Detecting and preventing CEO email fraud

The Federal Bureau of Investigation (FBI) reports that over the past three years more than $3 billion has been lost to CEO email fraud, with approximately 22,000 victims. Other analysts assess that 400 businesses are targeted by this scheme every day. What is CEO email fraud, and what can be done to detect and prevent the cybercriminals engaged in this social engineering trend?

In August 2015, Ubiquiti Networks, a San Jose, California-based networking equipment company, disclosed in corporate filings that it had lost $46.7 million to a CEO email fraud scheme. Cybercriminals impersonated key executives and requested wire transfers from employees in Ubiquiti's finance department; the resulting fraudulent transfers totaled $46.7 million. This is not an isolated incident.

In January 2016, the Austrian aerospace parts maker FACC AG was targeted by a CEO email scam in which impersonators posed as the CEO in an email and asked members of the accounting team to transfer money to an account for a supposed acquisition project. The cybercriminals made off with approximately $50 million. In February 2016, Crelan Bank of Belgium lost $75.8 million in a similar social engineering scheme.

CEO email fraud is one of the least sophisticated social engineering schemes. It is low cost, low risk, and can generate high rewards. The success of the scam depends on how well the cybercriminals research their victims and on whether they can identify if and when key decision makers are out of the office.

Tactics, techniques, and procedures

CEO email fraud has three components. The first is the online reconnaissance phase, in which cybercriminals use the web and social media to research their victims, including the key decision makers in a company's finance, human resources, and payroll departments. Threat actors collect actionable intelligence by scraping company email addresses and reviewing business structures to identify the main stakeholders and chains of command. Insight into acquisition plans and upcoming transactions is also collected to serve as bait in the email.

In more sophisticated CEO email frauds, an executive's mailbox is compromised first, typically through an email whose malicious link installs keylogging malware. The attacker then mines the correspondence and company data to understand the organization's money transfer procedures, and to learn the tone and timing of the executive's real requests.

The second component uses the gathered information to craft a convincing email message. Cybercriminals buy a look-alike domain name and create mailboxes on it whose addresses differ from those of the targeted company and its executives by only a character or two. Employees at subsidiaries of multinational corporations are regularly targeted, since staff at local branches are less familiar with the senior managers at the holding company.

Timing is an important aspect. Threat actors monitor the social media accounts (LinkedIn, Facebook, and Twitter) of executives, their family members, and the corporation itself for any disclosure of future travel plans, meetings, or vacations. Once it has been confirmed that the CEO is unavailable, threat actors exploit his or her absence and send emails to targeted employees, who cannot verify the authenticity of the request because the executive is unreachable. Many employees who receive an email from a senior executive demanding immediate action do what a good employee would and promptly complete the request without questioning its content.

The third component is the wire transfer itself. Criminals often provide wiring instructions and account details directly in the email, but more elaborate schemes instruct the employee to wait for further instructions from a fictitious company lawyer or advisory firm. The FBI reports that almost 90% of the fraudulent wire transfers are sent or redirected to accounts in China and Hong Kong. Once the transaction has been initiated, the victim has 24 to 48 hours to attempt to cancel it and recover the money. In other words, a victim has very little time to realize the mistake, which is another reason CEO email fraud is increasingly popular.

[Image: an example of a CEO email fraud message. Source: PWC]

Detecting CEO email fraud

The FBI estimates that since January 2015 there has been a 270% increase in identified victims and losses, in every U.S. state and in at least 79 countries. CEO email fraud is on the rise, and its success rate means companies must be able to detect attempts and take preventive measures to avoid becoming victims.

Employees receiving an urgent wire transfer request, or a request to release sensitive personally identifiable information such as W-2 wage and income statements, should carefully examine the email header before acting on it. Inspect the "From" field: the display name may show the CEO's name while the actual email address turns out to be an outside account, or a letter in the address may have been replaced with a number or an underscore. The "From" address may also be almost identical to the executive's, since cybercriminals tend to buy look-alike domain names and set up addresses that differ from the real ones by a single character.

Pay attention to where the CEO or sender is when the email arrives. Does the request come in while the CEO is on vacation, in a business meeting, or traveling? Cybercriminals engaged in CEO email fraud act when their target is out of the office. Also pay attention to the subject line. Symantec reports that these fraudsters often use a single-word subject line drawn from a small vocabulary: request, payment, urgent, transfer, sensitive, and inquiry. Fraudulent wire transfer requests typically demand immediate action, which is intended to prompt a quick and sometimes rash response from the recipient.
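The header and subject checks described above can be automated. The following is an added example, not code from the article: it parses a message with Python's standard email module, compares the sender domain against an assumed corporate domain (example-corp.com), folds the digit-for-letter and separator tricks described above so that a look-alike domain compares equal to the real one, and flags a single-word subject from the vocabulary Symantec reported. The two sample messages and the executive name are constructed for the example, and the Reply-To comparison is an extra check that the article does not mention but that is worth running alongside the others.

```python
"""Flag the sender and subject traits of a CEO-fraud message (added example)."""
import email
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"          # assumed: the defender's real mail domain
EXECUTIVES = ("Jane Doe",)                     # assumed: display names worth protecting
URGENT_SUBJECTS = {"request", "payment", "urgent", "transfer", "sensitive", "inquiry"}

# Substitutions seen in look-alike domains (illustrative table, not exhaustive)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "rn": "m", "vv": "w"}


def normalize_domain(domain):
    """Fold digit/letter look-alikes and drop separators, so examp1e_corp.com
    and example-corp.com compare equal."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return re.sub(r"[-_.]", "", d)


def levenshtein(a, b):
    """Plain edit distance; catches a single added, dropped or changed character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, corporate=CORPORATE_DOMAIN):
    """True if the domain is not the corporate domain but is easily mistaken for it."""
    domain = domain.lower()
    if domain == corporate:
        return False
    return (normalize_domain(domain) == normalize_domain(corporate)
            or levenshtein(domain, corporate) <= 1)


def analyze(raw_message, corporate=CORPORATE_DOMAIN, executives=EXECUTIVES):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. An executive's name in the display name, but the address is not on our domain
    if display_name.lower() in {e.lower() for e in executives} and domain != corporate:
        findings.append("display name '%s' on non-corporate address %s" % (display_name, addr))

    # 2. Look-alike sender domain (digit-for-letter swap, dropped hyphen, one edit away)
    if domain and is_lookalike(domain, corporate):
        findings.append("look-alike sender domain: %s" % domain)

    # 3. Reply-To pointing somewhere other than the From address (added check, not from the article)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("Reply-To (%s) differs from From (%s)" % (reply_to, addr))

    # 4. Single-word subject drawn from the urgency vocabulary Symantec reported
    subject = (msg.get("Subject") or "").strip()
    words = subject.lower().split()
    if len(words) == 1 and words[0].strip(":!.") in URGENT_SUBJECTS:
        findings.append("single-word urgent subject: %r" % subject)

    return findings


# Constructed sample messages, not real mail
SAMPLE_FRAUD = """From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-relay.example
To: accounts.payable@example-corp.com
Subject: Urgent

Are you at your desk? I need a wire sent today for the acquisition. Our lawyer will send the details.
"""

SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Q3 vendor invoice batch approved

Approved, proceed per the PO list.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample) or ["no findings"])
```

The normalization step is deliberately lossy: it treats example_corp.com, examp1e-corp.com and examplecorp.com as the same name, which is what a hurried reader's eye does. Run the same logic at the mail gateway and in a mailbox rule, and tune the executive list and corporate domain to the real organization.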

Preventing CEO email fraud

Businesses can take a number of steps to prevent CEO email fraud. Implement policies and procedures for handling emails that request wire transfers or the release of sensitive personally identifiable information. An effective way to verify that a request is authentic is to confirm it with the sender by phone. Be aware that contact information in the email, such as phone numbers, can be fraudulent as well, so use the number listed in the internal business directory when verifying the transfer, never one taken from the message.

Require dual authorization, a two-person rule in which two employees must independently approve a wire transfer before it is released; this increases the chance that a scam is caught before the money leaves. Education is a key element, and training employees on what fraudulent email requests look like reduces the risk of financial loss and reputational damage.

Lastly, make it difficult for cybercriminals to craft a convincing spear phishing email by minimizing the sensitive information about executives that is available online. Remove sensitive online disclosures such as work email addresses and phone numbers. Avoid mentioning the future whereabouts of company executives on social media accounts and company web pages. Executives can also hide their updates and posts from public view by tightening the privacy settings on their social media accounts. Marketing or IT departments can also register domain names that are variations of the company name or of key executives' names, taking them out of circulation so they cannot be used for impersonation.
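Deciding which variations to register or to watch for in inbound mail is easier when the list is generated mechanically. The following is an added example, not code from the article or from any registrar: it enumerates single-change variants of an assumed domain (example-corp.com) using a small, illustrative substitution table and TLD list. It only produces the candidate list; availability and registration still go through your registrar, and the same list can feed a mail-gateway blocklist or a certificate-transparency watch.

```python
"""Enumerate look-alike domains worth registering or monitoring (added example)."""

# Character swaps attackers use when squatting a name (illustrative, not exhaustive)
SUBSTITUTIONS = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"], "s": ["5"],
    "a": ["4"], "b": ["8"], "g": ["q"], "m": ["rn"], "w": ["vv"],
}
# Top-level domains commonly registered beside a .com to catch typos (assumed list)
ALT_TLDS = ["co", "cm", "net", "org"]


def _valid_label(label):
    """Reject variants that are not legal DNS labels: empty, leading/trailing or doubled hyphen."""
    return bool(label) and not label.startswith("-") and not label.endswith("-") and "--" not in label


def lookalike_candidates(domain):
    """Return the sorted set of single-change variants of `domain` (second-level label + TLD)."""
    label, _, tld = domain.lower().rpartition(".")
    variants = set()

    # Homoglyph or digit substitution, one position at a time (examp1e-corp, exarnple-corp)
    for i, ch in enumerate(label):
        for sub in SUBSTITUTIONS.get(ch, []):
            variants.add(label[:i] + sub + label[i + 1:])

    # Dropped character (exampl-corp)
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])

    # Adjacent characters swapped (exmaple-corp)
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])

    # Doubled character, a common fat-finger typo (examplee-corp)
    for i, ch in enumerate(label):
        variants.add(label[:i] + ch + label[i:])

    # Hyphen removed altogether (examplecorp)
    variants.add(label.replace("-", ""))

    candidates = {v + "." + tld for v in variants if v != label and _valid_label(v)}
    # The genuine label under neighbouring TLDs (example-corp.co)
    candidates |= {label + "." + t for t in ALT_TLDS if t != tld}
    return sorted(candidates)


if __name__ == "__main__":
    cands = lookalike_candidates("example-corp.com")
    print("%d candidates, e.g. %s" % (len(cands), ", ".join(cands[:8])))
```

Registering every candidate is rarely worth the cost; a practical approach is to register the handful that are visually closest (dropped hyphen, digit-for-letter swaps, neighbouring TLDs) and to monitor the rest so that a newly registered variant triggers an alert before it is used against staff.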

Low costs, low risks, and human error set the stage for continued growth

CEO email fraud will likely continue to grow for the foreseeable future. The barriers to entry are low and the scheme requires little technical expertise. The amount of sensitive information about executives available online will likely increase as a new generation of computer-savvy executives who use social media frequently replaces the older generation, making it easier than ever for criminals to research their targets and capture sensitive details.

CEO email fraud will continue to be attractive because the chances of getting caught are rather low. Criminals can easily obscure a message's origin by relaying it through anonymizing proxies or virtual private networks (VPNs), making it difficult to attribute a fraudulent email request to a specific individual.

Despite technological advances against social engineering schemes such as CEO email fraud, the human factor and lapses in judgment remain the weakest link in the defense. Cybercriminals are aware of this and will continue to target employees who unknowingly help them carry out fraudulent transactions.

Categories: Economics, Finance

About Author

Hans Mathias Moeller

Hans Mathias Moeller is a Senior Analyst with a cyber intelligence company in Washington, DC. He specializes in supporting multinational corporations and executives with security risk management solutions and investigations. He earned two Master's Degrees in International Security Studies and Terrorism Studies from the University of St Andrews. His areas of expertise are security and technology-related topics, with a focus on North America, Europe, and North Africa.