“CEO Fraud” is a type of cyber scam where a company executive is impersonated in order to trick an employee into sending sensitive information or wiring funds. Increasing incidence of this scam together with its high success rate are cause for increased awareness and strong preventative measures.
How it’s done
Typically, in this attack, an employee will receive a forged note from “the CEO” or “the President” asking for a wire transfer, payments to an invoice or copies of employee W-2’s.
The attacker may use a combination of phishing, email spoofing, malware and other social engineering methods to make a fraudulent request seem as credible as possible.
This type of scam is surprisingly effective. While traditional Phishing operations tend to have an around-30% success rate, 90% of CEO fraud attacks result in actual transfer of money and/or valuable information.
Tax Season & W-2 phishing
A rising incidence of these types of attacks are being used to gain access to employee W-2’s, ostensibly to steal tax returns. Again, the success rate has been surprisingly high and so we should take necessary preventative measures.
Securing against “CEO Fraud” & Business Email Compromise
This exploit relies primarily on our own human error and trust; and so increased awareness and strong discernment is key to prevention. Here are some steps to take:
• Set strong, unique passwords on email accounts, PCs and other critical applications. Store them securely. (Penn recommends LastPass)
• Do not open attachments or click on links from unknown sources.
• Examine all links and attachments before opening them. Be weary of strange looking URLs and filenames.
• Enact strict policies requiring proper documentation and approvals before transferring funds or releasing sensitive information
• Require that large wire transfers be approved and confirmed verbally.
• When in doubt about the authenticity of a communication, contact us at firstname.lastname@example.org
More information on “CEO Fraud” can be found at https://www.knowbe4.com/ceo-fraud