According to figures from the FBI, CEO Fraud (what the FBI calls Business Email Compromise) earned cybercriminals $3.1 Billion dollars between January 2015 and June 2016, that's almost $6 million a day! Here is a step by step breakdown of how it actually works:
It begins with gathering data
The first thing hackers do is see if they can spoof your domain and ultimately, the CEO's email address. They will often troll companies for months learning about key players who control wire transfers and employees' personally identifiable information (PII), like W-2s. They study how the CEO communicates as well as how the target company operates to make their impersonation as believable as possible when they're ready to attempt an attack.
Next, the phish
A spoofed email is then sent to the person in control of what the hacker is seeking. This is typically someone in the finance department, HR department or a member of the executive team. The message normally implies a sense of urgency in an attempt to get the phishing target to do what they ask without question. Another tactic used is waiting until the CEO is on vacation, out of town, etc. Here are a few real world examples of the emails:
- "I'm out of the office but I need you to handle this wire transfer for me ASAP"
- Spoofed message from a legitimate vendor with 'new account information'
- The fraudsters pretend to be lawyers or executives dealing with confidential and time-sensitive matters
- An employee’s email account is taken over and the hacker sends invoices out to company suppliers, money is transferred to bogus accounts.
- Especially this time of year, asking for tax information and W-2s is at its peak
The response (...the part where security awareness training can prevent an attack)
In successful CEO fraud cases, the employee receiving the phishing email acts on the sense of urgency without hesitation, and without verifying the request using an out-of-band line of communication ( pick up the phone). In many if not all cases this happens because the employees are not aware of what domain spoofing is and assume the message is really from the CEO. All employees NEED to be trained to spot an attack like this from a mile away!
Then you see the damage
The cybercriminals have gotten what they hoped for. Fraudulent wire transfers have been initiated and/or PII is now in criminal hands.
But wait... there's more!
The fallout after a successful attack can be devastating to the company and its employees. Here are some possibilities, and no we didn't make this up. These are things that have happened to CEO fraud victims:
- Money is gone forever in most cases. The FBI estimated it's only recovered in 4% of cases, and usually only happens if the fraud is discovered within 24 hours
- CEO and/or CFO gone (see Xoom, FACC AG, SS&C Technologies Holdings)
- Lawsuits Filed (see Seagate, SS&C Technologies Holdings again)
- Intangibles including loss of trust, tarnished reputation, etc.
Let's stay safe out there. CEO Fraud proves how it pays to always Think Before You Click!
CEO Fraud Prevention Manual Download
CEO fraud has ruined the careers of many executives and loyal employees. Don’t be next victim. This brand new manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.
PS: Don't like to click on redirected buttons? Copy and paste this link in your browser: