Cybercriminals do what they do for money. According to the 2022 Data Breach Investigations Report, 96% of data breaches were caused by external actors motivated by financial or personal gain. In order to maximize their return on investment, these cybercriminals take a business approach to their attacks, preferring their efforts to not be resource intensive or time-consuming so as to offer the highest possible payout.
With that in mind, the rise of business email compromise (BEC) scams is understandable. These attacks only require easily accessible data about the target and composing a convincing pretext that tricks the target into handing over funds. According to research, CEO fraud scams, where criminals pretend to be a company’s senior executive, increased by 29% in 2021 with total losses increasing by 165%.
By protecting executives’ information and reducing their digital footprint, however, companies can mitigate CEO fraud risk.
What is CEO fraud phishing?
A CEO fraud phishing attack occurs when cybercriminals use email to impersonate a senior executive, like a chief executive officer (CEO), chief financial officer (CFO), or chief operating officer (COO). Using a spoofed email address, the cybercriminal sends emails to employees asking them to authorize a funds transfer, like a vendor payment or reimbursement for travel.
The scammers target people who would normally receive emails from the executive. To define those people, cybercriminals use social media websites, like LinkedIn, so that they can create a list of target employees and obtain information that insiders would know.
How does CEO fraud phishing work?
CEO fraud phishing is an attractive form of attack for hackers because; the outcome is potentially lucrative, and the investment only requires a little online research and some simple social engineering.
All cyberattacks begin with reconnaissance. During this phase, attackers research a company’s executives using publicly available information. For example, typical reconnaissance might look like this:
- Finding an executive using the company website’s “About Us” page
- Identifying mid-level employees across finance, accounts payable, and human resources by looking at the executive connections on social media sites
- Gaining a sense of the executive’s “voice” using published articles or videos of talks
Spoofing the email address
With this information, the cybercriminals craft an email to their intended target. If they have directly compromised the executive’s email, they will use the real one. More often, they create a fake or spoofed email account with an email address that is almost identical to the real one but has a misspelling or other slight change made to it. For example, if the real email address is:
The spoofed email might be something like:
If the criminals aren’t sophisticated, they may simply hide the fake email address behind a header, hoping that no one clicks to see if the address is legitimate.
Crafting the message
Using the research completed during the reconnaissance phase, the cybercriminals will craft an email to try to trick employees into taking action.
Generally, these emails have certain characteristics:
- Create a sense of urgency
- Establish a sense of secrecy/discretion
- Send towards the end of the day
- Ask for something unusual
The cybercriminals want to prey on people’s emotions, hoping that they won’t stop to think because they’re rushed or worried.
For example, cybercriminals might look for an executive who recently joined an organization. Since people working for the new executive don’t know the person well, they’re more likely to want to please a new boss and prove that they’re responsive employees. By sending it at the end of the day, the criminals know the employees are more likely to act immediately rather than wait for a response that might not come until the next business day, especially on a “time sensitive” matter.
How to mitigate CEO fraud risks
While cybercriminals won’t stop trying to scam people, you can take steps to protect your organization.
Implement and communicate policies
You should have clear policies that address how financial authorization requests will be made. For example, you could have a corporate policy stating that any request made by email must be approved verbally or otherwise by at least two other individuals with the requisite authority. By involving multiple people, you put additional risk mitigation controls in place.
Your cybersecurity education and cyber awareness training programs should provide clear examples of attempted CEO fraud emails. To reinforce your awareness training, you can run tabletop exercises with employees to see how they would react if presented with a real-world situation. For example, you might give them a copy of a real-world email fraud exchange and ask them what they would do differently.
Reduce executives’ digital footprints
Most people don’t realize how large their digital footprint is. Senior executives need to be visible because they act as the organization’s “face.” For example, they may be more likely to accept LinkedIn connection requests, viewing it as industry outreach or community building. Simultaneously, malicious actors scrape social media networks, and even a little bit of information about contacts, interactions, and work history can be used to successfully deploy a social engineering attack. It is therefore important to limit the amount of personal information that executives share online and to be aware of how the information that is available can be used in an attack.
Filter inbound emails
With the right spam filter, you can protect against malicious inbound emails. For example, you can set up filters that:
- Deny known malicious email domains
- Deny emails sent from IP addresses associated with risky originating countries
- Quarantine unwanted emails
- Filter email threats like malware or viruses
- Review headers for fake information
- Scan email content for spam
Protect against social engineering attacks by reducing your organization’s human attack surface
Your company’s human attack surface consists of all the personal and corporate data that is publicly exposed. While solutions exist to help address an organization’s external technical attack surface, there is only one platform that takes into account the human element and mitigates risks associated with employees’ digital footprints.
With Picnic, you get a complete picture of your exposed attack surface from the perspective of a cybercriminal and a complete picture of potential attacks before they happen. Picnic’s automated threat modeling allows your security team to instantly see who is most likely to be targeted in a CEO fraud phishing attack (or any other form of social engineering attack) and why.
Picnic automatically detects the social engineering risk revealed by your executives’ digital footprints and our technology works to remediate those risks continuously. VIPs have access to Picnic’s Executive Risk Reports, which plainly explain individual risk to each VIP. Our digital VIP protection services are designed to ensure that executives and their support staff become more difficult to target in an impersonation or phishing attack.
When it comes to CEO fraud, cybercriminals are looking for easy, data-rich targets. Picnic makes sure you aren’t one.