his request with colleagues or managers. He’ll claim that it’s supposed to be a surprise or secret. He might claim for instance that he needs you to buy some gift cards as a surprise for some colleagues or partners. Urgency: Whatever the request, the fraudster will stress it needs to happen fast. After all, giving the employee little time to think clearly is an important part of the scam working. They will also stress the task given to the employee is very important. The employee thinks that they are going to play an important role in executing the strategy. Flattering the victim: Although pressure is an important element of these scams, so is praising the victim and making them believe they’re special. The criminals will tell them they’re the only ones who “can be trusted with this task.” Assurance (“everything’s okay” ): Generally the criminals will come up with an excuse for not being able to discuss the assignment in more detail. “The CEO” might claim to be in an important meeting. To assure the victim everything is okay, they might come up with a fake verification method. For instance, they could give the employee the phone number of a fake law firm. Since these people work together with the scammers, they will obviously assure the employee everything’s okay.
Preventing CEO Fraud
Now that you know examples of CEO fraud and the warning signs, the next step is learning to prevent it. There are different methods to protect yourself from these scams, but the most important one by far is raising awareness within your entire organization about these scams. Below we’ll give some specific tips for both employees and companies on how to prevent CEO fraud.
Tips for employees
As an employee at a (large) organization, you’re very likely to receive multiple CEO phishing emails during your career. Therefore, below we’ve listed some tips on preventing CEO fraud.
Always check out the sender. Click on the name of the sender to see their full email address. Check for any abnormalities. If the sender mentions a bank account in the email or in an invoice, always check whether the account number is among the ones currently known by the finance department. Keep educating yourself on the latest spear-phishing and CEO scams. Do discuss suspicious emails with a colleague or superior, even if the mail claims you shouldn’t. If you are let in on a company secret, you’ll most likely have to sign a non-disclosure agreement. Ideally, discuss a suspicious email request with the email’s sender or the one they’re imitating (by call or private meeting). It might seem daunting to contact your CEO or manager, but it’s still the best way to prevent CEO fraud.
Tips for companies
As a company, it’s almost impossible to completely protect yourself against CEO scams and other social engineering attacks. After all, a company’s security is generally only as strong as its weakest link (employee). Therefore, training your employees to recognize CEO fraud is crucial. Apart from that, be sure to follow the tips down below.
Establish clear protocols and rules in place for transferring large amounts of money. There should also be a double verification system for big transfers. Create and enforce clear rules and guidelines for changing payment details. Ideally, contact the partner, supplier, or a related party whose payment info is being changed directly for verification. Make two-step verification mandatory for every employee’s email account. That way, even when criminals obtain their login details, they won’t be able to access their accounts. Organize a security audit of your own organization. You can do this yourself, by sending your employees a phishing email unannounced at an unexpected time. Subsequently, it’s important to provide additional training to employees who fell for the scam. Alternatively, you could procure the services of a company specialized in these audits, such as Cofense. They offer both security audits and anti-phishing training. Make sure your organization invests sufficiently in cybersecurity. You might consider purchasing some tools are software that specializes in preventing phishing and CEO fraud, such as the ones offered by Cofense.
What to Do if You’re a CEO Fraud Victim
CEO fraudsters are exceptionally crafty in the way they trick their victims. As such, it’s highly likely at some point one of your employees becomes a victim of CEO fraud. If you’ve been a victim of CEO fraud, here’s what you can do.
Famous CEO Fraud/Business Email Compromise Cases
Finally, we’ll discuss some big CEO fraud/BEC scams to give you an insight into how these scams usually start and unfold. BEC scams often target billion-dollar corporations, and sometimes even governments!
Toyota Business Email Compromise scam
We start off with one of the biggest BEC scams ever committed. On August 14, 2019, scammers convinced an employee at the finance and accounting department of Toyota’s European subsidiary (Toyota Boshoku Europe N.V.) to transfer a whopping 37 million dollars (about 4 billion yen) to another account! The exact details of the case are unknown. However, some sources speculate the malicious party made the employee essentially panic into paying. They allegedly did this by claiming Toyota’s production would be slowed down significantly if payment wasn’t made swiftly. Creating this sense of urgency is a common CEO fraud and phishing trick.
Cinema giant Pathé invents new genre with “double CEO fraud”: cyberdrama
The next case serves just as well to show that even huge multinationals can fall victim to CEO fraud. In a way, this case concerns “double CEO fraud.” After all, someone pretending to be the CEO of the French parent company tricked the CEO of their Dutch subsidiary. They claimed they needed a hefty sum for the acquisition of a competitor in Dubai. The Dutch CEO was rightfully suspicious and discussed the matter with the CFO (Chief Financial Officer). After explaining to the criminals’ additional verification was needed, the scammers provided this, or rather, they sent another fake but very cleverly-worded email from a different account that the Dutch CEO fell for. The total damages of all the fraudulent payments amounted to about 22 million dollars. This happened back in 2018.
Puerto Rican government victim of phishing
This next scam shows that not just organizations and companies can fall prey to CEO fraud and spear-fishing scams. The same thing can happen to government institutions. On January 17, 2020, Puerto Rico’s Industrial Development Company lost over $2.6 million in a phishing scam. They were contacted by a malicious party, presumably posing as a partner or beneficiary. The criminals asked them to change a bank account tied to remittance payments. A Puerto Rican government official obliged, causing the devastating financial loss.
Scammers Are Getting More Creative By The Day
These examples ought to show you that scammers are getting more and more creative by the day. CEO fraud is a serious problem, especially for smaller businesses that simply can’t afford such losses. Other types of fraud are also becoming popular, such as help desk fraud or WhatsApp scams. It’s important to remain up to date with what’s happening so you can keep yourself safe.
Always carefully inspect the email address that the email you received comes from. Often CEO fraudsters use an email address that’s slightly different from the person they’re impersonating. Discuss suspicious emails with your supervisor or colleagues. Ideally, discuss the request you received by email in person or by phone with the email’s (impersonated) sender. Create and enforce clear rules when it comes to making payments and changing payment info in your organization.
