For quite some time now, terms like “CEO-Fraud” or “Fake-President trick” have been going around. Observers estimate damages to the extent of billions of dollars. But how exactly do the criminals go about their cunning work? Which tricks do they use? And which steps can companies take, to protect themselves and their employees from this type of scam?
Bernhard Hecker is the Head of Product Management at Retarus and has been devoting himself and his expertise to the topic of IT Security for many years. In this interview he answers the most crucial questions and provides important pointers for IT managers.
What is “CEO fraud” exactly?
Bernhard Hecker: “CEO fraud”, also known as the “Fake President” trick (in this case, the president of a company) is a scam in which cyber criminals pass themselves off as the head of a company and use bogus emails to request that their victims transfer large sums of money. The unknown tricksters take care to target staff that have access to sensitive details or have the authority to make payments. This could be an executive assistant to the CEO, for instance, or employees in the controlling or HR departments. The unknowing victims receive an email, seemingly bearing the name of their own CEO as the sender. The message usually contains a request for the recipient to make an urgent, highly confidential transaction – such as the acquisition of a company, for which a high amount of money needs to be transferred without delay.
What is the exact content of the emails? And how do the fraudsters get hold of the information they need to run their scam?
Hecker: To appear credible, the senders use social engineering tactics to research the name and email address of the company head as well as persons who may have the authority to execute payments. This information is readily available from public sources such as company websites, press releases or commercial registers. Auto reply emails with out of office notices assist the fraudsters in their scams, as do social media posts. Should the managing director currently be on a business trip to Asia, then the message may refer to the acquisition of a company in the region, or damages that urgently have to be settled for a car accident that has occurred there. The emails often attempt to put additional pressure on the recipient to act quickly by stating ostensible deadlines or imminent legal claims.
General holiday periods also offer an ideal environment for criminals. Almost all companies work through the holidays or vacations with reduced staff numbers, meaning that the level of control is compromised. If the boss is on vacation, employees often want to be as considerate as possible. So they may choose not to check back for confirmation, increasing the likelihood of an imprudent remittance.
Which organizations are especially targeted by such cyber attacks?
Hecker: In general, companies of all sizes are subject to CEO fraud. It has been observed that the fraudsters are able to estimate the size of the enterprise very precisely, allowing them to adapt the requested amount and the reason for the payment accordingly. But there is another reason why small and medium sized enterprises are especially popular targets. While big corporations normally have strict security and control mechanisms in place for large bank transfers, medium sized companies often lack clear processes and guidelines. As a result, companies of such a size have become favored, promising targets for these kinds of fraud.
How should employees react when they first suspect something may be wrong?
Hecker: In case of any doubts, staff should always seek to take up personal contact with the supposed sender and look to confirm the payment request by means of another, independent communication channel – in the best case personally on the phone. Replying in writing via email should be avoided if there is any suspicion, as the reply-to address usually doesn’t match up with the correct sender address, but rather points to an email account from some freemail provider. So the email doesn’t reach the real CEO, but rather goes to the scammer. This sends a signal to the attacker that a potential victim has taken the bait. The criminals then see good prospects for success and increase their efforts accordingly.
In cases where an attack is suspected, any affected personnel should moreover inform their respective IT Security Officers in accordance with their internal IT guidelines as well as informing all staff with authority to make payments and perhaps the entire management about the incident.
What if a fake email has already been responded to?
Hecker:Victims are advised to quickly get in touch with the local police station or the criminal investigation unit responsible for such cases. If the bank has already been instructed to make the transfer, the company’s bank signatories should immediately try to stop the payment at the bank or to book back any amounts that have already been transferred by the bank.
Which technical options can help to prevent such cyber fraud incidents?
Hecker: As always, even the very best IT security solutions are no replacement for training staff and raising their awareness. To safeguard themselves against CEO fraud, however, companies should still ensure that their systems are of the highest possible technical standards which allow them to check sender authenticity. Well-known options in this regard include the Sender Policy Framework (SPF) or Domain Keys Identified Mail (DKIM).
IT security measures, such as email security services, can moreover offer additional security – even if these attacks which tailor messages to fool a specific victim are extremely difficult to distinguish from legitimate emails. That’s why security providers, for instance Retarus, are working hard to develop technologies with which emails can automatically be marked if technical irregularities are identified with the sender information contained in the email header.
Which protective measures can companies generally take in addition to IT security?
Hecker: As with all scams, the “human security factor” remains a risk in CEO fraud too. Companies should take care to sensitize their staff about such types of attack on a regular basis. In the best case, real-world examples should be used to heighten awareness. In addition to raising awareness about such dangers, it also helps to have transparent, easy-to-follow guidelines. To combat CEO fraud companies could, for instance, protect themselves by setting basic limits for bank transfers as well as clearly defining controlling and authorization processes.