By Anna Collard SVP Content Strategy & Evangelist at KnowBe4 AFRICA
CEO Fraud – also called Business Email Compromise (BEC) – is a scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorised wire transfers, or sending out confidential personal information.
In the first three months of 2020, invoice and payment fraud BEC attacks increased more than 75%. The rise was even more pronounced from April to May. Over that period, the volume of these types of BEC campaigns shot up by 200% per week, according to Abnormal Security.
The spike in the number of CEO fraud attempts indicates that cybercriminals are becoming more successful with this tactic than any other form of social engineering and have been benefitting from the confusion associated with the sudden enforced work from home situation.
This is how the bad guys do it:
1. Initiation
The attacker will compromise a business executive’s email account or any publicly listed email. This is usually done using phishing methods, where attackers create a domain that’s similar to the organisation they’re targeting, or by tricking the target into providing account details. They perform a fair amount of research, looking for an organisation that has had a change in leadership or where executives are traveling, and then use these events to execute their scams. Often the first email request will not have any links or attachments, but rather attempt to initiate a communication flow, requesting very basic forms of information, such as how to get help paying an urgent invoice.
2. Social Engineering
Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. Often by applying a low-grade form of fear, authority, urgency or flattery, they will trigger the target’s emotions in order to suppress his/her critical thinking.
The label of this category of cybercrime may be CEO fraud, but that doesn’t mean the CEO is always the one in a criminal’s crosshairs. Anyone with privileges to make, approve or influence payments as well as with access to personal or sensitive corporate information may be at risk. In one example, the attacker impersonated an actual vendor used by the target organization. Over the span of two months, the person emailed several employees trying to convince someone to change banking details and redirect payment of a legitimate invoice to the attacker's account.
Here’s what you (the good guy) can do:
1. Identify your high-risk users: These include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas, including a review of social/public profiles for job duties, hierarchical information, out of office details, or any other sensitive corporate data, and identify any publicly available email addresses and lists of connections.
2. Institute technical controls: Implementing tools such as two-factor authentication, email filters, and managing access/permission levels for all employees are some of the ways to ensure the organisation has the highest defences possible against the bad guys.
3. Develop a security policy and standard procedures: Recommended company procedures should include:
o Make staff are aware of security policies around email usage and risks
o Establish how executive leadership is to be informed about cyber threats
o Have sound financial controls in place, such as multiple approval steps before any payments can be made
o Implement verification processes for new suppliers as well as any requests for bank account changes
o Establish a schedule to test the cyber incident response plan
o Register as many company domains as possible that are slightly different than the actual company domain
4. Training for all users: No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimising the dangers of Business Email Compromise. The best training programs harness user education to make sure any threats are prevented.