A Complete Guide to the CEO Fraud Business Email Compromise Phenomenon


“Hi, Jane – I’m on a conference call right now. I can’t talk on the phone but let me know if you got my text. Thanks.”

John Doe (CEO)

Chances are, you’ve either received a message like this or know someone who has. Business email compromise (BEC) attacks continue to increase as cybercriminals refine their techniques to ensnare as many victims as possible. Attackers evolve their social engineering tactics to exploit ordinary human interactions, manipulating employees into breaking standard security procedures and best practices so the attacker gains unauthorized access to systems, networks, and information. Even with traditional cybersecurity measures in place, these cybercriminals can penetrate an organization through its employees, often without the employees’ knowledge, which makes CEO fraud harder to detect.

What is Business Email Compromise?

The FBI defines business email compromise as a “sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” These can be one of the most financially damaging online crimes, exploiting the fact that so many rely on email to conduct personal and professional business. 

The John Doe example above references a mass-scale CEO scam, a growing strain of business email compromise attacks that attempt to trick employees into thinking a high official at their company wants them to send money. Also known as CEO fraud, this particular tactic relies on a sense of urgency and authority while playing off employees’ desire to be helpful and do a good job. According to the FBI Internet Crime Complaint Center’s (IC3) Internet Crime Report, business email compromise schemes were the costliest attack, with an adjusted loss of approximately $1.8 billion in 2020. 

Especially amidst the move to a dispersed workforce, CEO business email compromise takes advantage of the many methods and tools people use to stay connected within an organization. Just a few years ago, business email compromise scams began gaining popularity through the hacking or spoofing of C-suite members’ email accounts, with fraudulent emails requesting that wire payments be sent to unauthorized accounts. As these cybercriminals have grown more sophisticated, the scam has evolved to include other compromised or spoofed channels (personal email and text messages), requests for tax information, and favors such as purchasing gift cards. The schemes only continue to evolve, making CEO fraud harder to detect. Just last year, the IC3 observed an increase in the number of business email compromise complaints related to identity theft and funds being converted to cryptocurrency.

If an employee falls for these tactics, it could do damage far beyond personal embarrassment. Providing passwords to bad actors, sending funds or sensitive data to an attacker, or opening the organization to ransomware through the click of a link can all have wide-reaching effects on the organization. 


How Cyber Criminals Leverage Social Engineering

Before conducting CEO business email compromise schemes, cybercriminals research to ensure the best chance of success. They will peruse the company website, social media pages, media coverage, and more to collect information on their target and spoofed persona. This research will include a variety of information, including:

  • Names, titles, and email addresses of executive and high-level employees 
  • Employees in finance, payroll, and HR roles 
  • Company information or other notable events, projects, or news 
  • New employees 
  • Customers, vendors, or partners of the organization  
  • Out-of-office notifications or personal social media posts about senior leadership being away

Cybercriminals use this information to target employees more effectively to convince them to click a link, send funds, provide login credentials, and more. With more employees working remotely, it has become more challenging to verify requests face-to-face, and new technology collaboration tools can also be spoofed to complicate the attack further. Just as the threats evolve, we must adapt our capabilities to spot and stop these attacks before they get too far. 

The Answer to CEO Fraud Detection

Outside of cybersecurity specialists, most people have never been taught cybersecurity – or they’ve only received very basic training. But employees are the first line of defense against cyberattacks, particularly those like business email compromise. As such, they should be enabled with the proper training and guidance to best prepare them for potential threats. Cybersecurity awareness training on an annual (or even quarterly) basis is no longer enough, as threat actors change frequently, and awareness dwindles after a certain period. Organizations must conduct frequent, engaging training – particularly with new employees, who are prime targets for business email compromise attacks – to encourage their team to be on high alert for any scams they might encounter. 

Further, cybersecurity awareness needs to include an overview of what information is being posted and how cyber attackers can use it against employees. For example, if your organization is hosting a charity golf event, let your team know there might be an uptick in illegitimate requests to buy gift cards and other scams tied to the event. Not having clearly defined and communicated policies can leave the door open for employees to fall victim to potential social engineering attacks, including CEO fraud. Many are simply unaware of how the information they post and the systems or tools they use can open themselves and the organization up to increased risk. 

Organizations also need clear policies and processes for employees to follow in the event of a potential threat. Developing an incident response plan for business email compromise is crucial to mitigate the possible repercussions of such an attack. The faster fraud is reported, the higher the chance any funds or data might be recoverable. This plan can also include elements such as a second form of verification before responding to any payment or data requests, either by contacting the alleged sender directly in another way or by having another employee confirm the request’s legitimacy. 

Finally, implementing basic cybersecurity measures, such as creating unique passwords and enabling multi-factor authentication, can go a long way in limiting the impact of a business email compromise attack by making it harder for cybercriminals to take over accounts. Spam filters or blockers can stop most phishing messages before they hit your inbox, and warning banners on messages from external or unknown senders act as reminders to critically vet the source. Still, malicious emails can get through the filters, so employees must have social engineering training.
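To make the filtering point concrete, here is an added example (not Defendify’s product logic and not code from the original article) of the kind of rule a mail filter or a SOC analyst can run over incoming messages to flag the CEO-fraud patterns the article describes: an executive’s display name on an external address, a lookalike of your own domain, a Reply-To that diverts replies elsewhere, and urgency paired with a payment or gift-card ask. The internal domain, the executive names, and the four sample messages are all constructed assumptions for the illustration.

```python
"""Flag likely CEO-fraud messages from raw RFC 5322 headers and body.

Heuristics (an added illustration with assumed inputs, not a vendor's filter):
  1. exec-name-external-domain: From display name matches a known executive
     but the sender's domain is not one of ours;
  2. lookalike-domain: sender domain is within edit distance 1 of ours after
     normalising common homoglyph swaps (rn->m, vv->w, 0->o, 1->l);
  3. reply-to-mismatch: Reply-To points somewhere other than the From address;
  4. urgent-payment-request: urgency/secrecy phrasing plus a money or data ask.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAINS = {"example.com"}           # assumed internal domains
EXECUTIVES = {"john doe", "jane roe"}   # assumed names pulled from the directory
URGENCY = re.compile(r"\b(urgent|asap|right now|can't talk|confidential|quietly)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|gift cards?|invoice|w-2|payroll)\b", re.I)


def normalise_domain(domain: str) -> str:
    """Collapse the character substitutions attackers use to fake our domain."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain is not ours but is one typo/homoglyph away from ours."""
    if not domain or domain.lower() in OUR_DOMAINS:
        return False
    d = normalise_domain(domain)
    return any(edit_distance(d, ours) <= 1 for ours in OUR_DOMAINS)


def flag_message(raw: str) -> list[str]:
    """Return the list of heuristic names that fire for one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    if name.strip().lower() in EXECUTIVES and domain not in OUR_DOMAINS:
        flags.append("exec-name-external-domain")
    if is_lookalike(domain):
        flags.append("lookalike-domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("reply-to-mismatch")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    if URGENCY.search(body) and PAYMENT.search(body):
        flags.append("urgent-payment-request")
    return flags


# Constructed sample messages (not real traffic) covering each pattern.
SAMPLES = {
    "display_name_spoof": (
        "From: John Doe <johndoe.ceo@gmail.com>\nTo: jane@example.com\n"
        "Subject: quick favor\n\n"
        "Hi Jane, I'm on a conference call and can't talk. I need you to buy "
        "gift cards right now and keep it confidential.\n"
    ),
    "lookalike_domain": (
        "From: John Doe <john.doe@exarnple.com>\nReply-To: john.doe@exarnple.com\n"
        "Subject: wire\n\nPlease process the wire transfer today, it is urgent.\n"
    ),
    "reply_to_divert": (
        "From: John Doe <john.doe@example.com>\nReply-To: John Doe <john.doe.ceo@gmail.com>\n"
        "Subject: forms\n\nPlease send me the W-2 forms asap.\n"
    ),
    "legitimate": (
        "From: John Doe <john.doe@example.com>\nSubject: lunch\n\nLunch at noon?\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:20s} -> {flag_message(raw) or 'clean'}")
```

The third sample shows why the Reply-To check matters: when the From address is forged to the executive’s real internal address, the display-name rule stays silent and only the diverted Reply-To gives the message away. In a real deployment the name match would be fuzzy rather than exact, the sender domain would be taken from the authenticated envelope (SPF/DKIM/DMARC results) rather than the easily forged From header, and a hit would route the message to the out-of-band verification step described above rather than block it outright.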

We often return to the golden triad of cybersecurity, leveraging people, processes, and technology for a comprehensive and adaptable approach to protect organizations from current and future threats. This approach to CEO fraud detection and other business email compromise scams can go a long way in protecting organizations from evolving cyber threats, especially as we continue to adapt to the new way of working in a dispersed world. Through regular, engaging employee training and setting an established baseline of normal activity using standardized policies and secure technology, each employee, from top to bottom, can play a significant role in keeping their organization safe.

TL;DR:

  • Business email compromise is a scam carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
  • CEO business email compromise is a growing strain of business email compromise attacks that attempts to trick employees into thinking a high official at their company wants them to send money. Also known as CEO fraud.
  • Cybercriminals use researched information to target employees more effectively to convince them to click a link, send funds, provide login credentials, and more.
  • Employees are the first line of defense against cyberattacks, particularly those like business email compromise.
