CEO fraud is a simple scam that has cost businesses USD$26 billion worldwide since 2016, according to the FBI. We’re calling for CEOs to step up to protect their business. All it takes is a conversation.
What is CEO fraud?
1Password (like many others) has experienced a recent spate of phishing attempts. The team received emails from an attacker pretending to be me, asking for personal information. Although the scam wasn’t successful at 1Password, businesses all over the world have been less fortunate.
CEO fraud is a form of BEC (Business Email Compromise). An attacker spoofs the email address of the CEO or poses as them in an email. In the message, they ask an employee to transfer money to an account they control, or to provide personal or financial information.
Often, the message will invoke a sense of urgency and put pressure on employees to act quickly. Here’s a real example that resulted in USD$8million going missing.
“Hey, the deal is done. Please wire USD$8 million to this account to finalise the acquisition ASAP. Needs to be done before the end of the day. Thanks.”
If employees are in the middle of an important deal or eager to impress you, it’s easy to see how something like this could catch them off guard.
CEO fraud comes in different forms
In the example above, the email came from the CEO’s spoofed email address, and the attacker knew that a real deal was underway.
Often, this type of attack will have a different reply-to address, tricking an unwitting staff member into sending valuable information to the person running the fraud. In some cases, the domain is just one or two characters different from the real company email address.
Other attacks have been successful using just the name of the CEO. The email comes from a generic email address (Gmail, Yahoo, and so on), set up to look like the personal email of the CEO. Although the scam has many guises, it is essentially the same. A staff member receives an email, signed by someone important, asking for something valuable.
60 percent of emails involved in BEC scams don’t contain a link, so it’s difficult for security systems to detect them. Your team is your best defense. Everyone needs to be on the alert, but finance, HR, and executives are the most likely targets.
It’s for time CEOs to take action
We’re campaigning to raise awareness of CEO fraud in a bid to tackle it head-on, and we’re calling for CEOs to commit to doing the same. Your authority and influence have the power to really make a difference here.
You need to have a conversation with your employees. Let them know that you will never ask them to make a payment or to send personal information over email. When your employees are armed with the knowledge of how to spot and stop fraud, they’re much less likely to be manipulated into complying.
To help, we’ve put together a template to send your employees or use to guide meetings with your teams.
To tighten our security and protect our business, I’m writing to you to highlight a scam that’s costing businesses billions: CEO fraud.
We, as a team, are our best line of defense against such attacks, so please take a moment to read this carefully.
What is CEO fraud?
CEO fraud is when an attacker impersonates the CEO or another high-level executive via email to request either a payment or the transmission of personal or financial information. The email may come from my company email address, an email address very similar to mine, or one that looks like a personal email. For example, CEO fraud could come from an email address like this:
Example CEO fraud emails
“Please pay USD$10,000 to this account to finalize the deal I’ve been working on. This needs to be done by the end of the day. Thank you for your help.”
“I’ve forgotten the password and have been locked out of our banking system. Please send me the password ASAP as I need to close a deal today.”
What you can do about it
If you get an email from myself or someone else in the company asking you to make a payment or send confidential information, question it. If you are unsure, ask the person who sent it either in person (if possible) or via another channel (phone, instant messenger) if the email is legitimate.
Report anything suspicious to [name] [firstname.lastname@example.org].
Most importantly, I will never ask you for the following in an email:
- For you to make a payment
- Your own or company payment details (credit card numbers, bank details, and so on)
- Passwords, verification codes, or secret answers
- Personally identifiable information (phone number, personal email address, date of birth)
- To follow a link to sign in to a bank account
- For you to purchase iTunes or Google Play gift cards
If you ever get an email like this from me, report it immediately.
Thank you for your support in securing our business and protecting our employees.
Make it a company-wide effort
CEOs are valuable targets, and it’s vital that they lead the charge against this scam. But they’re not the only people in your organization vulnerable to Business Email Compromise. It could happen to anyone.
To defend against this fraud in all its forms, make it company policy to never ask for this type of information in an email and provide training on the subject as part of your onboarding process. That way you’ll be protecting your employees from day one.
91 percent of all cyberattacks start with phishing, so although the focus is on spotting suspicious emails, it’s also a good time to go over the basics of spotting all types of phishing with your team.
When employees feel confident and empowered when it comes to security, they’re more likely to make better decisions and spot scams. Remind them of the following good email security practices:
- Always question the legitimacy of any email. If something feels suspicious, double-check with the sender. Ideally, check in person. If you can’t, call or instant message them.
- Never reply to a request for personal information (for example, your Social Security number, phone number, home address) via email.
- Never send payment details, bank details, or passwords in an email. If someone sends you a link that takes you to a login screen, go to the website some other way (for example, via Google search, or by typing in the URL).
- Always scrutinize the email address of the sender, links, any URL you are directed to, or attachments you weren’t expecting.
- Be especially cautious of emails that trigger a warning banner or message.
We hope that you will join us in raising awareness of CEO fraud and Business Email Compromise. The more we talk about it, the less effective it becomes. All it takes is a quick email – or better yet, a training session – to equip your team with the knowledge they need to stop this underhanded scheme in its tracks.