For attackers, business email compromise (BEC) is the holy grail of phishing. Run-of-the-mill phishing is much like fishing with dynamite: they throw a stick of it overboard and know it will hit at least some of the “fish” (potential email victims) in the targeted area. While many fish will escape unharmed, the attackers know that if they keep throwing sticks of dynamite overboard, they will eventually catch some unsuspecting fish off guard. This type of phishing attack is a low-cost, minimal-effort method of assault that results in substantial gains — making the attacks highly worthwhile.
However, some attackers decide that they aren’t content with their haul and want more significant gains. When they decide to go after bigger prey, they may do so by impersonating a company’s CEO or another executive. To do this, they switch tactics and use a more targeted approach known as business email compromise. In this type of attack, the sender pretends to be a senior executive of the target firm and tries to get mid-level or junior employees to hand over data or execute fraudulent financial transactions. Because the impersonated person is frequently the CEO, this type of attack is also known as CEO fraud, or a “whaling attack.”
The Cost of CEO Fraud Email Scams
Business email scams are incredibly costly to businesses worldwide. According to an announcement by the FBI, BEC email fraud resulted in more than $12 billion in domestic and international loss between October 2013 and May 2018.
One such example occurred last year when European-based cinema chain Pathé fell victim to a CEO fraud email scam totaling €19 million (roughly $21.5 million) over the course of a month.
This article will briefly define what CEO fraud is, share tips about what to do when your business falls prey to one of these scams, and describe some ways that a company can protect itself against a whaling attack.
What CEO Fraud Entails for Businesses and Employees
CEO fraud is a more recent and niche variant of email-based phishing attacks. Rather than sending generic messages to large groups of people, a whaling attack is a strategy that typically focuses on specific individuals while impersonating someone in a position of power within their organization. According to a 2016 release from the FBI, CEO fraud specifically resulted in $2.3 billion in losses to U.S. businesses between October 2013 and February 2016. That number continues to grow with each year.
CEO fraud emails often target victims who work in human resources and accounts payable — essentially, people who have access to personally identifiable information (PII) and financial information, or who may be responsible for performing wire transfers on behalf of their organization.
Because the email appears to come from a senior-level executive, the lower-level employee is less likely to challenge the veracity of the email and will make the fund transfer without question.
What to Do When Your Business Falls Victim to a CEO Fraud Email
According to the FBI’s 2016 release, there are a few steps you can take when your company has been victimized by a CEO fraud or business email compromise scam:
- Contact your financial institution immediately;
- Request that they contact the financial institution where the fraudulent transfer was sent; and
- File a complaint with the FBI’s Internet Crime Complaint Center (IC3) regardless of how much was transferred.
There are additional steps you’ll want to take:
- Inform the rest of your company’s senior leadership and board about the whaling attack;
- Contact your company’s attorneys for legal representation;
- Determine where the attack came from and take any necessary actions to secure the account affected by the email fraud; and
- Contact your cyber insurance (which, hopefully, you have in place) to see whether your plan will cover the CEO fraud.
How to Prevent CEO Fraud & Protect Your Business from Whaling Attacks
As a chief information security officer (CISO) or another leader responsible for ensuring the security of your company, it’s vital to ensure that appropriate precautions and steps are taken to mitigate the risk of CEO fraud and other business email compromise scams as much as possible.
Some of the steps you and your end users can take to prevent fraud include:
- Identify your high-risk personnel. This list can include employees who could receive CEO fraud emails as well as employees who could be impersonated.
- Implement security measures. Along with password managers, network protections, and two-factor authentication (2FA), technology such as anti-phishing software or anti-phishing service platforms like Clearedin can help protect your network and email systems.
- Implement company-wide policies and procedures. These policies and procedures can impact wire transfers, computer use, and user access control, among other tasks and capabilities. For example, before a fund transfer of any size can be made or vendor payment information can be altered, verify the request by phone.
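One concrete way to act on the first two items above is to screen inbound mail against the high-risk personnel list. The following is an added example, not Clearedin's code or the page's own: it flags messages whose From display name matches a listed executive while the address sits outside the company domain, plus lookalike sender domains and Reply-To mismatches. The company domain, roster, and sample messages are constructed for illustration.

```python
# Added example (not Clearedin's code): flags inbound mail whose From display name
# matches a high-risk executive while the address is outside the company domain,
# plus lookalike sender domains and Reply-To mismatches. The domain, roster and
# messages below are constructed for illustration.
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                    # assumed internal domain
HIGH_RISK_PERSONNEL = ["Jane Doe", "Ravi Patel"]  # constructed executive roster


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(raw: str) -> list[str]:
    """Return human-readable CEO-fraud indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Display name of an executive, but the mailbox is not on the company domain
    if _norm(name) in {_norm(n) for n in HIGH_RISK_PERSONNEL} and domain != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' matches an executive but sender is @{domain}")
    # Sender domain is a near-miss of the real one (typosquat / homoglyph)
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike domain @{domain}")
    # Replies would be routed to a different domain than the apparent sender
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply_to} points outside the sender domain")
    return findings


# Constructed sample messages: one genuine internal mail, one impersonation attempt
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Re: invoice\n\n(body omitted)\n"
SPOOFED = ("From: Jane Doe <jane.doe@examp1e.com>\nReply-To: jane.doe@mail-example.net\n"
           "Subject: Re: invoice\n\n(body omitted)\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, assess(raw) or ["no indicators"])
```

Such checks complement, rather than replace, the out-of-band phone verification the policy bullet above calls for.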
Clearedin is an anti-phishing solution that protects businesses through the use of a proprietary platform. Our phishing prevention software analyzes your company’s social and communications platforms (email, chat services like Slack, etc.) to create a business trust graph that identifies safe contacts based on contact names, message frequency, and a variety of other factors.