CEO fraud: Types and identification techniques
- Last Updated : April 11, 2025
The minute you receive an email from your boss, you're looking to respond right away. Because honestly, doesn't everyone want to look good when it comes to their boss? It's common knowledge that an email from higher management sets the gears in motion and elicits a response within a fraction of the time that's taken for emails from other employees. This is exactly the mindset cybercriminals take advantage of in the constantly evolving age of cyber threats.
With cybersecurity solutions becoming smart enough to detect and thwart the security concerns brought about by threat actors, hackers are getting smarter in creating new attacks. To come up with attacks that go undetected by security solutions and evade the attention of human eyes, cybercriminals use a mix of phishing and spoofing techniques. These techniques, with the help of modern AI tools, ensure that the attacks attain the desired outcome.
One such attack trend that has been providing intended returns is CEO fraud. It preys on the excitement and anxiety employees feel when they receive an email from their CEO or any C-suite employee. According to the FBI, CEO fraud is now a $26 billion scam.
Organizations need to follow a structured approach to combat this cyber threat, for which an understanding of how cybercriminals propagate this attack is required. In this article, let's delve into how CEO fraud occurs, the common targets of these attacks, and tips to protect your company from these attacks.
What is CEO fraud?
CEO fraud, otherwise known as VIP fraud or whaling, refers to the practice in which cybercriminals make use of phishing techniques to nudge their target into revealing sensitive information or performing a particular action by impersonating the CEO of a company. While the most common executive impersonated is the CEO, depending on the nature of the attack, threat actors might impersonate CFOs, COOs, or other C-suite authorities as well.
High-level executives of companies are impersonated in this kind of phishing attack since they wield a certain level of authority. Any email, request, or demand from them is always met. Additionally, there's a flurry of excitement amongst employees when they receive such an email, and they rush to respond immediately since they want to project a good image. This makes CEO fraud attacks successful and often very lucrative for hackers.
While propagating a CEO fraud attack, threat actors conduct extensive research to identify the pattern of communication, the frequent contacts, and the CEO's relationship with employees in the company. By closely monitoring and determining this information, they craft an email that doesn't arouse any suspicion in the recipient, ensuring they go along with the request and make the attack successful.
In recent times, due to the clever tactics used by hackers and the access to public information about companies, CEO fraud has led to high financial losses and leaks of important organizational information.
How does CEO fraud occur?
While the basic technique used in CEO fraud is impersonation of a higher-level executive in the company, there are different ways in which threat actors take over the identity of the executive. Having an understanding of the different ways in which these attacks come about helps prevent them to a certain extent.
Account takeover
An account takeover is a cyberattack technique in which the cybercriminal gains access to an account they're not authorized to use. They often get access to accounts either through leaked or stolen credentials or through some other cyberattack that they've propagated. Threat actors either take complete control of the account or silently monitor and participate in certain conversations to ensure that the account owner doesn't revoke access.
By taking over the executive's identity, the attackers have a higher chance of success because the email address is legitimate. This doesn't arouse any suspicion in the recipient and the security systems that are set in place by the company, making it one of the more dangerous forms of CEO fraud.
Domain and display name impersonation
In certain cases, domain and display name impersonation techniques can be used to make their way into employees' mailboxes and get a positive response. In this type of attack, the attacker creates a domain that looks similar to the organization's original domain name. With this lookalike domain, the attacker creates an email address that looks the same as the CEO's email address and also sets up a display name that's similar to the person they're impersonating.
This makes the email address look legitimate, and the attacker sends an email that imitates the CEO's usual emails. If the email recipient fails to notice the slight deviation in the domain name, they continue to assume that the email is from their CEO. In a hurry to respond to the CEO, the recipient fails to check further and proceeds to take the action requested in the email.
Generative AI
Generative AI is being used to perform many tasks quickly. AI tools have quickly become highly relied upon to get things done in a fraction of the time usually required. Unfortunately, this also applies to hackers because the groundwork they need to put into a cyberattack is becoming easier.
AI tools can create realistic cyberattacks by scouring the internet and finding all of the information that a hacker needs. By going through the company website, social media pages, and other relevant information publicly available on the internet, hackers formulate everything from the email address and username to the conversation styles and common requests of the CEO. These tools can even craft the perfect email, without any language errors, while following the executive's usual communication pattern.
This makes the email look genuine. AI also helps identify the right target for an attack and adapts the attack in case the organization finds a way to spot and thwart these attacks. These provisions make AI a formidable weapon for threat actors and a powerful tool to create CEO fraud attacks.
Targets of CEO fraud
CEOs typically interact more often with a common set of people. These might be individuals who have a certain level of access to perform sensitive operations or someone who's gullible enough to believe the email is legitimate without having any second thoughts or going about checking it. Let's take a look at some of these common targets.
HR teams: HR teams are commonly targeted due to their access to employee information and perks. These teams regularly interact with the CEO regarding employee benefits, recruitment, organizational policies, and other such overall company-related information. Because HR has access to distribute information and make announcements across the company, the threat actor tries to exploit this privilege by impersonating the CEO.
Finance teams: Finance teams deal with huge amounts of money. Anything from payroll management to vendor payments is done by the finance team. Cybercriminals target these teams to initiate fund transfers under the pretext of emergency requirements or a vendor payment not being completed due to unforeseen circumstances. With all money-related approvals in the finance team's hands, all it takes is one vulnerable employee who disburses the funds to bring down the company.
IT personnel: Similar to the HR team's position, the IT personnel also have a certain level of command over all the employees in a company. With their ability to mandate software updates, machine upgrades, and other such important actions, they become one of the most common targets of CEO fraud. Because they also have access to all of the actions performed by senior executives and a high level of access to perform sensitive actions, they're one of the prime targets.
Other C-suite employees: Because threat actors look for employees who have privileges to perform sensitive actions, other C-suite employees and executives also make the cut. These organization members usually have access to view financial records, issue announcements, and send organization-wide emails. To abuse this power, a threat actor might pose as the CEO and convince them to take an action that furthers their attack.
Business partners: CEOs are most often the face of a company. They might communicate with vendors or other businesses they're partnering with. To use this to their benefit, threat actors may take control of a CEO's account and request an urgent payment to be made. They usually create a realistic scenario to ensure their request is met. In certain cases, depending on the nature of the attack planned, they may ask the partner to share confidential business information.
New employees: Employees who've recently joined a company are often the most gullible. Because they may not be aware of the security protocols followed and the approvals required for a certain action, they're often the targets of most cyberattacks. The stakes are even higher with CEO fraud attacks because newer employees are more eager to prove themselves to their CEOs and earn a name in the company.
Common CEO fraud scenarios
While the ways that threat actors trick their targets into believing a scenario and taking action can be very diverse, these scenarios mostly fall under a few categories. Let's take a look at some of them.
Fake vendor payments
Companies, especially enterprises, spend huge amounts of money on vendor payments. Threat actors see the potential to extract money from this situation and use it to their advantage in CEO fraud attacks. For example, a real estate company may have partnered with a logistics company for all of their delivery and pick up requirements. The company would have a payment cycle with the logistics company based on predefined agreements.
If a threat actor assumes the identity of the real estate firm's CEO and informs their finance team that a payment to the logistics company is pending, the finance team has to make the payment to ensure that there are no dues. To convince the finance team about this, the hacker makes the email sound urgent and demands immediate action, and even accuses the finance team of faltering on the payment. These emails often match the timeline of the actual payment to make it seem more realistic.
Gift card scams
Gift card scams are another common premise used in CEO fraud attacks. Threat actors come up with a scenario where they demand that the target organization's finance team purchase gift cards from a reputed business. They claim that the cards will be used for employee bonuses or performance review gifts. In some cases, they may even claim that the executive they're impersonating has an important client meeting, and these gifts will be given to secure a deal.
Because these scenarios could be completely legitimate, if the threat actor has hidden their identity well enough, the finance team or the email recipient goes ahead and purchases the gift cards and shares them with the threat actor. All details, including the gift card number, vendor, and any PIN details, will be shared. Even though the gift cards individually might be of small value, the cumulative value is high, and the hacker escapes without a trace, stealing the gift card details.
False mergers
Mergers and acquisitions are common in business scenarios. Any such activity involves huge amounts of money and large transactions from the business. This makes M&A a common scenario that threat actors use in CEO fraud attacks. By impersonating the CEO's identity, they may claim that the CEO is unreachable because they're in the middle of an important business meeting about a potential merger with a large company.
To ensure that the deal isn't lost, they mention that a huge amount of money needs to be transferred immediately as a token of securing the deal. To urge the recipient to make the payment immediately, they'll even claim that there are other competitors who are acting quickly. Threat actors often do this when the CEO isn't easily available to make sure the recipient doesn't call the CEO for confirmation.
Document access requests
There are multiple different types of sensitive data across organizations. This includes patented designs, technologies, intellectual property, client information, contracts, financial reports, and more. Data is the new currency, and getting access to such sensitive information is a goldmine for threat actors. This makes fake document access requests another common CEO fraud technique.
In this type of CEO fraud attack, the threat actor takes over the CEO's identity and claims that they've lost or don't have the privileges to view a certain document. If the attack is well hidden, the document owner proceeds to provide access because it's the CEO. Once they have access, they make copies of the document and use it to their monetary benefit. They may either blackmail the company for money or sell it to competitors who are ready to pay a handsome amount for the data.
How can you protect your business from CEO fraud?
CEO fraud has increasingly become a cyberattack that we need to guard our organizations from carefully. While threat actors are uncovering smart ways to create these attacks, it's possible to identify the ways to protect your company from such attacks. Let's take a look at some of them.
Conduct extensive employee training
Conducting comprehensive and efficient security awareness training goes a long way in protecting companies from all cyberattacks. To ensure that your employees don't fall prey to such attacks, they need to know all about the latest cyberattack trends and their propagation mechanisms. This can be achieved by recruiting a security officer who's well versed in these tactics and getting them to conduct workshops for your employees.
Apart from workshops, it's also important to conduct phishing simulations and see how your employees deal with such emails. While it's important that they don't engage with the emails, they should also report such emails to the security teams so that similar attack emails can be spotted and the relevant recipients can also be wary of them.
Identify the potential red flags
As part of the training conducted for employees, educate them about the potential indicators of phishing emails and CEO fraud emails, in particular. Knowing how threat actors trick them can help with identifying these indicators. Ask your employees to check for these specifics in every important email containing a data request or a sensitive action request.
- Verify if the domain name in the email address matches with the organization's domain name.
- Check if the email address and the display name used are consistent with the CEO's usual email address.
- Teach them to find the return path details in the email header and verify that they're consistent with the sender details.
- Even if an email demands urgent action, ask employees to take a minute to consider the legitimacy of the request.
- If these details seem legitimate but something about the email is still suspicious, ask them to verify with the executive whether the request is genuine.
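The first three checks in this list, together with the lookalike-domain and display-name impersonation described earlier, can be automated over raw message headers. The following is an added example, not part of the original article or any product's code; the organization domain, the executive directory, and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example (constructed, not from the article).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address

# Constructed sample messages (not real traffic).
LEGIT = ("From: Jane Doe <jane.doe@example.com>\n"
         "Return-Path: <jane.doe@example.com>\n"
         "Subject: Q3 review\n\nSee you at 3.\n")
SPOOFED = ("From: Jane Doe <jane.doe@examp1e.com>\n"
           "Return-Path: <bounce@mailer.invalid>\n"
           "Subject: Urgent payment\n\nPlease process this today.\n")


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(raw_message):
    """Return the checklist items that a raw RFC 5322 message fails."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_addr, return_path = from_addr.lower(), return_path.lower()
    from_domain = from_addr.rpartition("@")[2]
    flags = []
    # Check 1: sender domain must be the organization's domain.
    if from_domain != ORG_DOMAIN:
        flags.append("external-domain")
        # A near miss of the real domain is a lookalike, not just an outsider.
        if edit_distance(from_domain, ORG_DOMAIN) <= 2:
            flags.append("lookalike-domain")
    # Check 2: an executive's display name must come with their real address.
    real = EXECUTIVES.get(" ".join(display.lower().split()))
    if real and from_addr != real:
        flags.append("display-name-mismatch")
    # Check 3: Return-Path domain must be consistent with the From domain.
    if return_path and return_path.rpartition("@")[2] != from_domain:
        flags.append("return-path-mismatch")
    return flags


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, red_flags(raw))
```

A return-path mismatch can also come from a legitimate bulk-mail service, and none of these checks catch a taken-over account, so a flagged or suspicious message still calls for verification with the executive.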
Establish multi-layered approval systems
Threat actors propagate CEO fraud attacks in the belief that organizations wouldn't have approval systems in place for sensitive actions. For this reason, they often target small and medium-sized businesses.
To ensure that your organization is well protected, establish multiple layers of approvals for transactions and sensitive information sharing. This way, even if an anomaly isn't detected by the targeted recipient, the higher officials will question the origin of the request and verify its nature. In such cases, there's a high chance that requests with malicious intent can be prevented.
Enhance security controls for the C-suite
Executives are always targets for VIP fraud attacks. By setting up protection measures for the accounts of C-suite employees, you can prevent account takeover. This includes setting a strong password, enabling multi-factor authentication, and setting up alerts for any suspicious login behavior.
Additionally, you can also use the domain name and display name spoofing prevention features available in most email security solutions to ensure that your company's employees only receive emails from their legitimate CEO.
Use an email security solution
Email security solutions have been trained over years to spot anomalies. An additional layer of email security spots malicious emails using advanced content and intent analysis capabilities and ensures that such fraudulent emails don't make their way to your employees' mailboxes.
Setting up these measures to protect your company from CEO fraud can help not just with identifying these attacks but also with preventing them to a large extent. With improved threat detection capabilities, it's possible for all companies to stay ahead of threat actors and ensure their data and finances remain protected.
eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.