One of the most successful cyber-attacks of 2022 was CEO fraud, also known as business email compromise. It is one of the most profitable types of attack and has seen a significant increase, said cybersecurity training and awareness company KnowBe4 Africa content strategy senior VP Anna Collard.

Cybercriminals impersonate the CEO or a high-level executive using email, deep fakes or audio files to trick staff into providing access to critical business information, systems or even authorising fraudulent payment transactions. It is pervasive and requires that companies pay very close attention to security protocols that are designed to mitigate this threat, she explained.

“This type of fraud is one of the most prolific at the moment, probably because it has been so successful. Essentially, the cybercriminals either spoof or compromise the CEO or executive’s email and then use this to send instructions to key employees.

“Sometimes, they even combine these messages with voice notes using deepfake audio to mimic the executive’s voice, and instruct employees to transfer money or provide password information or give them access to certain systems. The fake CEO is so convincing that employees do exactly as they are told,” she explained.

Overcoming the threat requires both financial controls, such as segregation of duty so that no single person is responsible for every stage in the payment process, as well as awareness training.

This involves constant reminders and awareness training across every level of the company that underscores the insidious nature of social engineering and the risks of business email compromise, noted Collard.

“Training and awareness are absolutely the best line of defence against the BEC attack. This can potentially stop the initial phishing attempt that exposes the CEO’s information in its tracks, and, if that fails, it can even prevent the payment from taking place because the employee is asking the right questions instead of racing to do what they are being told.

“If people are aware of how these scams are perpetrated, they can make informed decisions that can save the company millions,” she highlighted.

Further, the success rate of business email compromise is high because the attack vector works purely on social engineering a human and without the use of any malicious software. Attackers play the long game when it comes to penetrating the systems and gaining access to the CEO’s emails.

“It usually starts out with a phishing campaign. Users in the company are targeted with phishing emails that ask them to enter information into very realistic-looking websites. These emails are designed to lure employees in so that they accidentally hand over their account details to the cybercriminals.

“Once they have those, they enter into the company system and attempt to compromise the CEO or other people at the executive level, such as the CFO. Once there, they can build compelling business email compromise scams by sending emails directly from the compromised accounts,” Collard said.

Once the hackers have access to the CEO’s email system, the chances of them succeeding at siphoning millions from the organisation increase exponentially. According to the US Federal Bureau of Investigation, the price tag attached to business email compromise scams exceeded $43-billion in 2022.

Further, according to a recent cybersecurity company Trend Micro report, respondents believe that the top cyberthreat of 2022 was business email compromise and that they saw an increase of successful cyber-attacks from 84% to 90%.

“The problem is that this type of attack is easy to perpetrate once you have all the right information. Who can argue with the CEO, if they are messaging you and asking you to make an urgent payment because they are busy boarding a plane? Or with an email that asks you to pay a supplier urgently? People get nervous and try and do the right thing. That is why this attack is so effective,” she added.