CEO Fraud: The $1.2 billion cybersecurity problem


The FBI has put a price tag on a security issue that’s threatening to ruin businesses. According to its figures, $1.2 billion has been lost to so-called “CEO Fraud,” a particularly damaging form of phishing attack.

Most often, these attacks, sometimes called Business Email Compromise (BEC) scams, start with a spearphishing campaign against high-ranking company officials.

Then the reconnaissance phase begins, according to Brian Krebs.

Finding patterns

Attackers will take their time with the next phase, gathering intelligence on the target. By observing their email habits, they’ll be able to ascertain who the C-level deals with through email correspondence, especially as it relates to money transfers and payments.

Using this information, they’ll request a large money transfer be made to an account (usually overseas, often in Asia), and wait for the money to come in.

In other instances, attackers may not have access to an executive’s email account, but will scrape information from the company’s website to find who handles invoices and then send the request from an address that appears to belong to the executive but uses a slightly misspelled domain name.

Billions stolen

To date, CEO Fraud attacks have been found in all 50 states and several countries worldwide. On average, the attack will net about $100,000 each time it’s successful.

That has led to a $1.2 billion industry worldwide, according to the FBI.

Part of the reason it’s so successful: It evades security tools, relying instead on human intelligence and mimicking established behaviors. A smash-and-grab phishing attempt is crude, sent to hundreds or even thousands of recipients, and easily detected; CEO Fraud puts more time in up front to reap larger rewards later.

If the attack works and the payment is made, the first indicator something is wrong will be when the money has already left the business.

Preventing attacks

The best way to prevent an attack would be to shore up your anti-phishing measures – especially for the C-level, accounting and other key personnel. Make sure they realize that it’s always better to verify requests in-person or over the phone if they have doubts about them.

For IT’s part, if you notice what appears to be a breach or compromise, but there’s no immediate fallout, proceed as if you’ve been compromised. Err on the side of caution by forcing password resets in case what you’ve discovered is an initial attempt to conduct cyberespionage rather than an isolated incident.

Finally, make sure there’s an official system and policy in place for financial requests. Sticking to policies that include multiple forms of verification can help your people recognize when a request isn’t conforming to established procedures, and can put a stop to it before the damage is done.
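As an added example (not from the article or any vendor), here is a small Python triage check for the misspelled-domain trick described earlier: it folds common look-alike characters, measures edit distance from the organization’s real domains, and flags messages whose Reply-To routes answers to an outside domain. The domain names and sample headers are constructed for the example.

```python
import re

# Constructed for this example: the organization's legitimate sending domains.
LEGIT_DOMAINS = {"examplecorp.com"}

# Character pairs that look alike in common fonts; fold them to one canonical form
# so "exarnplecorp" and "examp1ecorp" both collapse onto "examplecorp".
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    domain = domain.lower()
    for lookalike, canon in _HOMOGLYPHS:
        domain = domain.replace(lookalike, canon)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance where insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def classify_sender(from_addr: str, reply_to: str = "") -> str:
    """Return 'trusted', 'reply-to-mismatch', 'lookalike' or 'external'."""
    dom = sender_domain(from_addr)
    if dom in LEGIT_DOMAINS:
        # Genuine domain, but a Reply-To pointing elsewhere diverts the conversation.
        if reply_to and sender_domain(reply_to) not in LEGIT_DOMAINS:
            return "reply-to-mismatch"
        return "trusted"
    # Distance 1-2 after homoglyph folding is the typosquatting sweet spot.
    if any(levenshtein(normalize(dom), normalize(legit)) <= 2 for legit in LEGIT_DOMAINS):
        return "lookalike"
    return "external"


SAMPLE_MESSAGES = [  # constructed sample headers
    {"from": "ceo@examplecorp.com", "reply_to": ""},
    {"from": "ceo@exarnplecorp.com", "reply_to": ""},  # "rn" standing in for "m"
    {"from": "ceo@examplecorp.co", "reply_to": ""},  # truncated TLD
    {"from": "ceo@examplecorp.com", "reply_to": "ceo.examplecorp@mail.example"},
    {"from": "vendor@supplier.example", "reply_to": ""},
]


def triage(messages):
    return [(m["from"], classify_sender(m["from"], m["reply_to"])) for m in messages]
```

Run `triage(SAMPLE_MESSAGES)` to see each header paired with its verdict; anything other than "trusted" is a candidate for the out-of-band verification the article recommends.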
