Cyber Risk Aware Blog

Your Boss Just Asked For Protected Data... But Is It Actually Your Boss? Beware of Business eMail Compromise & CEO Fraud!

Nov 9, 2017 6:00:00 AM / by Stephen Burke


There's a new type of cyber-crime on the rise, one which is not getting nearly as much public exposure as methods such as ransomware: Business eMail Compromise and CEO Fraud. According to FBI statistics, Business eMail Compromise has seen an increase of over a thousand percent since 2015, and it is quickly growing to be one of the single most costly forms of attack a company can undergo. Worse, this style of attack is based mostly on classic social engineering techniques.

While there are some electronic elements, it largely targets the human weak point in the security chain. So today, we want to talk about Business eMail Compromise and CEO Fraud, how these attacks are carried out, and how you can defend against them.

Understanding CEO Fraud & Business eMail Compromise

What is CEO Fraud? It's simple to define: an attacker impersonates the CEO, President, or other C-level executive of a company and uses that presumed authority to gain access to privileged information such as customer data or bank accounts. These attacks can cost a company tens or even hundreds of millions of dollars, virtually overnight, as when Ubiquiti Networks lost nearly $47M.

The irony there should not be overlooked: a networking company falling prey to a social engineering scam.

How Business eMail Compromise & CEO Fraud Works

For a Business eMail Compromise or CEO Fraud attack to be successful, the attackers usually need access to the victim company's network. Preferably, they have access to a high-level executive's email account. This could be accomplished through direct hacking, or through indirect means such as stalking the executive and stealing their phone or laptop. Against security-unsavvy executives, a phishing attack may be enough to get that access.

They could also use a spoofed domain that is almost identical to the target company's domain, e.g., "Intel.com" instead of "intel.com". Note the dotless "i", taken from the Unicode Character Map.
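The lookalike-domain check, as an added example that is not part of the original post: it reduces a sender domain to the ASCII "skeleton" a reader would see (punycode labels decoded, NFKC-normalised, confusable characters such as the dotless i mapped to their Latin lookalikes) and compares that skeleton with the company's own domains. The trusted domain, the sample sender addresses and the confusable table (a hand-picked subset of Unicode's confusables list) are constructed for this illustration. It goes a little beyond the post's single-character case by also flagging one-character typo domains via edit distance.

```python
"""Flag sender domains that visually impersonate a company's own domain."""
import unicodedata

# Hand-picked subset of Unicode confusables (constructed for this example;
# production code would load Unicode's full confusables.txt).
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "1": "l",       # digit one vs lowercase L
    "0": "o",       # digit zero vs lowercase O
}


def _decode_label(label: str) -> str:
    """Turn an IDNA label such as 'xn--...' back into its Unicode form."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label  # malformed punycode: keep the raw label
    return label


def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII string a human would *see*."""
    labels = [_decode_label(part) for part in domain.strip().rstrip(".").split(".")]
    text = unicodedata.normalize("NFKC", ".".join(labels)).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return text.replace("rn", "m")  # 'rn' reads as 'm' in many fonts


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted: set) -> tuple:
    """Return ('trusted'|'lookalike'|'external', matched trusted domain or None).

    `address` is a bare mailbox such as 'ceo@example.com'; `trusted` holds the
    company's own domains.
    """
    domain = address.rsplit("@", 1)[-1].strip().strip(">").rstrip(".").lower()
    trusted = {t.lower() for t in trusted}
    if domain in trusted:
        return "trusted", domain
    sk = skeleton(domain)
    by_skeleton = {skeleton(t): t for t in trusted}
    if sk in by_skeleton:                      # homoglyph / confusable match
        return "lookalike", by_skeleton[sk]
    for t_sk, t in by_skeleton.items():        # one-character typo domain
        if edit_distance(sk, t_sk) == 1:
            return "lookalike", t
    return "external", None


if __name__ == "__main__":
    TRUSTED = {"example.com"}  # constructed company domain
    # Constructed sender addresses; the punycode form is generated, not typed in.
    idn = "xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".com"
    samples = [
        "ceo@example.com",
        "ceo@ex\u0430mple.com",   # Cyrillic 'a'
        "ceo@" + idn,             # same domain as the mail server would see it
        "ceo@examp1e.com",        # digit one for 'l'
        "ceo@exarnple.com",       # 'rn' for 'm'
        "ceo@exmple.com",         # one character missing
        "cfo@partner-bank.com",   # unrelated external domain
    ]
    for addr in samples:
        print(f"{addr!r:40} -> {classify_sender(addr, TRUSTED)}")
```

A mail gateway or SIEM rule would typically tag "lookalike" senders for quarantine or a visible banner, while "external" senders that claim to be an executive get the usual external-sender warning. The check deliberately compares the sender domain only, so a subdomain or a display-name trick is out of scope for this snippet.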

From there, they impersonate the executive via email, sending "orders" to various departments with nefarious ends. The obvious target is the finance department, for instance with an instruction that a large sum must be rush-paid to a particular bank account. This might be accompanied by a claim that the executive will be unavailable for some reason, discouraging the targeted department from asking questions.

If the target department falls for it, the attackers get a huge payday. There are many examples of businesses, and consequently their banks, being hit by this type of cyber-attack; one recently reported attempt, which was foiled, was for a multi-million-dollar amount.

Avoiding Business eMail Compromise & CEO Fraud

Like most social engineering scams, awareness is the key point here:

  • Brief everyone on the existence of CEO Fraud and Business eMail Compromise.
  • Encourage executives, as politely but firmly as possible, to brush up on their own attack avoidance techniques.
  • Discourage executives from ever saying "Just do this, don't contact me about it" since this sets employees up to be scammed.
  • Train employees to recognize sketchy-looking orders.
  • Establish an inflexible protocol for handling sensitive data, particularly payment requests, which is never deviated from.

Enhance Your Human Security with Cyber Risk Aware

Cyber Risk Aware conducts security training and simulated "live fire" attacks, boosting your workforce's ability to recognize and counteract fraudulent activity. Contact us to learn more!
