CEO fraud, a form of business email compromise (BEC), is one of the most consequential cyberthreats facing today's companies. The tactic is simple: scammers impersonate an executive or a known supplier by email and trick employees into divulging sensitive information or sending wire transfers, using convincing sender addresses, realistic invoice templates, and the organization's own colloquial tone.
According to data from the FBI, 40,000 victims of CEO fraud lost over $5.3 billion between October 2013 and December 2016. In a recent webinar, Dena Bauckman, Director of Product Marketing here at Zix, discusses how organizations that understand inbox vulnerabilities can create a more comprehensive cybersecurity strategy and avoid CEO fraud.
Guarding Against CEO Fraud
These attacks usually start when a scammer obtains the email login credentials of a middle manager. Once able to log in at will, the scammer can monitor all incoming and outgoing messages. Those messages are a gold mine of detail, revealing supplier relationships, payment details, account structures, internal hierarchies, and the company's communication style. For example, the Austrian aerospace manufacturer FACC lost $47 million to CEO fraud when an attacker posing as then-CEO Walter Stephan duped an employee into wiring the money to an acquisition project that did not exist.
Because they imitate legitimate correspondence, target specific individuals, and rely on social engineering rather than malware or exploits, these attacks pass straight through defenses built around signature-based malware and spam detection. Worse, the targeted employee, often the organization's last line of defense, is the person least equipped to recognize a well-crafted request that appears to come from the boss. In short, every element of these attacks is designed to slip past the controls organizations rely on to protect their communications and finances.
The practical defense is therefore a layered strategy that combines technical and procedural controls, so that no single failure (a stolen password, a filter that misses one message, a hurried employee) is enough to move money out of the company.
- Multi-factor authentication and email encryption. Because the inbox is one of the most valuable and most exposed assets in your organization, protection against CEO fraud and other BEC threats starts there. Multi-factor authentication stops a scammer who holds only a stolen password from logging in, cutting off the reconnaissance that makes later fraud messages so convincing. Policy-based encryption of sensitive messages and attachments protects them from interception in transit and at rest. Note, however, that encryption does not defend against an attacker who has taken over the mailbox itself and reads mail as the legitimate user, which is why MFA comes first. Organizations that need protection between the actual sender and recipient, not just between mail servers, can add end-to-end email encryption.
- Targeted threat protection. Static defenses such as signature-based anti-virus and keyword-based anti-spam filters do not adapt to attacks that carry no malware and are written for a single recipient. You need a filtering layer that learns what normal mail for your organization looks like and flags deviations from it: an executive's display name on an outside address, a look-alike sender domain, a Reply-To header pointing somewhere other than the visible sender, failed sender authentication, and a first-time sender asking for a payment. That is what it takes to identify spear-phishing emails and other malicious messages that ordinary anti-virus and anti-spam systems let through.
- Comprehensive employee training and wire transfer verification. Scam emails, however polished, are rarely perfect, and employees trained to look for red flags (unusual urgency or secrecy, a request to bypass the normal process, a sender address that does not match the display name, a sudden change of bank details) can often spot the inconsistencies before acting on a malicious request. Just as important, require every wire transfer, and every change to a supplier's payment details, to be confirmed out of band (by phone to a number already on file, not one supplied in the email) and approved by a second person independent of the requester. That control holds even when a scam email reaches the inbox and the recipient believes it.
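The red flags listed in the two points above are concrete enough to check automatically. As an added example (not Zix code and not taken from the webinar), the Python below scores a raw email message for five of them: an executive's display name on an address that is not theirs, a look-alike sender domain, a Reply-To domain that differs from the From domain, SPF or DMARC failure recorded in the Authentication-Results header, and payment-urgency language. The company domain, the executive directory, and both sample messages are constructed for illustration.

```python
"""Score a raw email message for common CEO-fraud / BEC red flags.

Added example, not code from Zix or the webinar. The company domain,
the executive directory and both sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumption: the protected organisation
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumption: display name -> real address
PAYMENT_WORDS = ("urgent", "wire", "transfer", "confidential",
                 "acquisition", "immediately", "today")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character domain typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_alike(domain, legit=COMPANY_DOMAIN):
    """True if `domain` is not `legit` but imitates it: common homoglyph
    swaps (rn->m, vv->w, 0->o, 1->l) or a single-character edit."""
    if not domain or domain == legit:
        return False
    folded = domain.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")
    return folded == legit or edit_distance(domain, legit) <= 1


def score_message(raw):
    """Return the list of red flags found in one RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    # 1. An executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("display-name impersonation")
    # 2. Sender domain that imitates the company's own.
    if looks_alike(from_dom):
        flags.append("look-alike sender domain")
    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_addr and reply_dom != from_dom:
        flags.append("reply-to domain mismatch")
    # 4. The receiving MTA recorded an SPF or DMARC failure for the sender.
    auth = msg.get("Authentication-Results", "").lower()
    if re.search(r"\b(spf|dmarc)=(fail|softfail)\b", auth):
        flags.append("sender authentication failure")
    # 5. Payment pressure: two or more urgency/secrecy/wire words in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if sum(w in text for w in PAYMENT_WORDS) >= 2:
        flags.append("payment urgency language")
    return flags


# Constructed samples: a fraud attempt and an ordinary internal message.
FRAUD_SAMPLE = "\n".join([
    "From: Jane Doe <jane.doe@examp1e.com>",
    "Reply-To: Jane Doe <ceo.jdoe@mail-example.net>",
    "To: accounts@example.com",
    "Subject: Urgent wire transfer - confidential acquisition",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com;"
    " dmarc=fail header.from=examp1e.com",
    "",
    "Need this wire sent today. Keep it confidential until the deal closes.",
])
LEGIT_SAMPLE = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "To: accounts@example.com",
    "Subject: Board deck",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com",
    "",
    "Attached is the deck for Thursday. Thanks.",
])

if __name__ == "__main__":
    for name, sample in (("fraud", FRAUD_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, score_message(sample))
```

The flags are evidence for a quarantine or warning-banner decision, or a trigger for the out-of-band verification step, not proof of fraud on their own. Note what this kind of check cannot see: a message sent from a genuinely compromised internal mailbox has a real address, passes authentication, and has no Reply-To trick, which is exactly why multi-factor authentication on the mailbox and an independent approval step for wire transfers are the controls that hold when detection does not.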
With losses due to CEO fraud jumping by 2,370 percent between January 2015 and December 2016, a period in which some 3,000 victims lost $346 million, this threat is not going away. There is no single control that prevents these attacks, but organizations that invest in a layered, comprehensive cybersecurity strategy now will avoid far larger losses down the road.
For a deeper dive into this topic, watch the archived webinar Colleague or Criminal: Avoiding CEO Fraud.