How to Protect Your Organization Against Executive Fraud Phishing
In case you aren’t familiar with the term, Executive Fraud (aka “CEO Fraud” or “Business Email Compromise”) doesn’t refer to fraudulent activities by your CEO. Instead, this emerging phishing/social engineering/hacking scheme attempts to get subordinates to send money or sensitive information (social security numbers, account data, etc.) to a fraudster posing as a C-level executive (CEO, CFO, company president, etc.).
Does it work? Absolutely. While most catch the trick before it’s too late, several don’t, and organizations have lost billions of dollars as a result.
As Bloomberg reported last year, the FBI has tracked over $12 billion in global losses from 78,000 companies in 150 countries to these scams since 2013, and the number of incidents each year has been steadily increasing.
1. Executive Fraud emails can look like:
“I’m out of the office right now, but I forgot to pay this month’s sprocket shipment bill. I need you to send ______ money at this account number immediately. Thank you.”
“We’re considering a new 401K plan for employees, please send me the records with social security numbers. I need to check some tax details before I sign off on the changes. I’m going into a meeting in twenty minutes, and need to have them in hand by then.”
“I need you to get something done. I’m in between something right now and looking forward to surprising some of the staffs with some gifts today, a couple was outstanding this last year (2018). I would like to share a couple of gift cards today to appreciate them. Let me know if you can get this done within the hour. I will like you to get me 5 pieces of iTunes cards of $100 value on each amounting to $500 in total, 5 pieces of target gift card $100 value amounting to $500, 4 pieces of Google play gift cards of $500 value also amounting to $2000, sometimes we’d sign up with the business gift card for distribution as rewards and incentives. This will be distributed fairly on all levels of management, don’t mention it to anyone. Advice if this can be done within an hour. Kindly take a snapshot of all cards showing the pin and have them sent to me as soon as possible.”
2. How does Executive Fraud work?
Executive Fraud can be built on several different tricks, depending on how sophisticated the attempt is. It could be as simple as a poorly-worded email sent from an unfamiliar email address with the name of a senior company official tacked on (likely gleaned from your website), or it could be far more insidious.
More advanced tactics include:
- In-depth research about your company to pick the officers being spoofed and their targets more carefully (aka “Spear Phishing”). This could involve following staff on social media to learn more about their writing style, seeking out corporate filings, or even faking their way into conversations lower in the chain of command to build ammunition for their attempt from the top.
- Email spoofing – making emails look like they come from an internal email address: if not the correct address of the person being impersonated, then one that looks like it could be.
- Better Writing – Because people have been conditioned to question the authenticity of poorly-written emails (although often not as well as the IT department would like), sophisticated fraudsters put more time and thought into the pitch. Many of these emails emphasize a sense of urgency and the importance of the person supposedly sending them with the goal of getting the subordinate to send information or money before they think too carefully about what they’re doing.
- Hacking Email Accounts – What’s better than a spoofed email address and writing extrapolated from outside research? Being inside the fence and able to see everything. Hacking a top official’s email account (or, worse, their full computer) can give fraudsters access to the correct email address and signature as well as plenty of correspondence to read so their email blends in better.
Senior officers aren’t just juicy targets, they can also be more vulnerable to attack. Of all the members of your workforce, senior staff are the most likely to have laptops as their primary computers and the most likely to travel. That means their machines are often outside your company’s network defenses. There’s a good chance the machines will get used on unsecured networks, like those in hotels or airport lounges, making them more vulnerable to “man in the middle” attacks.
3. How do you stop Executive Fraud?
It may be impossible to stop people trying to commit Executive/CEO Fraud against your organization, but there are strategies that can prevent these attempts from succeeding.
Like all phishing attempts, the single most powerful protection tool in your arsenal is training.
- Establish and frequently reinforce a “think before you click” campaign, encouraging your staff to check the sender’s email address, grammar and spelling, and the proper use of logos and company signature formatting. This will help defend against the unsophisticated attempts.
- Establish firm practices about how sensitive information will be requested from the top. Make it very clear to all your employees that if proper channels and methodology are not followed, the request should be carefully checked via other means (like calling the officer directly), or even ignored until proper protocol is followed. This can stop a wide variety of more sophisticated attempts, possibly even including situations where the officer has been hacked.
- Institute a secure file exchange solution with 2-factor authentication. While a hacker may have gotten access to the executive’s email, there’s a good chance they don’t also have their cell phone. If sensitive information is sent using such a solution, the bad guys may get the message, but not the key they need to open the encryption. That instead will have been sent to the real executive.
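The spoofing tactics described in section 2 (a borrowed display name, a lookalike domain, a Reply-To pointing elsewhere) and the “check the email address” habit from the training point above can also be applied mechanically at the mail gateway. The following is an added example, not code from the original post or from XM SendSecure: a small triage function that parses an inbound message and lists the indicators a trained employee would look for. The executive directory, the internal domain list, the risky-phrase list and both sample messages are constructed for the example, and the domains example.com, examp1e.com and mail.invalid are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed directory of executives and trusted domains. Assumption: a real
# deployment would pull these from the HR system or the mail platform.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # CEO
    "sam lee": "sam.lee@example.com",     # CFO
}
INTERNAL_DOMAINS = {"example.com"}

# Vocabulary that recurs in the lures quoted earlier: urgency, secrecy, gift cards, wires.
RISKY_PHRASES = [
    "gift card", "itunes", "google play", "wire", "account number",
    "immediately", "within the hour", "don't mention", "do not mention",
    "social security", "snapshot", "urgent",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return its findings and a score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    dom = domain_of(addr)
    findings = []

    # 1. Display name of a known executive on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display-name impersonation: '{name}' from {addr}")

    # 2. External domain within two edits of an internal one (lookalike).
    if dom and dom not in INTERNAL_DOMAINS:
        for internal in INTERNAL_DOMAINS:
            if levenshtein(dom, internal) <= 2:
                findings.append(f"lookalike domain: {dom} ~ {internal}")

    # 3. Reply-To steering answers to a domain other than the From domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != dom:
        findings.append(f"reply-to mismatch: {reply}")

    # 4. SPF/DKIM/DMARC verdicts recorded by the receiving MTA, one finding each.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail)\b", auth):
            findings.append(f"{mech} failed")

    # 5. Lure vocabulary in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [p for p in RISKY_PHRASES if p in text]
    if hits:
        findings.append("risky phrases: " + ", ".join(hits))

    return {"score": len(findings), "findings": findings}


# Constructed sample messages (not real traffic).
SPOOFED = b"""From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail.invalid
To: accounts@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dmarc=fail header.from=examp1e.com
Content-Type: text/plain; charset=utf-8

I'm in a meeting and need 5 iTunes gift cards of $100 within the hour.
Send me a snapshot of the pins. Don't mention it to anyone.
"""

LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board pack
Content-Type: text/plain; charset=utf-8

Please send the Q3 board pack through the secure file exchange as usual.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        result = triage(raw)
        print(label, result["score"], *result["findings"], sep="\n  ")
```

Two points for anyone adapting this: the Authentication-Results header is only trustworthy if your own MTA wrote it, so strip any copy that arrives from outside before the check runs; and a score is a prompt for the out-of-band verification the next section calls for, not a substitute for it, since a message sent from a genuinely compromised executive mailbox passes checks 1 through 4 and is caught only by phrasing and procedure.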
Easy, Secure, Compliant – Get the Right File Exchange Solution for Your Organization
XM SendSecure is a cutting-edge secure file exchange solution that is designed to protect sensitive information within ephemeral storage (SafeBoxes) that deletes itself after a set period of time. 2-factor authentication is used to make sure the correct recipient is opening the encrypted files. Despite its robust protections, XM SendSecure is intuitively designed to be extremely easy to use, minimizing necessary training. Extensive automated recordkeeping helps ensure your organization can more easily comply with privacy regulations (regardless of your industry) and is prepared for any future audits.
Learn how XM SendSecure can slot into your existing workflows, boosting security while preserving efficiency.