CEO fraud can cost Danish companies a lot of money, so it's important to be aware of this sophisticated form of IT fraud.
Cyber criminals are getting smarter
Cybercriminals are constantly acquiring new tools and skills to make their cybercrime more and more sophisticated. For example, they have become adept at researching personal or confidential information about both high and low-level company employees. They can do this through publicly available information, such as Google searches or social media. They can use this information to carry out CEO fraud.
What does CEO fraud look like?
CEO fraud, also known as director fraud or BEC (Business E-mail Compromise), is a type of fraud that consists of fake e-mails or SMS messages in which the cybercriminals impersonate the CEO of a company.
The fake emails can sometimes be sent from a foreign email account that has the director's name. In many cases, the cybercriminals can hack the director's email account and send emails from it. In a CEO-fraud email, the cybercriminals ask an employee to transfer money to a specific account, often foreign bank accounts, or to pay a fake invoice.
The cybercriminals give the employee the impression that it is important that the specified money transfer or invoice payment is made immediately. In addition, they use their research on the company and the director to make the messages both credible and convincing. If the cybercriminals have hacked the director's email account, they can find legitimate invoices and change the bank details on them.
CEO fraud is hard to see through
One of the reasons CEO fraud is so difficult to detect is because of the fraudsters' thorough research. As well as finding sensitive information about the CEO and the company and incorporating it into their fake emails, they can also send out emails at times that increase the chance of employees falling for them.
Scammers often send out their fake emails in the summer, during holiday periods and around public holidays when they know the director and/or employees are not in the office. This makes it difficult for employees to confirm a suspicious email immediately. If some employees work at home around the holidays, their security routines are often challenged and they don't think as much about IT security.
Trustworthy style from a boss's email account
If the fraudsters have hacked the director's email account, they can mimic his or her language style and phrasing. Therefore, the fake emails can appear very credible.
Time pressure in the form of deadlines
In CEO fraud, fraudsters always give employees the impression of urgency. Often, there are short deadlines that pressure employees to react quickly and transfer the money. This is a common strategy in social engineering, as most people feel they must react immediately to avoid negative consequences.
CEO fraud over the phone
As part of their fraud, cybercriminals may call up employees and impersonate the CEO. If employees do not know what the CEO sounds like, this can be a very effective technique to convince employees to send money immediately.
What do you do if you are asked to transfer money?
There are a number of tips on how to avoid CEO fraud as an employee or company officer. The advice covers all the things you need to be extra careful about. The advice applies both when you are in the office and when you are working at home.
Call your boss if you have any doubts
As an employee, you may be asked to transfer money or pay invoices. Before you transfer the money, make sure you confirm the request. Check with your manager to be sure. Do not reply or respond to the email until you are absolutely sure that it is a legitimate email.
Be critical of the sender
Always check the email address when you receive an email. Even if the email contains the name of the director, you should be extra vigilant about the sender. If the scammers have not hacked the director's real email address, they will try to impersonate it. They can do this by changing some letters in the email address or changing the domain.
When scammers use methods to make recipients think the sender is someone they know, it is called name spoofing.
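As an added illustration (not code from the original article or from Moxso), the following Python check shows how a mail gateway or helpdesk script could apply the advice above to a message's From header: it flags a display name that matches a known executive while the address differs (name spoofing), and a sender domain that is only a letter or two away from the company's own. The executive list, addresses and domains are constructed for the example.

```python
from email.utils import parseaddr

# Constructed directory: display name (lowercase) -> the executive's real address.
EXECUTIVES = {"anna jensen": "anna.jensen@example-corp.dk"}  # hypothetical
COMPANY_DOMAIN = "example-corp.dk"  # hypothetical company domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one or two edits from ours is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return a list of reasons the sender looks spoofed; empty means no finding."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # Name spoofing: the director's name on a different mailbox (e.g. a free webmail).
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr != known:
        findings.append("display name matches executive but address differs")

    # Lookalike domain: a few changed letters, as in the text above.
    if domain != COMPANY_DOMAIN and 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike domain")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, two spoofed.
    for hdr in ["Anna Jensen <anna.jensen@example-corp.dk>",
                "Anna Jensen <anna.jensen.ceo@webmail.example>",
                "Anna Jensen <anna.jensen@example-c0rp.dk>"]:
        print(hdr, "->", check_sender(hdr) or "ok")
```

A real deployment would also compare the Reply-To header and check the domain's SPF/DKIM/DMARC results, which this example leaves out.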
Watch out for emails about transfers
It is always important to be critical of emails about money transfers, especially foreign transfers. If you are asked to transfer money to a foreign bank account, pay extra attention and always confirm the email.
It is beneficial for companies to have a procedure in place for how money transfers must be handled, e.g. there must always be two employees to approve transfers.
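As an added example (not from the original article), here is a Python check of the kind a finance workflow could run before releasing a payment. It enforces the two-approver rule from the paragraph above, holds foreign accounts for extra verification, and compares the invoice's IBAN with the vendor's previously verified IBAN, which catches the altered bank details described earlier. The vendor data, names and IBANs are constructed.

```python
from dataclasses import dataclass, field

# Constructed vendor master data: IBANs the company has verified out of band.
KNOWN_VENDOR_IBANS = {"Acme Supplies": "DK5000400440116243"}  # hypothetical


@dataclass
class TransferRequest:
    requester: str          # employee who entered the payment
    payee: str              # vendor name on the invoice
    iban: str               # account number on the invoice
    amount: float
    approvers: set = field(default_factory=set)


def review_transfer(req: TransferRequest, home_country: str = "DK") -> list:
    """Return the reasons the transfer must be held; an empty list means release."""
    holds = []
    iban = req.iban.replace(" ", "").upper()

    # Four-eyes rule: two distinct approvers, and the requester cannot approve.
    distinct = {a for a in req.approvers if a != req.requester}
    if len(distinct) < 2:
        holds.append("needs two approvers other than the requester")

    # Foreign accounts get a phone confirmation with the payee and the manager.
    if iban[:2] != home_country:
        holds.append("foreign account: confirm by phone before paying")

    # Altered invoice: bank details that differ from the verified vendor record.
    known = KNOWN_VENDOR_IBANS.get(req.payee)
    if known is None:
        holds.append("payee not in vendor master data")
    elif known != iban:
        holds.append("IBAN differs from vendor's verified IBAN")
    return holds


if __name__ == "__main__":
    # Constructed requests: a normal one and one with swapped bank details.
    ok = TransferRequest("kim", "Acme Supplies", "DK50 0040 0440 1162 43", 12000.0, {"lise", "ole"})
    bad = TransferRequest("kim", "Acme Supplies", "GB29 NWBK 6016 1331 9268 19", 12000.0, {"kim", "lise"})
    print(review_transfer(ok) or "release")
    print(review_transfer(bad))
```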
Inform employees about CEO fraud
All companies should inform their employees about CEO fraud and other forms of cyber attacks. In this way, all employees will be aware of the characteristics of CEO fraud and the associated risks. Train employees with awareness training so they are aware of IT security and all relevant cyber attacks that can affect companies, and what they need to be aware of to avoid falling for scams.
Watch for attachments or documents
If an email has an attachment or documents attached, take extra care not to download them immediately, as they may contain malware that is installed on your computer when you open them.
What to do if you have been the victim of a director scam?
If you have been the victim of director fraud, you should contact your IT department immediately and then report it to the police. Although it is almost impossible to get the money back once it has been sent abroad, contact your bank to see if they can stop the transfer.
To avoid further fraud attempts, it is important to inform both employees and managers that the company has been the victim of phishing.
It is also important to scan all systems and devices as they may be infected with malware.
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.