CEO fraud attacks spoof or hijack executive email or other accounts to get employees to wire money or reveal sensitive information

“CEO Fraud Attack” Readiness is Only Assumed

CEO fraud attacks succeed due to untested, unjustified confidence in employee readiness. Enterprises must take them more seriously. The scam’s tactics and techniques are hardly indefensible. Employees simply are not prepared. Quick confession: I once thought such confidence was warranted. However, numerous real-life examples changed my mind. We need others to change their mind too.

CEO Fraud Problem Pervasiveness & Impact

The FBI reported the following last year:

  • More than $2.3 billion in reported losses to such scams (October 2013 through February 2016)
  • Since January 2015, the FBI has seen a 270 percent increase in identified victims and losses
  • From October 2013 through February 2016, law enforcement received reports from 17,642 victims
  • In Arizona, the average loss per scam is between $25,000 and $75,000

Here’s a sampling of reported examples:

  • Toy maker Mattel lost $3 million in 2015 (later recovered)
  • Tech firm Ubiquiti lost $46.7 million in 2015 (recovered $8 to $15 million)
  • The Scoular Co, a commodities trader, lost $17.2 million (reported in 2015)
  • Leoni AG, a manufacturer of electrical cables, lost €40 million in 2016

Cyber Insurance and Other Losses

Do not assume that your cyber insurance has you covered for CEO fraud. This article by Brian Krebs reports that insurers are pushing back on such claims. Assume nothing until the question has been settled in the courts.

And do not assume fraudsters only pursue wire transfers. Seagate HR staff were fooled into handing over the W-2 forms of more than 10,000 current and former employees. A similar incident hit Snapchat in 2016 as well.

The Least You Need to Know of CEO Fraud

CEO Fraud tactics usually involve spoofing emails from executives and leveraging the trust employees place in those executives, and their fear of them, to coerce employees into transferring money or revealing confidential data. Technically, the emails come either from a look-alike domain or from a genuinely compromised executive account (the FBI files both under Business Email Compromise). Technology sometimes detects the former, but because these messages are not mass-mailed they evade the volume-based filters that catch ordinary phishing. The latter can only be detected by human judgment: an employee's familiarity with the executive contrasts with something in the fraudster's email and evokes suspicion.
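As an added illustration of the two technical variants described above (this is example code, not code from the original article), here is a screen over message headers that flags the markers a mail gateway can actually see: a look-alike sender domain, an executive's display name on the wrong address, a Reply-To that redirects responses elsewhere, and a message claiming our exact domain that did not pass DMARC. The domains, executive names and sample messages are constructed; the homoglyph table and the edit-distance threshold are assumptions to tune for your own domains. Note that the legitimate message produces no findings, which is exactly what mail from a compromised executive account would also produce.

```python
"""Header-level screen for spoofed-executive email (added example, constructed data)."""
import email
from email.utils import parseaddr

# Constructed for this example: the organization's own domain(s) and the
# executives worth impersonating (display name, lower-cased -> real address).
CORPORATE_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Visual substitutions commonly used to build look-alike domains (assumed list).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain):
    """Lower-case a domain and undo the common visual substitutions."""
    d = domain.strip().lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance; domains are short, so the simple dynamic-programming table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, legit=CORPORATE_DOMAINS, max_distance=2):
    """Return the legitimate domain this one imitates, or None.

    Exact matches are legitimate by definition. Any sibling domains you own
    (example.org, example.co.uk) must be listed in `legit` or they will be flagged.
    """
    if domain in legit:
        return None
    norm = normalize_domain(domain)
    for real in legit:
        if norm == real or levenshtein(norm, real) <= max_distance:
            return real
    return None


def screen_message(raw):
    """Return the list of technical indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. An executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append(f"display-name impersonation: '{from_name}' from {from_addr}")

    # 2. A sender domain that imitates one of ours.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"look-alike domain: {from_domain} imitates {imitated}")

    # 3. Reply-To pointing away from the From domain, so the employee's reply
    #    lands in the scammer's mailbox even when the From line looks right.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to redirection: {from_domain} -> {reply_domain}")

    # 4. A message claiming our exact domain that our gateway did not mark dmarc=pass.
    #    A genuinely compromised executive account passes this check, which is why
    #    that variant is left to human judgment.
    auth = msg.get("Authentication-Results", "")
    if from_domain in CORPORATE_DOMAINS and "dmarc=pass" not in auth:
        findings.append(f"exact-domain spoof suspected: {from_domain} without dmarc=pass")
    return findings


# Constructed sample messages.
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jd.ceo.urgent@freemail.example.net>
To: payments@example.com
Subject: Urgent wire - confidential

I need a wire of $47,500 processed today for an acquisition. Keep this between us.
"""

DIRECT_SPOOF = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.personal@freemail.example.net
To: payments@example.com
Subject: Re: wire

Please do not call, I am in meetings all day. Just send it.
"""

LEGITIMATE = """\
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
From: Jane Doe <jane.doe@example.com>
To: payments@example.com
Subject: Q3 vendor payment schedule

Attached is the approved schedule. Please process per the usual procedure.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("direct spoof", DIRECT_SPOOF), ("legitimate", LEGITIMATE)]:
        print(label, screen_message(raw) or ["no technical indicators"])
```

Run it and the look-alike message trips three checks, the exact-domain spoof trips two, and the legitimate message trips none. Treat the findings as triage signals for the verification process, not as a verdict: the threshold and homoglyph list will produce false positives on unrelated short domains, and a compromised account produces no findings at all.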

BTW, fear of executive wrath is a scammer’s best friend. The more you see this in your organization, the more susceptible it is.

Fortunately, a vigilant verification process backed by a wary corporate culture can defeat any variant. Here's the problem: a policy document on its own is worthless. Note the adjectives "vigilant" and "wary". Thousands of these attacks succeed every year because organizations assume they have those adjectives covered, and make asses of themselves in the process. Scammers are fooling smart, seasoned people with plausible scenarios, usually after having done considerable research on the target.

The details for a verification process are fairly obvious and easily found. The seriousness and tactics of the scams are as well.

What You Need to Do about these Social Engineering Risks

CEO Fraud is like any other cyber readiness issue. Nothing tested and nothing exercised means nothing is ready! That is why these scenarios must be exercised against real employees, not merely written down.

And, please don’t assume your peers get this. This is why the bad guys are succeeding and their numbers are growing with news of their success. Please help spread the word that while stupid cannot be patched, foolishness and fear can be tested and corrected.

Finally, a tip about testing. Its effectiveness is proportional to the plausibility of the test scenarios. In other words, devise scenarios that are even more credible than those conceived by scammers. After all, the scammers are often thousands of miles away and speak a different language, yet they still succeed. If you outsource this, do not settle for generic scenarios. Insist on those tailored to your organization. Your adversaries will!

Many weak cyber postures exist due to low urgency. Spread the urgency, and the call to action is “take CEO Fraud seriously”.