Protect Your Business from CEO Impersonation Fraud

Kelly Fung
By: Kelly Fung Cyber Security | 26 November

CEO fraud, also known as Executive Phishing or Business Email Compromise, is a type of cybercrime in which the attacker impersonates a CEO, CFO, or other company executive. It is a dangerous form of attack because the impersonator relies on the authority of the CEO to obtain extremely sensitive information or to acquire finances. These fraudsters use some simple IT tricks that may cost you a lot of money.

CEO fraud happens more often than you think

According to an FBI report released in 2020, the Internet Crime Complaint Center (IC3) of the FBI received 19,369 complaints involving Business Email Compromise that amounted to a total loss of approximately $1.8 billion. According to the FBI, these types of cybercrimes are on the rise – especially now that so many people are working from home.

In 2018 The Boston Globe uncovered that Save the Children, a nonprofit organization, lost about 1 million USD in an event of email impersonation fraud. Cybercriminals compromised an organization employee’s email account and sent out fake invoices and documents, leading the organization to send money to a fraudulent entity in Japan.

Toyota, a supplier of auto parts, fell victim to CEO impersonation fraud attacks and lost 37 million USD in 2019. Cybercriminals tricked and persuaded an executive in the company’s financial department to make a wire transfer, according to CPO magazine.

More recently, a cybercriminal even used artificial intelligence-based software to impersonate a chief executive’s voice and demanded a fraudulent transfer of €220,000 ($243,000) to a Hungarian supplier of a U.K.-based energy firm.

But it’s not just big organizations that are being targeted. Even smaller (family) businesses are at risk. In many cases, smaller firms are also being hit by these attacks. Since many cases of online crimes and fraud go unreported, both the number of incidents and the resulting actual losses are likely much higher than we currently know.

In this blogpost we’ll cover how CEO fraud attacks work and how you can easily see through their tactics.


What is CEO Fraud?

Cybercriminals will often use the email account of a trusted senior executive at a company (like a CEO) — or an email address that looks very similar — to trick an employee into transferring them money or extremely confidential information. The attacker pretends to be a trusted person to guarantee that the target does what they’re told. Many smart, well-intentioned employees are reluctant to question a request from their CEO and will simply comply with their requests.

CEO fraud is not to be confused with “whaling”: a phishing attack where the cybercriminal targets a CEO or other senior company employees, rather than impersonating them. CEO-fraud also differs from phishing because cybercriminals also implement other kinds of social engineering strategies, like phone scamming.


How CEO fraud attacks work

Like all social engineering attacks, CEO fraud attacks exploit people’s feelings of trust and urgency. When the CEO needs an urgent favor, employees don’t tend to second-guess them..

There are two main ways cybercriminals can get access to a CEO’s email account:

  • Hacking: Compromising the CEO’s business email account and using it to send emails to employees.

  • Targeted phishing e-mail, also called spear phishing (spear phishing): Sending an email from a fake, almost identical email address as the CEO and impersonating them.


The seven most common CEO fraud attack scenarios

Awareness is key when it comes to prevention. That’s why we’ve made an overview of the most common CEO fraud attack scenarios:

  1. Wire transfer phishing: An employee receives a message from a hacked or spoofed email account of a CEO to pay an invoice.

  2. Gift certificate phishing: The attacker asks the targets to buy them gift certificates (for example, as a surprise to a fellow employee).

  3. Malicious payload: The email contains a malware attachment (phishing).

  4. Money transfer to a foreign supplier: This scam is targeting long-standing wire-transfer relationships with a supplier but asks for the funds to be sent to a different bank account.

  5. Fraudulent invoices: Company suppliers receive fraudulent invoices from an impersonated executive which, you guessed it, they request to be paid to an alternative bank account.

  6. Confidential information: The cybercriminals pretend to be lawyers or executives dealing with confidential and time-sensitive business manners and request classified information.

  7. Data theft: A “top executive” requests the HR department, accounts, or auditing department to send all wage or tax statement forms or a company list of personally identifiable information.

E-mails are often followed up by phone calls from a person who may sound very trustworthy and who asks the employee to accelerate the payments. Upon payment, the cybercriminals will retransfer the amounts to accounts with other banks.


How to prevent CEO fraud

It is important to provide company employees with security awareness education and knowledge that reinforces the importance of paying attention to email addresses, company names, and requests that have even a hint of suspicion. It is also vital that you have measurements in place to prepare your employees for sophisticated phishing attacks.

Sometimes all it takes is paying close attention to emails, website URLs, text messages, or voicemail details, and spotting that there’s a spelling error or that a slightly different email address is used.

It is also wise to have company guidelines in place when it comes to money transfers. For example, a guideline could be that employees should use multi-factor authentication for payment requests. These guidelines should be noted down in an Acceptable Use Policy.


Protect your company against CEO fraud

The CEO impersonator will often try to put pressure on the employee by setting tight deadlines. To do an accurate impersonation of the CEO, they often do very meticulous and detailed research, and take advantage of situations where the executive in question is not easily accessible – for instance, if he or she is on holiday or at a conference. So, what can you do when you receive an email as an employee and suspect CEO fraud?

  • Be on guard for payment requests that are unexpected or irregular, whatever the amount.

  • Verify every money-transfer. Any payment requests with new or amended bank details received by email, letter, or phone should be verified. This includes internal emails containing payment requests.

  • Always check with the person you believe sent the email to make sure it is from them, no matter how busy you both are. If they are not available and the email has requested an urgent reply, check with one of their senior colleagues. But do not verify this by email in case their account has been hacked. Instead, make a phone call, ask in person, or use some other trusted communication method.

  • If in any doubt, do not make the payment, however urgent it may seem or whatever the suggested outcome(s).

  • Educate all staff regarding this type of fraud, particularly those that make payments or install files.

  • Implement two-factor verification before a payment is sent.

  • Be cautious of how much information you reveal about your company and key officials via social media platforms and out-of-office automatic replies.

  • Consider removing information such as testimonials from your own or your suppliers’ websites or social media channels. This information could lead fraudsters to knowing who your suppliers are.

So, there you have it. An overview of what CEO fraud is and what you can do to prevent this from happening to your company. But what should you do if your company falls victim to CEO fraud?


Urgent steps you need to take if your company is victim of CEO fraud

We mentioned before that an unauthorized transfer of funds, a breach of confidential information, and a system being infected by malicious malware can all fall under CEO fraud.

In case of a fraudulent money transfer, you should:

  • Contact your bank immediately and speak with their cybersecurity department.

  • Contact law enforcement.

  • Call an emergency meeting to brief the board and senior management on the incident, steps taken, and further actions to be carried out.

  • And finally, enforce your cybersecurity measures and bring in IT security specialists.

If a malware attack happens, you should contact the IT department immediately. Your company’s IT team can stop the infection from spreading or from compromising your or the company’s personal data.

If there was a breach of confidentiality, it’s best to contact the Data Protection Officer (DPO). The DPO knows all the necessary protocols on how to respond internally and publicly, since you must report it to authorities within 72 hours.

We hope this article will help you and your team prevent CEO fraud from ever happening in your company. The best way you can ensure this is by training your team and making them aware of CEO Fraud.

Consider looking at this free e-book we have written about how your team can become your best defense against cyberattacks and data breaches.