CEO Fraud (also known as Business Email Compromise (BEC)) is one of the most devastating attacks for businesses to come under, and if you’re in a management position, it’s highly likely that you’re a target.
CEO Fraud or BEC is a sophisticated attack in which cybercriminals target businesses of all sizes, using social engineering to carry out their scheme. The objective of CEO Fraud is to coax staff into carrying out bank transfers to fraudulent bank accounts. Cybercriminals use three attack methods for CEO Fraud: Phishing, Spear Phishing and Executive Whaling.
Attackers invest the most time in Spear Phishing and Executive Whaling attacks, because they're going for the big bucks here. It's all about finding the right people within organisations to prey on, and spying is the key ingredient to these attacks. They gather information about employees by watching their interactions, from how they behave to how they communicate and who they communicate with. They even go as far as finding their targets online through corporate websites, social media accounts and search engines, and in some cases going onsite to take photos. Whatever way they can gather information to use in these attacks, you can bet they'll do it.
They work with the end goal of better understanding their target's work environment, relationships with co-workers, upcoming business trips, and even their family and personal hobbies. The more vulnerabilities the cybercriminal can discover, the more convincingly credible the attack, and the higher their chances of success.
The reason cybercriminals spend so much time on these attacks is that, unlike regular Phishing emails, which can be sent periodically in the hope of catching people off guard and getting small wins, Spear Phishing and Executive Whaling attacks have only one chance of succeeding: if the request is questioned in person, it's quickly game over for the cybercriminal.
So who are the high-risk targets in your company?
- Chief Financial Officers (CFOs)
- CEOs / Top Level Management
- HR Managers (given their access to valuable / sensitive information about employees)
A successful Spear Phishing or Executive Whaling campaign yields an average of $200,000 AUD. The U.S. FBI reports that, based on financial data, Asian banks located in China and Hong Kong remain the primary destinations of fraudulent funds; however, financial institutions in the United Kingdom, Mexico and Turkey have also recently been identified as prominent destinations.
The FBI also cited real estate as among the sectors most targeted by these scams, and noted that international financial losses to attacks of this nature have been close to $4 billion in the last two years alone.
Cybercriminals can quite easily alter an email's 'From' address and 'Reply-To' address to make it look legitimate, and with their carefully curated social engineering they're able to fool even the highest-ranking professionals into quickly clicking a link or transferring funds to accounts they shouldn't.
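Because the forged 'From' and 'Reply-To' headers are the technical core of the scam, a mail gateway or SOC analyst can flag the tell-tale signs mechanically before the message reaches a busy executive or accounts clerk. The script below is an added example written for this post, not code from the original article or from any vendor: it parses a raw message with Python's standard `email` library and reports three indicators, a Reply-To that routes replies to a different domain than the visible sender, an executive's display name paired with an address that is not theirs (look-alike domains included), and SPF/DKIM/DMARC failures recorded by the receiving gateway in an `Authentication-Results` header. The corporate domain, the executive roster and the three sample messages are all constructed for the example.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumptions for the example: the organisation's own domain and a roster of
# executives whose names an impersonator would borrow. Both are constructed.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",    # CEO
    "raj patel": "raj.patel@example.com",  # CFO
}

# Constructed sample messages, not real mail.
SPOOFED = b"""From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@example-secure.net>
To: accounts@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-secure.net; dmarc=fail
Subject: Urgent wire transfer

Please process the attached invoice today. I'm in meetings and can't take calls.
"""

LOOKALIKE = b"""From: Raj Patel <raj.patel@examp1e.com>
To: accounts@example.com
Subject: New supplier bank details

Please update the beneficiary account before Friday's payment run.
"""

LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass
Subject: Q3 figures

Attached are the numbers we discussed.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or "" if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: bytes) -> list[str]:
    """Return human-readable warnings for a raw RFC 5322 message (empty list = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    auth = str(msg.get("Authentication-Results", "")).lower()

    from_dom = domain_of(from_addr)
    reply_dom = domain_of(reply_addr)
    findings = []

    # 1. Reply-To pointing away from the visible sender: any reply, including a
    #    "please confirm the account details" exchange, goes to the attacker.
    if reply_dom and reply_dom != from_dom:
        findings.append(
            f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    # 2. A known executive's display name on an address that is not theirs.
    #    This catches look-alike domains (examp1e.com) and free-mail accounts.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(
            f"Display name '{from_name}' belongs to {expected} but address is {from_addr}")

    # 3. Authentication verdicts recorded upstream by the receiving gateway.
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            findings.append(f"{check.upper()} failed for claimed sender domain '{from_dom}'")

    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, bec_indicators(sample) or ["no indicators"])
```

The display-name check is the one that matters most for CEO Fraud, since a spoofed or look-alike sender will usually pass the first glance of a human reader; the authentication check only helps where the gateway actually stamps `Authentication-Results`, so treat a missing header as "unknown" rather than "safe".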
It is essential that businesses do their due diligence in educating staff on the signs that they're being targeted. By implementing training within your organisation, you can quickly flip your team from being your biggest vulnerability to your strongest line of defence.
Here is a recent blog post of ours detailing the signs that you're being targeted by a Phishing email, and how you should handle it. We've also put together further information on Security Awareness Training for you here.
We’re always looking for ways to keep companies safer. Sign up to our newsletter to stay in the know, and learn about the latest scams, solutions we’re releasing to combat attacks and tips on keeping your organisation protected.