A Complete Guide to the CEO Fraud Business Email Compromise Phenomenon



“Hi, Jane – I’m on a conference call right now. I can’t talk on the phone but let me know if you got my text. Thanks.”

John Doe (CEO)

Chances are, you’ve either received a message like this or know someone who has. Business email compromise (BEC) attacks continue to increase as cybercriminals refine their techniques to ensnare as many victims as possible. Attackers evolve their social engineering tactics to exploit ordinary human interactions, manipulating employees into breaking standard security procedures and best practices so the attacker gains unauthorized access to systems, networks, and information, or simply to money. Even with traditional cybersecurity controls in place, these criminals can get into an organization through its employees, often without anyone noticing, which makes CEO fraud harder to detect.

What is Business Email Compromise?

The FBI defines business email compromise as a “sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” These can be one of the most financially damaging online crimes, exploiting the fact that so many rely on email to conduct personal and professional business. 

CEO Fraud

The John Doe example above is a typical CEO scam, a growing strain of business email compromise that tries to trick employees into believing a senior executive at their company wants them to send money. Also known as CEO fraud, this tactic relies on urgency and authority while playing on employees’ desire to be helpful. According to the FBI Internet Crime Complaint Center’s (IC3) 2022 Internet Crime Report, the IC3 received 21,832 BEC complaints that year, with adjusted losses of approximately $2.7 billion. The IC3 also noted a slight increase in attackers targeting victims’ investment accounts rather than traditional bank accounts.

Now that the workforce is far more dispersed because of the pandemic, CEO fraud thrives on the many tools people use to stay connected within an organization. A few years ago, business email compromise scams gained popularity by spoofing the email accounts of C-suite members, with fraudulent messages requesting that wire payments be sent to attacker-controlled accounts. As the criminals have grown more sophisticated, the scam has expanded to other compromised or spoofed channels (personal email addresses and text messages), requests for employee tax information, and “favors” such as purchasing gift cards. The schemes continue to evolve, making CEO fraud harder to detect.


How Cybercriminals Leverage Social Engineering

Before conducting business email compromise schemes, cybercriminals do extensive research to give themselves the best chance of success. To collect information on a target, threat actors typically comb through the company’s website, social media pages, and media coverage before the attack. This research yields a variety of information, including:

  • Names, titles, and email addresses of executive and high-level employees 
  • Employees in finance, payroll, and HR roles 
  • Company information or other notable events, projects, or news 
  • The names of new employees 
  • Customers, vendors, or partners of the organization  
  • Out-of-office notifications or personal social media posts about senior leadership being away

Cybercriminals use this information to target employees more precisely and convince them to click a link, send funds, hand over login credentials, and more. With more employees working remotely, verifying a request face-to-face is harder, and collaboration tools can be spoofed to complicate the attack further; you’ve probably received an email mimicking a Slack notification, complete with its branding, for example. Just as the threats evolve, we must adapt our ability to spot and stop these attacks before they get too far.

The Answer to CEO Fraud Detection

1. Train your team

Outside of cybersecurity specialists, most people have never received cybersecurity education, or only very basic training. Yet employees are the first line of defense against cyberattacks, particularly business email compromise, so they should be given the training and guidance that best prepares them for the threats they will face. Annual (or even quarterly) awareness training is no longer enough, because threat actors change their tactics frequently. Organizations must run frequent, realistic, and engaging training, especially for new employees, who are prime targets for business email compromise attacks.

2. Spread the word

Further, it’s important that employees know what information is being posted and how cyber-attackers can use it against employees. For example, if your organization is hosting a charity golf event, let your team know there might be an uptick in illegitimate requests to buy gift cards and other scams tied to the event. Not having clearly defined and communicated policies can leave the door open for employees to fall victim to potential social engineering attacks, including CEO fraud. Many are simply unaware of how the information they post and the systems or tools they use can open themselves and the organization up to increased risk. 

3. Set expectations and plan ahead

Organizations also need clear policies and processes for employees to follow when they spot a potential threat. An incident response plan that covers business email compromise is crucial to limiting the damage of such an attack: the faster fraud is reported, internally and to the bank that processed the payment, the better the chance that funds or data can be recovered. We also recommend standard procedures for handling any payment or data request, such as confirming it with the apparent sender through a separate, already-known channel (a phone number on file, not one supplied in the message) or having a second employee independently confirm the request’s legitimacy before anything is sent.

4. Get back to basics

Finally, basic cybersecurity measures go a long way toward limiting the impact of a business email compromise attack. Best practices such as unique passwords and multi-factor authentication make it harder for cybercriminals to take over accounts, buying your organization much-needed time during an incident. Enable spam and phishing filters, which stop most phishing messages from reaching your company’s inboxes, and publish SPF, DKIM, and DMARC records for your own domain so that messages forged to look like they come from your executives can be rejected by receiving mail servers rather than delivered.
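The filtering point above is easier to act on with a concrete check. What follows is an added example written for this article, not code from the original page or from Defendify’s products: a small Python triage script that scores an inbound message for the CEO-fraud signals the article describes (an executive’s display name on an address that is not theirs, a lookalike sender domain, a Reply-To that steers answers elsewhere, mail claiming our own domain without a DMARC pass, and urgency or payment language in the text). The organization domain example.com, the executive directory, the score weights and threshold, and both sample messages are assumptions constructed for the example; a real deployment would pull the directory from the identity provider and tune the weights against its own mail.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed inputs for this added example: the organization's own mail domain
# and a small directory of executives (lower-cased display name -> address).
# In a real deployment these would come from the directory service.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"john doe": "john.doe@example.com"}

# Wording CEO-fraud messages lean on: urgency, secrecy, "can't talk", and
# requests for payments, payroll/tax data or gift cards.
URGENCY = re.compile(
    r"\b(urgent|asap|right away|immediately|confidential|"
    r"on a (?:conference )?call|can'?t talk|need (?:this|it) today)\b", re.I)
PAYMENT = re.compile(
    r"\b(wire|transfer|gift ?cards?|payroll|w-?2s?|direct deposit|"
    r"invoice|bank (?:details|account))\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, org_domain: str) -> bool:
    """True for domains within two edits of ours or embedding our label under
    another TLD (examp1e.com, example-com.net); never true for our own domain."""
    if domain == org_domain:
        return False
    org_label = org_domain.split(".")[0]
    return edit_distance(domain, org_domain) <= 2 or org_label in domain


def score_message(raw: str) -> dict:
    """Return a risk score, the reasons behind it, and a flag for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    name_key = " ".join(from_name.split()).lower()

    # A known executive's display name on an address that is not theirs:
    # the classic spoofed or "personal account" CEO message.
    if name_key in EXECUTIVES and from_addr != EXECUTIVES[name_key]:
        score += 3
        reasons.append(f"display name '{from_name}' used with {from_addr}")

    if from_domain and is_lookalike(from_domain, ORG_DOMAIN):
        score += 2
        reasons.append(f"lookalike sender domain {from_domain}")

    # Reply-To steering answers to a different mailbox than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr:
        score += 2
        reasons.append(f"reply-to {reply_addr} differs from sender")

    # Mail claiming our own domain that did not pass DMARC at the receiving
    # edge is a forgery signal; external mail is judged on the other signals.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == ORG_DOMAIN and "dmarc=pass" not in auth:
        score += 3
        reasons.append("claims our domain but DMARC did not pass")

    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency / can't-talk language")
    if PAYMENT.search(text):
        score += 2
        reasons.append("payment, payroll or gift-card request")

    return {"score": score, "reasons": reasons, "flag": score >= 4}


# Constructed sample messages for this example; not real traffic.
SAMPLE_FRAUD = """\
From: John Doe <john.doe@examp1e.com>
Reply-To: jd.private@gmail.com
To: jane@example.com
Subject: Quick favor
Content-Type: text/plain; charset="utf-8"

Hi Jane, I'm on a conference call right now and can't talk on the phone.
I need you to buy some gift cards for a client today. Keep this confidential.
"""

SAMPLE_LEGIT = """\
From: John Doe <john.doe@example.com>
To: jane@example.com
Subject: Board deck
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Jane, the Q3 board deck is in the shared drive. Thanks.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_FRAUD, SAMPLE_LEGIT):
        print(score_message(raw))
```

Run as a script, the fraud sample scores 10 (every signal fires) and the legitimate message scores 0. The point of the reasons list is triage, not automatic blocking: a flagged message should land with the recipient and the security team with the reasons attached, so the employee can apply the out-of-band verification step from the plan above instead of acting on the email alone.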

Cybersecurity isn’t just about tools and software; rather, it requires leveraging people, processes, and technology for a comprehensive and adaptable posture. This approach to CEO fraud detection and other business email compromise scams can go a long way in protecting organizations from evolving cyber threats. Through consistent, engaging employee training and by putting standardized policies and plans in place, every employee can play a significant role in keeping their organization safe.

Ready to take the first step toward a comprehensive cybersecurity posture? Let’s talk.
