Perhaps you have heard about CEO fraud, Whaling or Business Email Compromise? Did you ever bother to know what it is? This website will focus on all what is CEO fraud, its definition and meaning, statistics, examples and interesting cases of CEO fraud, its impacts on victims, and how this impersonation fraud can be detected and prevented.

What is CEO fraud? CEO FRAUD PREVENTIONCEO fraud (Whaling or Business Email Compromise) is the most recent generation of cyber crimes. It involves impersonation of senior business managers, so not like the name implies soley C-level executives, using social engineering to persuade employees to transfer their business money under the auspice of acceptable business intent and trust. Probably this sounds unbelievable to you, but a recent report released by the FBI revealed that state attackers stole approximately $215 a few months to January 2015 with these ceo fraud emails and phishing practices.  Besides, CEO fraud was witnessed recently when Ubiquiti, a networking vendor, suffered $46.7 million cyber-heist. Surprisingly, such scams are increasing each day, and this is a red flag to most business. Other public known CEO fraud case examples are Leoni AG, BBC, Lifelock and Space. Monitoring studies and analysis of thousands of emails for CEO fraud BEC schemes, hackers most of the times use the CEO in as their prime target for their attacks. The following organization roles are mostly targeted: CEO 31%,  President 17%, Managing Director 15% and General Managers 4%.

Forms of CEO Fraud

The attackers usually rely on two primary techniques to initiate CEO fraud.

  1. Compromising the senior employee’s email accounts

Those intending to commit the CEO fraud can achieve their objectives by compromising the email accounts belonging to the senior employee. For example, they can hack the email accounts and then persuade the junior employees to transfer company funds to other accounts. Besides, the login information can be stolen then used by such malicious individuals to commit CEO fraud.

When this happens, the hackers can easily send emails from the senior employee’s email account, and it will be hard for the junior employees to suspect a fraud. By the time they will realize someone is stealing from the company, the business will have lost a lot of money.

  1. Registering a domain that is similar to the business’s domain

This form of CEO fraud can also be known as typosquatting and impersonate a senior individual in the business. Though this may sound less effective, it still works. After all, not everyone is always keen on the spelling and pronunciation of various words. For example, it is easy to misread Softcat for Sotcat, and surprisingly, this is what perpetrators utilize.
ceo fraud email scam fraud

Besides, attackers tap into social networks to tailor the emails with heightened sophistication. This new height of precision is far a wail from the advanced free fraud scams that involve dignitaries and those who have won lotteries. Such cases became so common a few years ago and are probably the origin of CEO fraud.

The concerning trend behind CEO fraud

CEO fraud isn’t fraud organized by CEOs as most people might think. It’s a crime conducted by fraudsters who tend to impersonate CEOs to trick clients to sent payments to fraudulent accounts. Such fraud can take various forms and sometimes it’s hard for anyone to notice that there is fraud. For example, a buyer might have been making electronic payments to an overseas vendor. Then, he later receives an email from the vendor to make payments to a different account due to problems with the previous account. This makes it difficult for the overseas vendor to notice the change and the client will end up wiring the funds into fraudsters’ accounts.

Another emerging trend in CEO fraud targets the employees. For example, if the fraudsters succeed in compromising the email accounts of a senior employee in an organization, they may authorize funds transfer perhaps to pay taxes. If the junior employee isn’t careful, he will end up wiring the funds into the fraudsters’ pockets.

The impact of CEO Fraud

As said earlier, fraudsters tend to steal from a company. Therefore, such an action can cripple a company’s financial sector, and in the worst case, it can even render a company insolvent. In the recent past, various companies have lost millions of funds, and this has compromised their financial strength.

How can CEO fraud be recognized?

If you are not careful, you may not detect CEO fraud in your organization easily. The following are some of the indicators of fraud.

  • Communications that are only and soley restricted to email or telephone correspondence instead of video conferencing or face-to-face meetings and communication.
  • Extremely urgent fund requests and the requester is reluctant to verify his or her identity. Recent study show that CEO fraud emails subject lines contain in most cases keywords like Request For {date}, Transfer,  Request, Urgent and Transfer Request. Such requests might involve some big chunks of money that should always ring a bell with you.
  • Fund transfers that don’t follow the right standard and company approved procurement process.

What can companies do against it?

Keep in mind that CEO fraud can cost a company millions, if not billions. Therefore, it’s advisable for every organization to come up with a strategy to ensure that they will never suffer this problem.  We all know that you can counter the cyber threats using exclusively technological measures. However, to counter CEO fraud, you will need something more than technological measures: you will need human intervention. For you to protect your business from CEO fraud, here are some of the measures you may need to put in place.

  • Security awareness training
    One of the ways of ensuring that you will never suffer CEO fraud is by ensuring that all your employees understand this security threat. In fact, every employee should be aware of any related threat and cognizant of it in their daily tasks. You should also emphasize this awareness to your employees who are responsible for transferring funds in your business.
  • Have robust funds transfer processes
    To stay away from CEO fraud, you will need to tighten up your fund’s transfer procedures and standard procurement processes. Where possible, you can take it all to ISO standard procurement processes but at least two-factor authentication where the requester will need to be called first especially if the funds will have to be sent via email. This is similar to the four eyes principle where each transfer is verified by a second person by default without questioning. This will raise awareness within the company and sets the required mindset in today’s context of cyber-security. With that in place, it will be more difficult to bypass security measurements and for you easier to raise any form of attempted CEO fraud to the surface.
  • Find out who owns similar domains as that of your business
    As said earlier, those intending to steal from your business can easily register a domain similar to yours. Finding out who owns a domain similar to yours can help you spot the CEO fraud easily and take the appropriate measures.
  • Report any incident of CEO fraud immediately to law enforcement
    All victims of cyber crime in general are encouraged to report such incidents to the police and authorities in the country the incident was been detected. The more quickly a cyber crime or phishing scam is reported, the sooner law inforcement can intervene, cooperate, catch an offender and stop the potential victimization of individuals and businesses.

In need for support or additional information? 

CEO fraud is real and its happening today. It’s not a fairy tale. Therefore, you will need to take the necessary steps to cushion your business from such cyber attacks.

Have you encountered a scam? Whether you were a victim or were able to avoid it, we want to hear your story. FILE A COMPLAINT Or continue to for more information and news on CEO scams, prevention tips, or sign up for our alerting service, and more.

Don’t forget to join and like our active Facebook Community with security experts and interested people in topics like CEO Fraud.