Using a fake email to trick employees into fraudulent money transfers is a relatively simple way to rob a company with unsuspecting staff members. This tactic is also highly efficient—the FBI attributes more than $26 billion worth of losses to CEO fraud, which makes these attacks the highest-grossing type of cybercrime.
This article is a complete guide to CEO fraud that goes into all you need to know about this cyber threat. We explain how these attacks happen, go into different scam strategies, offer prevention tips (both for employees and C-level executives), and show what to do if you become a victim of CEO fraud.
What Is CEO Fraud?
CEO fraud is a type of scam in which a criminal uses email to impersonate an executive and fool a lower-ranking employee into performing an unauthorized wire transfer. The scammer pretends to be someone with the power to ask workers to make payments, such as the CEO, COO, CFO, or Head of HR.
A CEO fraud email does not always ask for a direct money transfer. A criminal can also order an employee to:
- Change an existing invoice's payment address.
- Share the business' bank or payroll info.
- Make gift card purchases.
- Disclose sensitive data that enables a criminal to blackmail or dig deeper into the company (such as client PII, tax statements, or company secrets).
CEO fraud caused $2.4 billion in losses to US businesses in 2021, equating to a third of the year's total cybercrime costs. Here's why these attacks are so effective:
- The pandemic and the restrictions on in-person meetings caused an increase in email use, creating a fertile ground for CEO fraud.
- The perceived difference in the hierarchy clouds the judgment of a lower-ranking employee. No one wants to upset or disappoint their boss, so people often do not second-guess requests coming from superiors.
- If a scammer tricks a human, the criminal bypasses all cybersecurity best practices, tools, and policies the company has in place.
- Compared to other types of cyberattacks, CEO fraud is relatively easy to pull off and (usually) does not require much IT skill.
While the $26 billion figure is frightening, the actual all-time cost of CEO fraud is likely higher. Many attacks go unreported as organizations often decide not to report scams that cost them small amounts of money.
Do not confuse CEO fraud with whaling, a phishing attack in which a scammer targets—rather than impersonates—a company executive.
How Does CEO Fraud Happen?
Every CEO fraud attack starts with extensive research. The attacker gathers identity details for (at least) two individuals:
- The executive they plan to impersonate.
- The person they plan to target.
The attacker researches employees by:
- Scraping info from the company's official website, social media accounts, YouTube channel, etc.
- Gathering the info via social engineering tactics (e.g., pretending to be a salesperson over the phone and asking to speak to whoever's in charge of budgeting).
- Visiting the office in person (e.g., acting as a courier or attending a job interview).
The research phase sometimes lasts for weeks or even months while the scammer devises a plan. Once criminals spot a perfect opportunity, they approach the target via an email with a "fitting" request. Some common tactics are:
- Instructing the financial department to transfer money for a late invoice or fake merger.
- Asking HR to purchase gift cards and write them off as bonus expenses.
- Getting whoever's in charge of wages to pay an invoice to a fake account, typically for an employee who allegedly did not receive the previous paycheck.
- Contacting an accountant as a supplier and claiming that they changed their bank account.
Criminals use various tactics to fool employees, pretending to be executives, vendors, lawyers, etc. Most scams use urgency to pressure the recipient, like in this example:
Scammers did their homework in this imaginary example:
- The executive probably is currently in Florida.
- The "TCCO" might be a genuine supplier whose invoice is really due tomorrow.
- Fraudsters are using the sender's unique writing style, picked up by scraping social media or analyzing previous emails on a hacked account.
Attackers rely on various techniques to gather the necessary info and pull off CEO fraud. Let's look at the most common ones.
Spoofing an email means creating an email address almost identical to that of the person you are trying to impersonate. Typically, the criminal alters the domain name slightly to mimic the corporate email (such as using "email@example.com" instead of "firstname.lastname@example.org").
The goal is to create a lookalike domain that causes visual confusion. If the recipient is not careful, these little changes easily go unnoticed.
Spoofed emails help an attacker perform research before launching a CEO fraud attack, but this technique also often enables a criminal to pull off the attack itself. If the scammer cannot hack or gain access to a legitimate email account (a considerably more challenging approach), they will use a spoofed address to contact their target.
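The lookalike-domain trick described above can be checked mechanically on the receiving side. The following Python snippet is an added example, not code from the original article or from phoenixNAP: it parses the From, Reply-To and Authentication-Results headers of an inbound message and flags an executive display name on an external domain, a domain that is a near-copy of the corporate domain (homoglyphs, one or two edits, or the same label under another TLD), a mismatched Reply-To, and a failed SPF/DKIM result. The corporate domain, executive names and sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain and executive names (constructed for this example).
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain: str) -> str:
    """Undo common homoglyph swaps (rn->m, vv->w, 0->o, 1->l, 3->e, 5->s)."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))

def is_lookalike(domain: str) -> bool:
    """True when domain visually imitates CORP_DOMAIN without being it."""
    if not domain or domain == CORP_DOMAIN:
        return False
    if normalize(domain) == CORP_DOMAIN or levenshtein(domain, CORP_DOMAIN) <= 2:
        return True
    # Same first label under a different TLD or as a subdomain of another site.
    return normalize(domain.split(".")[0]) == CORP_DOMAIN.split(".")[0]

def check_message(raw: str) -> list[str]:
    """Return the CEO-fraud red flags found in a raw RFC 822 message's headers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    if name.strip().lower() in EXECUTIVES and domain != CORP_DOMAIN:
        flags.append(f"display name '{name}' impersonates an executive from {domain}")
    if is_lookalike(domain):
        flags.append(f"sender domain {domain} is a lookalike of {CORP_DOMAIN}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From {addr}")
    if re.search(r"\b(spf|dkim)=(fail|softfail|none)", msg.get("Authentication-Results", "")):
        flags.append("SPF/DKIM did not pass")
    return flags

# Constructed sample messages: one spoofed executive request, one legitimate mail.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-secure-pay.net
To: accounts@example.com
Subject: Urgent wire before 5pm
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=examp1e.com

Please pay the supplier invoice today, I am traveling and cannot call.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass

Approved, thanks.
"""
```

Running `check_message(SPOOFED)` yields four flags, while `check_message(LEGIT)` yields none; in practice the flagged message would be quarantined or tagged with a banner rather than delivered silently.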
Planning for spoofed domains is only a small part of keeping business emails safe. Learn what else you must account for in our article on email security best practices.
Scammers send phishing emails to employees to "fish out" sensitive info by posing as legit sources, such as:
- Credit card providers.
- Delivery firms.
- Law enforcement agencies.
- The IRS.
Phishing helps a scammer to gather helpful intel for the upcoming CEO fraud. Alternatively, the phishing email can contain malware that infects the system and enables the criminal to hack the email account. The scammer then uses the address to either launch an attack or dig deeper into the organization.
If the phishing campaign succeeds, an intruder gains access to company accounts, calendars, hierarchy, and other data that gives the details needed to carry out the scheme.
Learn about different types of phishing attacks and see what your team should do to keep the business safe.
Whereas regular phishing campaigns target multiple users, spear phishing goes after one specific employee. The criminal uses this calculated attack to mislead the employee with a personalized storyline and either:
- Asks the target to reveal confidential info.
- Prompts the victim to click on a malware-infected link or attachment, after which the criminal hacks the account.
If a criminal manages to hijack an executive's account, there is no longer a need to use a spoofed email. The intruder then tricks employees by using the actual address, giving an apparent legitimacy to any request.
Email Account Compromise
Phishing is not the only method of hacking someone's email account. A scammer looking to pull off CEO fraud can also get email credentials by:
- Brute-forcing the password with a specialized tool.
- Luring users to fake login pages through their private social media accounts.
- Guessing easy-to-crack passwords.
- Purchasing previously cracked credentials on the dark web.
- Stealing BYOD devices from employees while they are not at work.
- Hiring more tech-savvy criminals who offer Business Email Compromise (BEC) services.
Once scammers get their hands on an email account, they start sending credible scam messages to employees. They also get access to all previous emails, enabling hackers to analyze how the manager communicates and imitate their tone of voice or incorporate commonly used catchphrases.
Our guide to strong passwords explains how to create credentials that are easy to remember and impossible to brute-force.
Who Is at Greatest Risk of Being the Target of CEO Fraud?
Cybersecurity studies suggest that almost 77% of CEO frauds involve employees outside financial or executive roles, so "building a wall" around staff members who authorize money transfers is not a sufficient defense.
Organizations of all sizes will experience CEO fraud attempts at some point. Attackers have tried many times to defraud phoenixNAP employees by impersonating Ron Cadwell, the CEO and founder of phoenixNAP. That's why employee education should be the top priority of any organization.
Every employee is a potential victim of CEO fraud, either as the final target or a means to an end during attack setup. Here are employee groups considered valuable targets given their roles and access to funds or info:
- Finance department: Staff members who handle finances are prime candidates for CEO fraud. Criminals often target companies with sloppy policies that only demand an email from a senior position to initiate the transfer.
- Human resources: HR has access to every person in the organization and manages the employee database, so this department holds all the info necessary for successful CEO fraud. Criminals often include spyware inside a CV, send the infected doc, and hope that the recipient accidentally grants access to company data.
- C-level executives: Every executive team member is a high-value piece of a CEO fraud plan. These people hold financial authority within a company, making their accounts the go-to targets for anyone looking to trick employees into money transfers.
- IT department: The IT personnel with authority over access controls and password management are also common targets. If criminals steal the credentials of an IT manager, they gain entry to every part of the organization.
Did you know that an average corporation experiences over 700 social engineering attacks every year? Learn how to protect your organization in our social engineering prevention article.
Examples of CEO Fraud
Let's take a look at a few of the biggest CEO frauds to help you get a sense of how these scams happen:
- Toyota: On August 14, 2019, a scammer convinced an employee at the accounting department of Toyota's European subsidiary to transfer $37 million to a fake account. The criminal pretended to be a high-ranking executive and allegedly claimed that the company was not able to continue production without the funds.
- Pathé: France's independent film group lost $22 million in an internet scam in March 2018. Criminals sent several emails from the personal address of the company's CEO and asked targets to transfer funds to four different accounts. Allegedly, the scammer told victims that the funds were necessary for an acquisition of an unnamed Dubai-based company.
- FACC AG: In January 2016, Austria's biggest aerospace company announced that fraudsters stole $50 million from the company. The crook targeted the financial and accounting department with a compromised CEO account.
- Crelan: In May 2016, Crelan Bank became a victim of scammers who used CEO fraud to trick employees into unlawful money transfers. The company did not reveal the exact strategy used to fool the target, but the bank reported over $70 million in losses.
- Puerto Rican government: Corporations are not the only victims of CEO fraud. On January 17, 2020, Puerto Rico's Industrial Development Company lost over $2.6 million in a phishing scam. A crook posed as a beneficiary and asked the target to change a bank account tied to remittance payments.
Once cybercriminals make their way into your system, CEO fraud is not the only thing to worry about. A data breach is another likely scenario, which is just as dangerous to your bottom line.
CEO Fraud Prevention
Below are the most effective methods for countering the threat of CEO fraud.
Tips for companies
- Educate the staff about fraud tactics via regular security awareness training sessions.
- Require authorization for all transactions (plus double verification for any transfer over $5000).
- Create strict guidelines for changing payment details.
- Prepare a disaster recovery plan to ensure you react quickly in case of successful CEO fraud.
- Limit the info you share on official websites, job descriptions, and social media profiles.
- Run periodic penetration testing to see how the team reacts to realistic scam simulations.
- Ensure employees use two-factor authentication on email accounts.
- Enforce strict, zero-trust security policies and review them regularly.
- Ensure everyone uses strong, unique passwords and that they update credentials every few weeks.
- Set up anti-malware tools, firewalls, intrusion detection systems (IDS), and email filters.
- Use email authentication protocols such as DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to control who may send mail for your domain.
- Impose extra safeguards on high-risk users (C-level executives, HR, Accounting, and IT staff).
- Register as many domains as possible that are similar to your company's domain.
Tips for individual employees
- Verify every payment and purchase request in person.
- Check the sender of every email by viewing their full address rather than only the display name.
- Scan every email attachment with an anti-malware tool before you open anything.
- Contact the security team whenever something looks off or suspicious.
- Do not share info on social media that helps scammers figure out passwords (e.g., pet names, birthdays, high school names, etc.).
- Know how to recognize phishing red flags in an email.
- Hover over every link to examine the URL before clicking.
- Never download anything from an email sent by an unknown party.
How to Report CEO Fraud?
Here are step-by-step instructions on what to do if you've been a victim of CEO fraud:
1. Contact your bank ASAP
- Inform the bank of the fraudulent wire transfer.
- Give them full details of the amount and where the money is going.
- Ask whether they can recall the transfer or intervene in some fashion (e.g., contact the bank on the receiving end and have them prevent the withdrawal or further transfers).
2. Contact attorneys
- Reach out to your legal team and inform them of the incident.
- Share all the facts related to the attack so that they start dealing with potential legal consequences.
3. Reach out to law enforcement
- Prepare a report for the officials with all relevant info (transaction details, date and time, email and IP addresses, accounts of previous phishing activity, etc.).
- If you operate in the US, contact your local FBI office and identify the incident as BEC. If you're in Europe, call Europol. Otherwise, reach out to the local police department.
4. Brief your senior management
- Call an emergency meeting of all executives.
- Brief the board on the incident, what steps you already took, and any planned further actions.
- Notify any third party that might face risk, such as a supplier or companies whose data you store.
5. Conduct IT forensics
- Have the security team investigate the breach and find the attack vector.
- Ensure the staff recovers control of all accounts and eliminates malware.
- After addressing the immediate concern, create a plan to prevent the same incident from reoccurring.
Unfortunately, companies recover less than 4% of fraudulently transferred funds. Consider taking out an insurance policy that covers you in case of CEO fraud (typically regarded as coverage for internal negligence or email impersonation, not as cybersecurity insurance).
Are Your Employees Ready for CEO Fraud Attempts?
No one solution guarantees 100% protection against CEO fraud. You must rely on a mix of technologies, employee awareness, and sound internal policies to combat this threat effectively. You also require an incident response plan to ensure the team is ready to react to a scam attempt. Otherwise, you risk getting caught off guard, which is a sure-fire recipe for suffering losses from CEO fraud.