In the last three years, according to the FBI, CEO Fraud attacks have caused companies $26 billion in damages. This is an astronomical figure that, according to security experts, could grow further in the coming months. To defend themselves, companies must act on two fronts: put in place adequate IT tools and provide strict control procedures in business processes.
How CEO Fraud works
From a purely technical point of view, CEO Fraud is a scam based on the impersonation of the CEO or a senior executive by hackers. The ultimate goal is to send a fake communication that appears to come from the CEO to order a payment that will, of course, end up in their pockets. The starting point of the cyber criminals' attack strategy, in this case, is normally the theft of the victim's access credentials to communication tools (typically email), using spear phishing techniques or more "aggressive" attacks that exploit trojans capable of stealing usernames and passwords. Once they have secured the ability to use the victim's email account, the hackers are ready to strike.
CEO Fraud: the study phase
In order to carry out CEO Fraud, cyber criminals first carry out an analysis of the target. Their goal is to gain maximum credibility. With access to the email inbox, they can read all of the victim's correspondence and get an idea of the internal processes within the company: they can find out who is responsible for payments, learn about the procedures and also study the way in which communications between managers and employees take place. In this way they will know, for example, whether email exchanges use a formal or more "casual" tone, as well as recording information that may be useful in impersonating the victim without raising suspicion. Often, they also use this stage to choose the time to carry out the attack, for example, taking advantage of a vacation period when the CEO is hardly reachable.
The CEO phishing strategy
In planning the actual "hit," the criminals may adopt different tactics. In some cases they choose the simplest and most direct route: sending, in the CEO's name, a payment order that names a regular vendor as the recipient but contains artfully altered bank details, so that the payment ends up in the fraudsters' account. The risk of this strategy is that the employee may notice that the payment points to a different IBAN than usual and discover the scam. The alternative is to create more elaborate schemes that involve payments to entirely new payees. To add credibility, fraudsters often provide detailed supporting documentation and may even use telephone calls to lend the whole operation an air of legitimacy before arriving at the final "sting."
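The altered-IBAN tactic above is exactly what a payment control should catch before money moves. The following is an added example, not code from the original article: a small payment-order review that compares the IBAN on an order with the vendor master record, validates the IBAN checksum, and refuses to release the order without independent approvals. The vendor names, IBANs, approver identities and the two-approver policy are constructed assumptions.

```python
# Added example (not from the article): a payment-order control that
# cross-checks bank details against vendor master data and enforces
# independent approvals. All data below is constructed sample data.
from dataclasses import dataclass, field

# Hypothetical vendor master data: the IBAN on file for each known supplier.
# These are the well-known ISO 13616 sample IBANs, not real accounts.
VENDOR_MASTER = {
    "ACME Supplies Ltd": "DE89370400440532013000",
    "Globex Logistics": "GB29NWBK60161331926819",
}

REQUIRED_APPROVERS = 2  # assumed policy: two approvers other than the requester


def normalize_iban(iban: str) -> str:
    """Drop spaces and uppercase so 'de89 3704 ...' and 'DE893704...' compare equal."""
    return "".join(iban.split()).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A-Z to 10-35, and the resulting integer mod 97 must equal 1.
    A failing checksum usually means a typo, but it also catches sloppily
    fabricated account numbers."""
    iban = normalize_iban(iban)
    if len(iban) < 5 or not iban.isalnum() or not iban[:2].isalpha():
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


@dataclass
class PaymentOrder:
    vendor: str
    iban: str
    amount: float
    requested_by: str
    # Approvals recorded in the payment system itself; an e-mail saying
    # "please pay this today" never counts as an approval.
    approvers: set = field(default_factory=set)


def review_payment(order: PaymentOrder) -> list:
    """Return the reasons the order must be held; an empty list means release."""
    holds = []
    iban = normalize_iban(order.iban)
    if not iban_checksum_ok(iban):
        holds.append("IBAN fails checksum")
    on_file = VENDOR_MASTER.get(order.vendor)
    if on_file is None:
        holds.append("vendor not in master data; onboard via the vendor-change procedure")
    elif normalize_iban(on_file) != iban:
        # The classic CEO Fraud signature: known vendor, unknown account.
        holds.append("IBAN differs from vendor master record; confirm with the "
                     "vendor using a phone number already on file, not one in the request")
    independent = order.approvers - {order.requested_by}
    if len(independent) < REQUIRED_APPROVERS:
        holds.append(f"needs {REQUIRED_APPROVERS} independent approvals, "
                     f"has {len(independent)}")
    return holds


if __name__ == "__main__":
    suspicious = PaymentOrder("ACME Supplies Ltd", "GB29 NWBK 6016 1331 9268 19",
                              48_500.00, "alice", {"alice"})
    for reason in review_payment(suspicious):
        print("HOLD:", reason)
```

The important design choice is that the control keys on the vendor name and compares the account against data that the attacker cannot edit from a compromised mailbox; the out-of-band confirmation must likewise use contact details held in the master record, since a fraudulent order will happily supply its own "verification" phone number.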
Countermeasures to defend against CEO Fraud
The fight against CEO Fraud takes place on two levels. The first is preventive and relies on protection tools such as multi-factor authentication and on detection techniques (the most advanced are based on artificial intelligence and machine learning) able to identify spear phishing and malware-based attacks. Equally important, from this point of view, are tools that monitor access to the mailbox and detect anomalous activity, such as logins from foreign countries. The second level is still a matter of cyber security but is organizational rather than technical: it calls for awareness activities that sensitize managers and employees to the risk of CEO Fraud, and for policies and procedures that impose cross-checks on payment orders (for example, verifying suppliers' bank details) and require authorization from more than one person before a payment is executed.