CEO Fraud: How It Happens and How to Deal With It

21.08.2019

It’s an awful crime to pose as someone else for purposes of personal gain.

The Federal Bureau of Investigation (FBI) puts the cost of CEO fraud at $12 billion. In 2018, global losses rose by 136%.

In the US alone, CEO fraud has been documented in all states. On an international scale, the scam has been reported in 150 countries. This confirms that it is becoming a more sophisticated crime.

What is CEO fraud?

CEO fraud is a scam that involves impersonating an organization’s senior executive (most commonly the CEO), with the aim of having payments diverted, unauthorized transactions executed, or confidential information sent to a destination the fraudster controls, such as a bank account or an email address.

Fraudsters usually target an organization’s finance department by phone or e-mail.

But how exactly do they carry out the fraud? Let’s take a good look at how it goes from start to finish:

Conception

This is the stage where most of the researching, stalking and extracting of information takes place. Fraudsters gather the relevant data to initiate the fraud.

This may well be the time when trash intelligence (TRASHINT) is practiced. Small and medium enterprises are the common targets, since confidential information may not be disposed of properly.

The CEO is always the perfect target for impersonation. Fraudsters exploit a CEO’s natural position of authority so that employees follow instructions without questioning who is really issuing them.

Once fraudsters set their eyes on who to impersonate, they replicate the entire persona based on the data they gather: personal information, academic background, service record, family background, and even the traits and personality.

If one minor detail gives them away, it will be the end of their plan.

How to thwart this stage: Prevention is key. Undertake small yet sure measures to keep data secure. Shred all confidential documents that are of no use anymore. Regularly train employees on information security.

Attack

This is the stage where the attack methods are executed.

Phishing
Fraudsters send phishing emails to a large number of users at the same time, in the hopes of “fishing” out confidential information. These are often complete with logos, slogans, and other company-related branding.

Phishing emails, under the guise of the CEO as the sender, may be sent to employees of the company’s finance department asking for urgent details about the tax information of all the workers.

Spear phishing
This is a more focused kind of phishing. Fraudsters determine who to send phishing emails specifically to.

In typical spear phishing, fraudsters send a spoofed email to a specific employee, addressing them by their full name to make it appear legitimate.

Executive whaling
Fraudsters target the company’s VIPs—top-level executives, administrators, directors—in an attempt to extract money from company accounts or get hold of sensitive financial data. This is a more sophisticated method of attack that requires more in-depth knowledge about the VIPs and the organization itself.

Social engineering
This employs psychological manipulation to trick unsuspecting people into giving access to their funds or disclosing sensitive information. Social engineering gathers information from social media sites and mines a lot of data from a user’s digital footprint.

Here are classic templates of CEO fraud:

Mary, this is urgent. I need you to transfer $200,000.00 to this account number xx-xxxx-xxx. I am on vacation so I am unable to do this myself.

Edith, please reply to this e-mail with an attachment of all our employees’ W-2 and their contact details. I need it ASAP for our company’s accreditation.

How to thwart this stage: Hire a professional cybersecurity specialist to train your own IT security team. Devise defensive strategies to make sure no breach will occur.
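Mail-filtering logic that flags the indicators the spoofed messages above leave behind (an executive's display name on an outside address, a lookalike domain, a Reply-To pointing elsewhere, combined with urgency and a money or W-2 request). This is an added example, not code from the original post; the company domain, executive list and sample messages are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the company's own domain and its executives' real addresses.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # lower-cased display name -> address
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away)\b", re.I)
REQUEST = re.compile(r"\b(wire|transfer|account number|w-?2|payroll|gift cards?)\b", re.I)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw: str) -> dict:
    """Return CEO-impersonation indicators for one single-part RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(addr)
    text = msg.get("Subject", "") + "\n" + (msg.get_payload() if not msg.is_multipart() else "")
    known = EXECUTIVES.get(name.strip().lower())
    ind = {
        # display name is an executive's, but the address is not theirs
        "display_name_spoof": known is not None and addr.lower() != known,
        # sender domain is not ours but closely resembles it (e.g. one character swapped)
        "lookalike_domain": from_domain != COMPANY_DOMAIN
            and SequenceMatcher(None, from_domain, COMPANY_DOMAIN).ratio() >= 0.8,
        # From: may be forged exactly; replies then go to a domain the fraudster controls
        "reply_to_mismatch": bool(reply_to) and domain_of(reply_to) != from_domain,
        "urgency": bool(URGENCY.search(text)),
        "financial_request": bool(REQUEST.search(text)),
    }
    # flag only when a header anomaly coincides with urgency or a money/data request
    header_issue = ind["display_name_spoof"] or ind["lookalike_domain"] or ind["reply_to_mismatch"]
    ind["flag"] = header_issue and (ind["urgency"] or ind["financial_request"])
    return ind

# Constructed samples modelled on the two templates above (account number is a placeholder).
WIRE_REQUEST = """From: Jane Doe <jane.doe@examp1e.com>
Subject: Urgent

Mary, this is urgent. I need you to transfer $200,000.00 to account number xx-xxxx-xxx.
"""
W2_REQUEST = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@webmail.example
Subject: Accreditation

Edith, please reply with all our employees' W-2 and contact details. I need it ASAP.
"""
```

Running `score_message` over both samples flags each for a different reason: the wire request by its lookalike domain and spoofed display name, the W-2 request by its Reply-To mismatch alone, which a display-name check would miss.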

Response

This is the stage where the target receives the correspondence from the fraudster. The unsuspecting target will immediately act on the instruction from the fake CEO.

Often without further reflection or questioning the source of the correspondence, the target then proceeds to follow the orders of the boss.

This is the make-or-break point of the scam. The target may carry out the instruction and only later realize that it was a fraud. Or, the target may exercise critical thinking and common sense amid the false sense of panic created by the fraudster, and investigate whether the instruction is legitimate.

How to thwart this stage: Establish and enforce a standard operating procedure for wire transfers and information requests. Appoint point persons and regularly train and orient employees on detecting fraud. Emphasize transparency at all times.

Damage

This is the stage where the actual breach takes place. Money has been transferred or information has been divulged. Either way, a serious breach has occurred that places the entire organization at risk.

At this point, we can say that the attack is successful, as fraudsters have gained access to what they are really after.

How to deal with this stage: Unfortunately, this stage cannot be thwarted once the damage has been done. The organization should instead carry out damage control and ensure that the remaining funds and information cannot be accessed.

Outcome

This is the stage where the damaging results of the CEO fraud are evident. The employees and the organization itself suffer from the scam.

In most cases of CEO fraud, only 4% of the total money lost is recovered. In some instances, full recovery is next to impossible.

The rest of the damage occurs in a domino effect:

An investigation takes place, incurring additional resources
Following command responsibility, people get fired including the CEO, CFO, and their subordinates
Lawsuits are filed against those proven to be negligent
The company loses its positive image, sales immediately drop, the public loses trust

How to deal with this stage: Allow the legal department to conduct an internal investigation. Hire a third-party security team or intelligence specialist to gather more information. Coordinate with law enforcement agencies to pinpoint the attacker. Form a capable PR team to execute aggressive and effective damage control measures. Re-hire employees if needed.
