In an era where technological advancement has brought the world closer than ever, it has also opened avenues for cybercriminals to exploit unsuspecting individuals and organizations. We are seeing this a great deal at our company and at companies across the U.S.
Among the various issues that plague the modern landscape, one particularly insidious threat stands out: CEO fraud. Have you experienced this? CEO fraud, which the FBI classifies as a form of “business email compromise” (BEC), is a scam in which criminals pose as high-ranking executives and manipulate employees into buying gift cards, sending unauthorized wire transfers or revealing confidential financial data. The ramifications are far-reaching, causing financial losses and reputational damage that affect the entire organization.
A common example is an email or text that seems to come from the CEO. An employee receives a message such as “Hey Joan, how are you doing? Can you please do a favor for me?” She will answer yes, of course. The response will be, “Can you run to the store and purchase some iTunes cards, 20 of them for $100 each, as I want to send them to clients. When you get back, send me the codes on the back via this email.” We had an intern who fell for it at one time. Once the codes are sent, the criminals redeem or resell them within minutes, and gift card purchases are almost impossible to trace or reverse. This scheme preys upon the trust and hierarchy within companies, jeopardizing finances and sensitive information through impersonation and manipulation.
Disturbingly, the statistics reveal a growing crisis. In a 2019 public service announcement the FBI put the cumulative losses from business email compromise at more than $26 billion. A 2023 report by Microsoft states that business email fraud continues to rise, citing the FBI’s count of more than 21,000 complaints in 2022 with adjusted losses over $2.7 billion. Microsoft has also observed an increase in sophistication by threat actors specializing in business email compromise, including the use of residential internet protocol addresses so that a login from overseas appears to come from the victim’s own area. It is an alarming trend that emphasizes the urgency of combatting this digital headache.
The methods employed by these cybercriminals are as cunning as they are diverse. Four primary strategies lie at the heart of CEO fraud’s success, each requiring distinct preventative measures:
- Phishing: A mass email blast, posing as a reputable source, is a favored approach. These messages often mimic the logos and tone of banks, credit card providers, law enforcement and more. Prevention involves educating employees to recognize the telltale signs of phishing (urgency, secrecy, unusual payment methods) and to avoid hasty responses, along with email filtering that flags messages arriving from outside the organization.
- Spear Phishing: A more personalized attack, spear phishing targets individuals or small groups, often using details gleaned from social media. Countermeasures entail educating employees on privacy settings and cultivating a culture of skepticism toward unsolicited requests, especially ones that arrive with a deadline.
- Executive Whaling: This advanced tactic targets high-ranking executives, using detailed knowledge of their roles and the organization, because a compromised executive mailbox lends every later request real authority. Defenses include multi-factor authentication on executive accounts, limits on what is published about executives’ roles and travel, and firm rules that no payment is approved on the strength of an email alone.
- Social Engineering: By extracting information from social media platforms, cybercriminals craft convincing personas to manipulate victims. Organizations must emphasize privacy settings and raise awareness about oversharing personal and professional information online.
Beyond prevention, swift and informed responses are vital in minimizing the impact of CEO fraud. If a fraudulent payment is suspected, the first calls are to your bank, to ask that the wire be recalled, and to the FBI’s Internet Crime Complaint Center (IC3), which can ask the receiving bank to freeze the funds; the chance of recovery drops sharply after the first day or two. Keep the original emails and any gift card receipts as evidence. Communication, both internal and external, is paramount, involving legal teams, law enforcement and potentially affected parties.
An easy but critical habit that prevents many of these crimes is to check the sender’s actual email address, not just the name displayed; some security vendors market a related check as a “Domain Spoof Test.” Often an email appears to come from a known person, such as the CEO, but when you click on or hover over the sender’s name, you see an address at a free webmail service or at a domain that is one letter off from your company’s. Be aware that this check does not catch everything: if the executive’s real account has been taken over, the address will be genuine, so any request for gift cards, a changed bank account or confidential data should be confirmed by calling the person at a number you already have, never by replying to the email. Microsoft Outlook users can also report the message as phishing from the ribbon or by right-clicking it. This extra step could help others in the future, and it is highly advised that each of us take the extra few seconds to do so.
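The sender check described above can be automated as a mail-filter rule. The following script is an added example and is not code from the original column or from myHR Partner; the company domain, the executive list and the three sample messages are constructed for the illustration, and the look-alike threshold (edit distance of two or less) is an assumption a real deployment would tune. It flags the patterns a person would look for by eye: a display name that matches an executive but an address that does not, a free webmail domain, a domain one or two characters away from the real one, a Reply-To that diverts answers elsewhere, and a failed SPF/DMARC result recorded by the receiving mail server.

```python
"""Flag sender-address tricks typical of CEO-fraud email (example code)."""
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed for this example: hypothetical company domain and executive directory.
COMPANY_DOMAIN = "myhrpartner.example"
EXECUTIVES = {"tina hamilton": "tina@myhrpartner.example"}
WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "aol.com"}
LOOKALIKE_MAX_DISTANCE = 2  # assumption: tune for your domain length


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as an added 's'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw: bytes) -> list[str]:
    """Return human-readable findings for a raw RFC 5322 message (empty list = no red flags)."""
    msg = message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # 1. Display name claims to be an executive but the mailbox is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' but address is {addr}, expected {expected}")

    if domain and domain != COMPANY_DOMAIN:
        # 2. Domain a character or two away from the real one (myhrpartners vs myhrpartner).
        if edit_distance(domain, COMPANY_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
            findings.append(f"look-alike domain {domain} (close to {COMPANY_DOMAIN})")
        # 3. Executive name on a free webmail account.
        if expected and domain in WEBMAIL:
            findings.append(f"executive name sent from free webmail domain {domain}")

    # 4. Reply-To silently redirects the conversation to a different domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.lower().rpartition("@")[2]
    if reply and reply_domain != domain:
        findings.append(f"Reply-To goes to {reply} (different domain than From)")

    # 5. The receiving server already recorded an SPF or DMARC failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        findings.append("SPF/DMARC authentication failed for this sender")
    return findings


# Constructed sample messages (not real mail).
LEGIT = (b"From: Tina Hamilton <tina@myhrpartner.example>\r\n"
         b"Subject: Monday meeting\r\n\r\nSee you at 9.\r\n")
WEBMAIL_SPOOF = (b"From: Tina Hamilton <tina.hamilton.ceo@gmail.com>\r\n"
                 b"Subject: favor\r\n\r\nCan you do a favor for me?\r\n")
LOOKALIKE = (b"From: Tina Hamilton <tina@myhrpartners.example>\r\n"
             b"Reply-To: ceo-desk@mail.example.net\r\n"
             b"Subject: urgent\r\n\r\nI need 20 gift cards today.\r\n")

if __name__ == "__main__":
    for label, sample in [("legit", LEGIT), ("webmail", WEBMAIL_SPOOF), ("lookalike", LOOKALIKE)]:
        print(label, check_sender(sample) or "no red flags")
```

A message that passes every one of these checks can still be fraud when the executive’s real mailbox has been compromised, which is why the script reports red flags rather than deciding for the employee; the phone call to a known number remains the final check.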
Prevention remains the most effective armor against CEO fraud. Equipping employees with knowledge, fostering a cybersecurity-conscious culture and requiring that every payment, gift card or bank-detail request be verified by a second channel, such as a phone call to a known number, are essential steps in safeguarding against this digital deceit.
In an age where information flows seamlessly, the rise of CEO fraud underscores the imperative of cybersecurity education. By acknowledging the growing threat of CEO fraud and committing to proactive defense strategies, individuals and organizations can empower themselves against the relentless tide of cybercrime.
The menace of CEO fraud is an urgent issue demanding attention from individuals and organizations alike. As the FBI’s alarming statistics show, this digital plague is on the rise, posing a grave financial and reputational risk to businesses globally. To effectively combat CEO fraud, we must understand its tactics, prioritize prevention through education and security measures, and respond promptly and strategically in the event of a breach. Only by joining forces and sharing knowledge can we hope to thwart the ambitions of these cybercriminals and safeguard the digital realm for generations to come.
Tina Hamilton is founder & CEO of myHR Partner Inc., a Lehigh Valley human resources outsourcing firm that manages HR for clients in 41 states across the U.S. She can be reached at tina@myhrpartner.com.
Originally published in the Allentown Morning Call on September 8, 2023