Maybe you shouldn’t ignore it, but at least wait a few minutes before acting on any urgent request. Nothing makes employees snap into action like a message from the CEO, which is exactly why CEO Fraud has become such a problem. No, Chief Executive Officers are not engaging in dirty deeds at any higher rate than before. Attackers posing as the CEO are exploiting employees’ immediate deference to their top leader to obtain sensitive company information and even to drain bank accounts. Even if you and your staff are just hearing about it, CEO Fraud, better described as CEO Impersonation, is not new. In 2016, the FBI reported a 270% year-over-year increase in CEO Fraud, which it classifies as Business Email Compromise (BEC): more than 17,000 victims and $2.3 billion in losses over a three-year period. Is your organization at risk?
Unlike bulk spam, CEO Fraud is not a clumsy email from Nigeria written in broken English; like most targeted social engineering, it is planned. The attack starts by learning about the company’s top executive. Using LinkedIn and Facebook profiles, along with interviews and anything else a Google search turns up, thieves build profiles of both the CEO and other employees. From those profiles they pick mid-level employees with access to accounts or records and look for a weakness or distraction to exploit. An email imitating the CEO is then sent to that specific employee. The request is specific and urgent, but within the target’s authority, so it does not look out of place. Because there is a natural desire to please the boss, workers put aside other tasks to complete the request quickly, and that sense of urgency is often all it takes to push an otherwise cautious person into careless action.
While common sense is still the first defense against cyber fraud, there are additional red flags that should trigger extreme caution:
- Any email or phone request with a short deadline or a high level of URGENCY.
- An unfamiliar email signature, or one that differs slightly from the sender’s usual signature.
- Tone or language that doesn’t fit what is known about the alleged sender.
- A name or greeting using unfamiliar nicknames.
- Unfamiliar email addresses or phone numbers, including a familiar display name over an unfamiliar address, a lookalike domain that differs by a character or two (for example “rn” in place of “m”), or a Reply-To address that does not match the From address.
- Any request that suggests, or would require, bypassing policies or standard procedures, especially one asking for secrecy.
Even absent these indicators, a message can be fraud. Criminals are sophisticated, and the bigger the potential reward, the greater the care they will take in constructing the con.
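The address-related red flags above can be checked mechanically before a message ever reaches an inbox. The following is an added example, not code from the original post: a small Python checker that scores a raw email for display-name spoofing, lookalike domains, a mismatched Reply-To, urgency language, and requests to bypass procedure. The corporate domain, the executive directory, the keyword lists and the two sample messages are all constructed for illustration and should be replaced with your own.

```python
"""Score an e-mail for CEO-impersonation (BEC) red flags.

Added example, not part of the original post. The corporate domain,
executive directory, keyword lists and sample messages are constructed
for illustration; tune them to your own organisation.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain and a directory of senior staff, keyed by the
# display name an employee would recognise (constructed for this example).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

URGENCY_WORDS = ("urgent", "immediately", "right away", "asap", "today")
BYPASS_WORDS = ("keep this confidential", "don't tell", "do not tell",
                "skip the usual", "no need to follow",
                "i will handle the paperwork")
# Character substitutions attackers use to build lookalike domains.
HOMOGLYPHS = {"rn": "m", "0": "o", "1": "l", "vv": "w"}


def normalise_domain(domain: str) -> str:
    """Collapse common homoglyph tricks so 'exarnple.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance_one(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def is_lookalike(domain: str) -> bool:
    """A lookalike is not the real domain but is homoglyph-equal or one edit away from it."""
    domain = domain.lower()
    if domain == CORPORATE_DOMAIN:
        return False
    return (normalise_domain(domain) == CORPORATE_DOMAIN
            or edit_distance_one(domain, CORPORATE_DOMAIN))


def score_message(raw: str) -> list:
    """Return the list of red flags raised by a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []

    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Known executive's display name over an address that is not theirs.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name].lower():
        flags.append("display-name-mismatch")
    if domain and is_lookalike(domain):
        flags.append("lookalike-domain")

    # A Reply-To that differs from From sends the victim's reply elsewhere.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        flags.append("reply-to-differs")

    body = msg.get_payload().lower()
    if any(w in body for w in URGENCY_WORDS):
        flags.append("urgency")
    if any(w in body for w in BYPASS_WORDS):
        flags.append("bypass-procedure")
    return flags


# Constructed sample: a classic CEO-impersonation attempt.
SUSPECT = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@gmail.com
To: pat@example.com
Subject: Quick favour

Pat, I need a wire sent today before I board. Keep this confidential,
I will handle the paperwork when I land. Send it immediately.
"""

# Constructed sample: a routine message from the real account.
BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: pat@example.com
Subject: Board deck

Pat, could you send me the Q3 numbers when you get a chance? No rush.
"""

if __name__ == "__main__":
    print("suspect:", score_message(SUSPECT))
    print("benign: ", score_message(BENIGN))
```

The checker deliberately reports every flag rather than a single verdict, so a mail gateway or SOC rule can weight them: a lookalike domain or a mismatched Reply-To alone is worth a hold, while urgency wording on its own is too common to block on. It does not catch a transposed domain such as “exampel.com” (two edits), nor a compromised real account, which is why the out-of-band confirmation steps below still apply even when nothing is flagged.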
Follow these steps to avoid CEO Fraud attacks:
- Never act on a request for sensitive data or a money transfer by replying to the message that made it; a reply goes wherever the sender’s Reply-To points, which in a spoofed message is the attacker.
- Instead, start a new email to the address you know from the company directory, not the one shown in the message.
- Better still, confirm important requests through a different channel entirely: an instant message, text, or phone call to a number you already have.
- Never use contact information included in the original email, including the phone number in its signature.
One of the critical factors in cyber-attacks against humans is that it only takes one distracted person for the attack to succeed. You are reading this, so for now you are not that weak link. What about the people in the next office? Every company needs a culture of security awareness, with constant reinforcement. Share this post. Start the conversation and keep your organization from being the next victim of CEO Fraud, Spear Phishing, or any of the other attacks that target staff rather than systems.
— ♦ —
Frontier security experts can schedule a security check-up and train your full staff to be alert to every cyber security threat.