As our inaugural blog post, the TCecure team decided to focus on a topic we know is very relevant for many of our clients: information security in the workplace, especially surrounding business email compromise and social engineering. Specifically, CEO fraud, an increasingly common scam. Here, we’ll explain what this scam is, how to recognize it, and how to protect your organization from the painful fallout of successful CEO fraud and related social engineering scams.
What is it?
CEO fraud, or Business Email Compromise (BEC), is a scam in which a cybercriminal uses phishing and social engineering to dupe company employees into sending money or employee information. The scammer first mimics an important executive’s email address to send a message to an employee in HR, IT, Finance, or the Executive team. All too easily, an unsuspecting employee feels the need to comply quickly with an executive’s request, processes an unauthorized transfer or sends out confidential tax information, and inflicts damage that cannot be undone.
Main Components:
- Phishing email or message to a high-risk employee who is in a position to make money transfers or share employee data. When the scammer researches a specific person or institution before sending it, this is called spear phishing; when the target is specifically a business, as with CEO fraud, it is called business email compromise.
- Impersonation of a CEO or other high-level executive, called executive whaling, that may include company or event details designed to make the email seem authentic.
- Urgency, request for a favor, or other situation that discourages the recipient from validating the request before acting. This is a critical part of social engineering scams.
- Money or Tax Information: The sender asks the employee to transfer money, protected information, or other assets to a different account than usual.
CEO fraud is a $26 billion scam, according to the FBI’s Internet Crime Complaint Center (IC3), and affects all types and sizes of businesses. This kind of scam is increasingly common as more and more businesses rely on email, indirect communication, and remote connections to operate.
How do I prevent it from happening to me?
Knowledge is power! The first step is understanding how business email compromise works and introducing skepticism into any unusual request for money or protected information.
It goes without saying that you should abide by all your company’s security protocols and make sure your accounts and devices have the latest security updates. Never share your information or bypass security policies.
When money or critical information is at stake, take the extra 30 seconds to verify the email address, domain, names, and URLs. Check in with someone else, like your supervisor or IT, before complying with unusual requests – no matter how urgent.
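The verification step above can also be automated. The following is an added example, not code from the original post or from TCecure: it parses a constructed message and reports the mismatches a recipient or mail filter should notice (an executive’s display name on an external address, a lookalike sender domain, a Reply-To pointing elsewhere, and an urgent request involving money or tax data). The domain `example.com`, the executive name, and the keyword lists are assumptions for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed values for this example: the organisation's real mail domain and the
# display names of executives whose requests deserve extra scrutiny.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
URGENCY = ("urgent", "right away", "today", "asap")
MONEY = ("wire", "transfer", "w-2", "payroll", "tax")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Lowercase domain from an address header such as 'Jane <jane@x.com>'."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def bec_findings(raw_message: str) -> list[str]:
    """Return the verification failures found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else from_domain
    if display_name.lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(f"executive display name but external sender domain {from_domain}")
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"sender domain {from_domain} is a lookalike of {COMPANY_DOMAIN}")
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    if any(w in text for w in URGENCY) and any(w in text for w in MONEY):
        findings.append("urgent request involving money or tax data")
    return findings


# Constructed sample of the kind of message described in the post (not a real email).
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.urgent@mail-example.net>
To: finance@example.com
Subject: Urgent wire needed today

Can you process a transfer to our new vendor account right away? I'm in meetings.
"""

if __name__ == "__main__":
    for finding in bec_findings(SAMPLE):
        print("FLAG:", finding)
```

Each flag corresponds to one of the checks the paragraph above asks a recipient to make by hand; a message from the real domain with no Reply-To and no urgent money request produces no findings.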
How do I stop social engineering at my business?
If you’re an executive, CEO fraud social engineering can be especially worrisome. How do you effectively protect your assets without having employees question your every request? Follow these 3 of the 20 control steps and best practices published by The Center for Internet Security (CIS) to ensure your company doesn’t fall victim to this expensive scam:
- Establish and maintain strong security policies, software, network access rules, and protections, especially for high-risk employees like those in HR or Finance. Ensure that only fully supported web browsers and email clients can execute in the organization, ideally only the latest versions provided by the vendor. To lower the chance of spoofed or modified emails arriving from valid domains, implement additional browser and email hardening best practices.
- Implement a Security Awareness and Training Program so your staff can spot a scam a mile away. Perform a skills gap analysis to understand the behaviors staff aren’t adhering to, and use this information to build a baseline education roadmap. Train the workforce to identify different forms of social engineering attacks and insider threats, such as phishing, phone scams, and impersonation calls, using on-demand, live, or custom training like CySkills.com.
- Establish and abide by financial and information transfer policies that require validation or other security steps. The more consistent you are, the more concerning one of these out-of-the-blue requests will be to the recipient.
The TCecure team specifically works with small and mid-size companies (SMBs) to configure and implement security controls with a prioritized set of actions. We also empower people and businesses with good cyber defense habits to significantly increase cyber readiness through security training and awareness. Visit CySkills.com to learn more about our free and low-cost cybersecurity training for businesses.