CEO fraud: How to keep your users safe
Cyber criminals come up with new scams to dupe users every day. Most employees receive and open email messages on a daily basis, and all a cyber criminal needs is to get a user to click on one email that they shouldn't.
One of the most common email scams that has affected businesses around the world in recent years is CEO fraud. In this article we'll look at what this pernicious scam involves, and how you can help keep your business safe.
- What is CEO fraud?
- How should users respond to email requests from senior management?
- What does a CEO fraud email look like?
- How can you protect your business from CEO fraud?
What is CEO fraud?
CEO fraud is the use of email messages to impersonate a company's CEO in an attempt to dupe employees into giving up money or sensitive information. Similar scams could impersonate another senior member of staff.
Due to the authority possessed by a senior executive, any email sent by them to a member of staff is likely to receive immediate action. An employee will want to appear responsive and quick to help out their company management, so they are likely to spring into action without stopping to think about what they are doing.
The urgency and authority that is inherent to communications from a senior executive is what makes CEO fraud scams so difficult to deal with. It is hard to train users to question any request made to them by a superior, which is why cyber criminals repeatedly dupe users in companies all across the world with this scam.
Example of a 'CEO fraud' phishing attack
Watch this quick video from the BBC showing how attackers leverage stolen credentials on the dark web to send phishing emails from high-level executives.
You'll also see an example taken from usecure's very own uPhish template library.
How should users respond to email requests from senior management?
Training users to deal with requests and emails in the correct manner is key to dealing with CEO fraud scams. If users take the right precautions whenever they receive an urgent or unusual request, it will be much harder for a cyber criminal to slip in an email unnoticed.
It's important that all members of staff in your business know:
- Always verify unexpected requests for payment over a call or in person. An employee should never make an unexpected payment, especially for a larger sum of money, without verbal confirmation from the executive requesting it.
- Stop to think when an email tries to create a sense of urgency. An employee never wants to get caught hesitating when they are asked to act by one of their superiors - but it's important to consider whether an email is artificially trying to create a sense of urgency to get the recipient to overlook their normal good judgment.
What does a CEO fraud email look like?
Here's an example of a CEO fraud phishing email. In this scam, the sender impersonates the CEO of a company and asks an employee for 'help' while they are out of the office. The 'help' involves making a payment to a new bank account - one controlled by the cyber criminal.
Since a CEO holds authority over the functions of a business, it is likely that employees will promptly carry out any request given to them by the CEO. As such, emails like this have a very high success rate in defrauding companies of their money.
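The indicators described in this section (an executive's name on the message, a request for 'help' while they are out of the office, urgency, and a payment to a new bank account) can be turned into a mail-triage check. The following is an added example written for this article, not code from usecure or from the uPhish product; the executive directory, the internal domain `example.com` and the two sample messages are constructed for illustration. Any message that asks for a payment is routed to the out-of-band verification step described above, and identity indicators (display name matching an executive but a different address, an external sending domain, a mismatched Reply-To) raise the severity further.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of executives whose names are likely to be impersonated,
# mapped to their genuine internal addresses (hypothetical values).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAIN = "example.com"

# Phrase lists are deliberately small; tune them to the language of your business.
URGENCY_PHRASES = ("urgent", "asap", "as soon as possible", "immediately", "right away", "before end of day")
PAYMENT_PHRASES = ("payment", "wire", "transfer", "bank account", "account details", "invoice", "gift card")
SECRECY_PHRASES = ("keep this between us", "do not discuss", "don't tell")
UNREACHABLE_PHRASES = ("out of the office", "in a meeting", "cannot take calls", "can't talk")


def fraud_indicators(raw: bytes) -> list:
    """Return the list of CEO-fraud indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # Identity indicators: who the message claims to be from versus where it came from.
    name_key = from_name.strip().lower()
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        found.append("executive display name with a different address")
    if from_domain != INTERNAL_DOMAIN:
        found.append("external sending domain")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        found.append("Reply-To differs from From")

    # Content indicators: the pressure techniques the scam relies on.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    haystack = (str(msg.get("Subject", "")) + "\n" + text).lower()
    checks = (
        (URGENCY_PHRASES, "urgency language"),
        (PAYMENT_PHRASES, "payment or bank-detail request"),
        (SECRECY_PHRASES, "request for secrecy"),
        (UNREACHABLE_PHRASES, "sender claims to be unreachable by phone"),
    )
    for phrases, label in checks:
        if any(p in haystack for p in phrases):
            found.append(label)
    return found


def triage(raw: bytes) -> str:
    """Map indicators to an action. Payment requests always go to out-of-band verification."""
    found = fraud_indicators(raw)
    if "payment or bank-detail request" in found:
        return "hold: confirm with the executive by phone or in person before paying"
    if len(found) >= 2:
        return "flag: route to security for review"
    return "deliver"


# Constructed sample: a CEO-fraud message of the kind the article describes.
SAMPLE_FRAUD = b"""\
From: "Jane Doe" <jane.doe@mail-example.net>
Reply-To: ceo.janedoe@mail-example.net
To: accounts@example.com
Subject: Urgent request
Content-Type: text/plain; charset="utf-8"

Hi, I am out of the office in a meeting all day and cannot take calls.
I need you to process a payment to a new bank account ASAP. I will send
the account details shortly. Please keep this between us for now.
Jane
"""

# Constructed sample: a routine internal message from the genuine executive address.
SAMPLE_LEGIT = b"""\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 summary
Content-Type: text/plain; charset="utf-8"

Thanks for the report, looks good.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, fraud_indicators(sample), "->", triage(sample))
```

The phrase lists are a starting point rather than a detection signature; the check that matters most for CEO fraud is the first one, because an employee reading a mail client typically sees only the display name. Even a message that trips none of the identity checks is held when it asks for a payment, which mirrors the article's rule that unexpected payment requests are always verified over a call or in person.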
How can you protect your business from CEO fraud?
Any employee can be at risk of falling for a CEO fraud scam, but there are actions you can take to significantly reduce the risk factor in your company. With the proper technological safety measures, training courses and testing solutions, employees will be far less likely to fall for phishing emails.
- Security awareness training - All members of staff should be trained in spotting phishing emails, verifying unexpected payment requests and reporting any email they receive that they deem to be suspicious.
- Simulated phishing - A regular simulated phishing programme helps train users to spot phishing emails in their own inboxes, and keeps the workforce alert for the risk of phishing throughout the year. In addition, it'll help you gauge the risk posed to your business.
- Principle of least privilege - Ensuring that employees have access only to the sensitive data they need to carry out their role, and that only employees who need to handle company funds can pay them out, helps reduce the potential impact of any CEO fraud scam.
Start combatting CEO fraud today...
CEO fraud has a high success rate in defrauding companies of all sizes due to its authority-driven nature. Without the right training and testing solutions being implemented in a business, it is only a matter of time before an employee falls victim.
Regular security awareness training and phishing simulations can help save your business time and money that would otherwise be spent on dealing with breaches, and protect your business' reputation in the long term.
Grab your free 14-day trial of the usecure human risk management platform today.