A Complete Guide to the CEO Fraud Business Email Compromise Phenomenon

“Hi, Jane - I’m on a conference call right now. I can’t talk on the phone but let me know if you got my text. Thanks, John Doe (CEO).”

Chances are, you’ve either received a message like this or know someone who has. In fact, business email compromise (BEC) attacks continue to increase as cybercriminals adjust their techniques to snare as many victims as possible. Cyber attackers are evolving social engineering techniques that take advantage of human interactions, manipulating employees into breaking standard security procedures and best practices so the attacker gains unauthorized access to systems, networks, and information. Even with traditional cybersecurity controls in place, these cybercriminals can penetrate an organization through its employees, often without the employees’ knowledge.


What is Business Email Compromise?

The FBI defines BEC as a “sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” These can be one of the most financially damaging online crimes, exploiting the fact that so many rely on email to conduct personal and professional business. 

The above is an example of a mass-scale CEO scam, a growing strain of BEC attack that attempts to trick employees into thinking a high official at their company wants them to send money. Also known as CEO fraud, this particular tactic relies on a sense of urgency and authority while playing off employees’ desire to be helpful and do a good job. According to the FBI Internet Crime Complaint Center’s (IC3) Internet Crime Report, BEC schemes were the costliest type of attack with an adjusted loss of approximately $1.8 billion in 2020. 

Especially amidst the move to a dispersed workforce, CEO fraud business email compromise takes advantage of the various methods and tools many use to stay connected within an organization. Just a few years ago, BEC scams began gaining in popularity with the hacking or spoofing of the email accounts of C-suite members, with fraudulent emails requesting wire payments be sent to unauthorized locations. As these cybercriminals have grown more sophisticated, the scam has evolved to include other compromised or spoofed accounts (personal emails and text messages included), requests for tax information, and asking for favors such as purchasing a large number of gift cards. And the tactics continue to evolve: Just last year, the IC3 observed an increase in the number of BEC complaints related to the use of identity theft and funds being converted to cryptocurrency. 

If an employee falls for these tactics, it could result in damage far beyond personal embarrassment. Providing passwords to bad actors, sending funds or sensitive data to an attacker, or opening the organization to ransomware through the click of a link can all have wide-reaching effects on the organization as a whole. 

How Cyber Criminals Leverage Social Engineering

Before conducting CEO fraud BEC schemes, cybercriminals do their research to ensure the best chance of success. They will peruse the company website, social media pages, media coverage, and more to collect information on their target and their spoofed persona. This research will include a variety of information, including:

  • Names, titles, and email addresses of executive and high-level employees 
  • Employees in finance, payroll, HR roles 
  • Company information or other notable events, projects, or news 
  • New employees 
  • Customers, vendors, or partners of the organization  
  • Out-of-office notifications or personal social media posts about senior leadership being away

Cybercriminals use this information to target employees more effectively and convince them to click a link, send funds, provide login credentials, and more. With more employees working remotely, it has become more challenging to verify requests face-to-face, and newer collaboration tools can also be spoofed, complicating the attack further. Just as the threats evolve, we must adapt our capabilities to spot and stop these attacks before they get too far.

The Golden Triad of Cybersecurity

Outside of cybersecurity specialists, most people have never been taught cybersecurity – or they’ve only received very basic training. But employees are the first line of defense against cyberattacks, particularly those like BEC, and as such, they should be enabled with the proper training and guidance to best prepare them for potential threats. Cybersecurity awareness training on an annual (or even quarterly) basis is no longer enough, as threat actors change frequently and awareness dwindles after a certain period of time. Organizations need to conduct frequent, engaging training – particularly with new employees, who are prime targets for BEC attacks – to encourage employees to be on high alert for any scams they might encounter. 

Further, cybersecurity awareness needs to include an overview of what information is being posted and how cyber attackers can use it against employees. For example, if your organization is hosting a charity golf event, let your team know there might be an uptick in illegitimate requests to buy gift cards and other scams tied to the event. Not having clearly defined and communicated policies can leave the door open for employees to fall victim to potential social engineering attacks, including CEO fraud. Many are simply unaware of how the information they post and the systems or tools they use can open themselves and the organization up to increased risk. 

Organizations also need clear policies and processes in place for employees to follow in the event of a potential threat. Developing an incident response plan for BEC is crucial to mitigate the possible repercussions of such an attack. The faster fraud is reported, the higher the chance any funds or data might be recoverable. This plan can also include elements such as a second form of verification before responding to any payment or data requests, either by contacting the alleged sender directly in another way or by having another employee confirm the request’s legitimacy. 

Finally, implementing basic cybersecurity measures, such as creating unique passwords and enabling multi-factor authentication, makes it more difficult for cybercriminals to take over accounts and goes a long way toward preventing widespread impact in the event of a BEC attack. Spam filters or blockers can stop most phishing messages before they hit your inbox, and identifying notices on messages from unknown senders can act as reminders to critically vet sources. Still, malicious emails can get through the filters, so employees must have social engineering training.
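As an added illustration (not code from the original post or from any vendor product) of the technical layer described above, the script below applies three simple checks a mail filter or security team might use to flag a CEO-fraud lure like the one that opens this article: an executive's display name arriving from outside the company domain, a Reply-To that silently redirects replies elsewhere, and urgency or payment language. The company domain, executive names, lure terms and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example: the defending organization's mail domain
# and the display names an impersonator is most likely to borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"john doe", "jane smith"}
# Language typical of CEO-fraud lures: urgency, unavailability, payment or gift-card asks.
LURE_TERMS = re.compile(
    r"\b(gift cards?|wire (?:transfer|payment)|urgent|right now|can.?t talk)\b", re.I)

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze(raw_message):
    """Return a list of findings for one RFC 822 message; empty means nothing flagged."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""  # plain-text mail only
    findings = []
    # 1. An executive's name on a message that did not come from our own domain.
    if display_name.strip().lower() in EXECUTIVE_NAMES and domain_of(from_addr) != COMPANY_DOMAIN:
        findings.append("executive display name on external sender")
    # 2. Replies redirected to a mailbox on a different domain than the sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("reply-to domain differs from sender domain")
    # 3. Urgency or payment language in the subject or body.
    if LURE_TERMS.search(msg.get("Subject", "") + "\n" + body):
        findings.append("urgency or payment language")
    return findings

# Constructed sample messages (not real mail); the first mirrors the lure quoted above.
SUSPICIOUS = """From: "John Doe" <john.doe@webmail.example>
Reply-To: <ceo-desk@another.example>
To: jane@example.com
Subject: Quick favor

Hi, Jane - I'm on a conference call right now. I can't talk on the phone but let me know if you got my text. Thanks, John Doe (CEO).
"""

LEGITIMATE = """From: "John Doe" <john.doe@example.com>
To: jane@example.com
Subject: Board deck

Jane, the Q3 slides are in the shared folder when you have a minute.
"""
```

Running `analyze(SUSPICIOUS)` yields all three findings while `analyze(LEGITIMATE)` yields none; in practice such flags would feed an external-sender banner or a review queue rather than block mail outright.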

We often come back to the golden triad of cybersecurity, leveraging people, processes, and technology for a comprehensive and adaptable approach to protect organizations from current and future threats. This approach to CEO fraud and other BEC scams can go a long way in protecting organizations from evolving cyber threats, especially as we continue to adapt to the new way of working in a dispersed world. Through regular, engaging employee training and setting an established baseline of normal activity using standardized policies and secure technology, each employee from top to bottom can play a significant role in keeping their organization safe.

More Resources:

Blog: Social Engineering Training for Employees: The Framework

Blog: Looking Ahead to Social Engineering Trends of 2022

Blog: Fight the Phish: How to Identify and Handle Phishing Attempts

Webinar: How to Spot a Phish: Tips to Spoil Advanced Phishing Attempts

Blog: Catch a Phish Before It Catches You
