CEO fraud
CEO fraud, also known as whaling, is a hot topic alongside ransomware. This is partly because many organisations have had to let their employees work from home as a result of the Corona pandemic. For many organisations the primary considerations are continuity of service and making it easy for employees to keep access to systems. As a result, certain checks and balances (unintentionally) no longer apply or systems become vulnerable, making it easier for cybercriminals to infiltrate certain business processes.
In short, CEO fraud is a type of fraud in which a company employee believes they have received an e-mail from a manager or director asking them to make or transfer a payment. Of course, the actual manager or director is not involved, and the payment goes to a so-called money mule or to an account controlled by the cybercriminals, after which the amount is forwarded to other accounts.
Despite the attention this form of cybercrime has received in recent years, it remains a major problem, in part because it continues to evolve. Spelling errors in e-mails are now rare or absent entirely, and the layout of an e-mail or invoice is more credible because criminals use templates from e-mails or invoices found online. The social engineering is also more devious because of the amount of data that can be found about companies and employees online.
Since the Corona pandemic is not yet behind us and working from home has become the new norm, it is expected that by 2022 this lucrative form of Business E-mail Compromise will be frequently exploited by cybercriminals to achieve their goals.
Beyond learning to recognise a fraudulent e-mail by its characteristics, it is also very important to discuss the corporate culture and to continuously improve established business processes.
Corporate culture
One of the main reasons CEO fraud works for cybercriminals is that it exploits the human factor. A request is sent on behalf of a high-ranking person, but the recipient is also deliberately selected by the cybercriminals, taking into account payment authority and, for example, how long someone has been working for the organisation. In a hierarchical organisation, it is often considered too intimidating to question someone in a higher position, which increases the likelihood of success.
During the Corona pandemic, many people started a new job without having met some of their colleagues in person (because of working from home). As a result, reports fail to be made because people do not know the correct procedure, are less likely to ask for help or do not want to disturb a colleague who is absent.
It is important to create a corporate culture in which employees feel safe enough to report potentially fraudulent e-mails. Make the subject open for discussion by explaining the procedure for payments, what to do in case of doubt and who to contact (internal communication). One option is to reward employees for spotting and reporting such mails. After all, a bunch of flowers for an employee costs a lot less than a transfer to a cybercriminal's account. Of course, employees must then also be given the 'tools' to recognise such mails, for example through awareness training.
Business processes
In addition to creating awareness, clear business processes also help remove the uncertainty or fear of asking for help. For example, it can be laid down that:
- requests for payments or changes to account numbers are verified not only by e-mail, but also through another channel.
- there are clear guidelines around invoicing: who is authorised to approve an invoice, which account numbers are used, and so on.
- the four-eye principle is applied, meaning that requests to transfer funds are always verified by two different people within the organisation.
- there is a department that can be contacted to check a suspicious mail.
In addition, technical measures can help prevent employees from coming into contact with fraudulent e-mails at all. This includes properly configuring the mail server or mail service, but also requiring VPN and/or MFA when e-mail or payment systems are accessed from home.
All of the business processes mentioned should also be reviewed regularly (Plan, Do, Check, Act). Especially during the still ongoing transition from on-premises to remote working, it is important that established business processes are and remain realistic and achievable.
DataExpert helps
As mentioned earlier in this article, an important step in combating CEO fraud is creating awareness among employees. DataExpert offers a Cybercrime and Cyber Security Awareness workshop in which different groups of employees are made aware of cybercrime and how to act.