How to Avoid the Risk of CEO & CFO Fraud | Spector

How to Avoid the Risk of CEO & CFO Fraud

CEO desk empty with a computer on top
Photo by Luke Chesser on Unsplash


CEO and CFO Fraud have been continuously hitting the news in the past few years. In one of the most well-known cases targeting a large enterprise, €47 Million was sent to a fraudulent account.

However, since last year, we have seen a fast-growing number of cases among Small and Medium Businesses. Cyber criminals and hackers have found that although these companies offer smaller gains, they are easier to trick and target due to weak Cyber Security and virtually no training.

Globally, these attacks are now costing over €200 Billion per year for SMEs.

This article will bring a detailed overview of this serious issue. If you want to learn more about it, make sure to check our Essential Guide on How to Avoid Identity Theft, available for free, or read our blogs on the subject linked at the end of this post.

Real-Life Examples

Recently we have witnessed a case in which a person was convinced to send €700 in gift cards to a fake CEO. If the criminal has the right email address and the right attitude, they may be able to persuade their targets to do the most incredible things.

In some exceptional cases, we have seen Cyber Criminals monitor an email account for weeks or months until an important supplier meeting was due to happen. When the time comes, they send an email to the CFO saying that the meeting was a success and asking for a money transfer to close the deal. The account details provided are the criminal’s, and they will quickly withdraw the money and disappear.

Businesses have lost millions already due to these practices, which can be avoided with basic Cyber Security training.

How does CEO Fraud Happen

The main thing all cases of CEO/ CFO Fraud have in common is the channel used for the attack: your email inbox.

Hackers will try to obtain access to the email account of the CEO or of an important member of the board with direct access to the Finance department.

They will then try to find a situation in which a money wire seems to make sense. As soon as the moment arises, an email will be sent to the Finance Director requesting a money transfer to a specific account. The authority of the CEO and the language used for these scams are vital in making it seem authentic.

Open web page with email inbox displayed - the main channel of attack
Photo by Austin Distel on Unsplash

How they will gain access to an account – and why an Antivirus can’t protect you

Cyber Criminals have several ways of obtaining access to an account and stealing an Identity, even if they don’t infect your machine with viruses or malware. We will give a brief explanation of the most common ways below:

  • Phishing Attacks: Cyber Criminals will often try to trick their targets into giving away their personal details or clicking on some link or attachment that will give them access to their machines. To learn how to spot one of these suspicious emails, read our article about it here.
  • Insecure Network Connections: Hackers often exploit public networks due to their vulnerable security settings. If you use one of these networks, avoid accessing work files or sharing confidential information. Your company network may also be an open door for Cyber Criminals if your settings are not correctly configured and your firewall is not continuously monitored.
  • Data Leaks: Cyber Criminals often find passwords on data breaches and leaks. If your company does not have a robust password policy, it is very likely that one of your employees or even yourself is using a password that has already been harvested. If that is the case, criminals can access your account straight away.
  • Password Cracking: Another technique often used by Hackers and Cyber Criminals is to go deep into a target’s social media networks to gain more data about them and attempt to crack their passwords or trick their partners using available information online. By going through old social media profiles, they can find old email passwords – which are often used as Recovery Emails and may be accessed by security questions. This form of attack is extremely targeted to a specific individual, and it works surprisingly well against some people.

To learn about all these in detail, read our Article on How Does Identity Theft Happen, which talks not only about CEO Fraud but also about other techniques used for Identity Theft.

In short, if hackers can access a computer or find a password, there is a high probability that they will be able to infiltrate that account.

There are also some cases in which Cyber Criminals may not even be able to access the real email account – they can simply create a fake email address using the target’s first and last name and pretend to be that person writing from a personal account. They will then request a money transfer to an account, claiming it is an urgent matter.

The fact that this form of scam continues to work shows that even if your accounts are secure, you may still be at risk of such frauds. Next, we will discuss the best way to make sure your business will avoid such troubles – and if you want to know whether your accounts are safe in the meantime, read Are you Cybersafe? Assessing your Personal Risk of Identity Theft.


The Best Defence: Training & Education

A solid Cyber Security strategy and tools will be enough to push back most Cyber Criminals, but some of them will persist and potentially trick your staff into falling for the CEO Fraud or the Invoice Fraud.

The most crucial step to avoid this ever happening to you is to educate your staff about this issue and adopt security measures to ensure they are secure and will not make any mistakes.

Man speaking on phone while checking computer - confirming if money-transfer request is not a fraud
Photo by Austin Distel on Unsplash

We recommend training courses or sessions, along with a foundation of policies and tools to facilitate this task. Some of the main topics to be addressed should be:

Email Protection:

Since your email is the primary channel used by Cyber Criminals, it has to be as secure as possible. It’s always a good idea to use an Email filtering tool, but even then you cannot shut your doors entirely as valuable prospects and partners may try to contact you via email.

For that reason, everyone in the business – from interns to board level – must be trained on Email security. The main points are always to verify the sender address, examine the language and tone, and never open suspicious links & attachments. These tips and more are explored in our article Top Tips to Identify a Suspicious Email.
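The three checks above (sender address, tone, and pressure to act) can be turned into a simple screening step that runs before anyone in Finance acts on a message. The script below is an added example written for this article, not a tool from Spector or from the original post: it parses an email, compares the sender against a company domain and an executive name list, and flags the patterns CEO Fraud relies on. The company domain, the executive names, the keyword lists and the three sample messages are all constructed for the illustration.

```python
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr

# Assumed values for the example; in practice these come from your own directory.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
PAYMENT_WORDS = ("wire", "transfer", "iban", "bank details", "gift card", "invoice")
URGENCY_WORDS = ("urgent", "asap", "immediately", "today", "confidential", "can't talk")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains (one or two characters off)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Collapse common homoglyph tricks (rn -> m, 0 -> o, 1 -> l) before comparing."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def assess_message(raw: str, company_domain: str = COMPANY_DOMAIN) -> dict:
    """Return the sender address and a list of CEO-fraud warning flags for one raw email."""
    msg = message_from_string(raw, policy=default_policy)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    flags = []

    # 1. Display name of a known executive, but the address is not on our domain.
    if display_name.strip().lower() in EXECUTIVES and from_domain != company_domain:
        flags.append("executive_name_external_address")

    # 2. Domain that is close to ours but not ours (typo-squat or homoglyph).
    if from_domain != company_domain and (
        normalise_domain(from_domain) == normalise_domain(company_domain)
        or edit_distance(from_domain, company_domain) <= 2
    ):
        flags.append("lookalike_domain")

    # 3. Reply-To steering the conversation to a different domain than the From header.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        flags.append("reply_to_mismatch")

    # 4. A payment request combined with pressure language.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        flags.append("urgent_payment_request")

    return {"from": from_addr, "flags": flags, "suspicious": bool(flags)}


# Constructed sample messages (not real correspondence).
SAMPLE_MESSAGES = {
    "legitimate": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "To: finance@example.com\n"
        "Subject: Board lunch\n\n"
        "Can we move the board lunch to Thursday?\n"
    ),
    "free_mail_impersonation": (
        "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
        "To: finance@example.com\n"
        "Subject: Quick favour\n\n"
        "I need you to process an urgent wire transfer today. "
        "Keep this confidential, I am in a meeting and can't talk.\n"
    ),
    "lookalike_domain": (
        "From: Jane Doe <jane.doe@exarnple.com>\n"
        "Reply-To: ceo.private@outlook.com\n"
        "To: finance@example.com\n"
        "Subject: Supplier deal closed\n\n"
        "Great meeting. Please transfer the deposit to the IBAN below immediately.\n"
    ),
}


def demo() -> dict:
    """Assess every constructed sample and return the results keyed by sample name."""
    return {name: assess_message(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A message that raises any flag is not rejected automatically; it is routed to the out-of-band confirmation step rather than acted on from the inbox. The homoglyph and edit-distance checks are deliberately loose, since a lookalike domain only needs to fool a human glancing at the header, not a parser.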

Strong Passwords:

A Strong Password Policy is of crucial importance in defence of your systems. Users must use strong passwords, change them regularly and never use work passwords on other accounts.

We have an article on some of the best password-creation techniques and tools to make your life easier and increase business security. It is available here – Your Business Needs Stronger Passwords. Learn How to Create and Manage them.

Elastic Protection:

Cyber Hygiene must be present not only in your work environment but follow you wherever you go. Mobile devices go everywhere with us and have a critical role in our lives. The same goes for companies adopting BYOD – Bring your Own Device – where employees use their personal devices for work. This trend means people have more ways of inviting malicious users into their work environment, and the company has much less control over these machines.

Businesses must utilise Mobile protection tools, be extra careful with insecure networks, and prepare procedures in case of device loss or theft. Encryption and remote wipe tools must be in place, and some level of education is required. We have an article with more details and relevant tips on BYOD, called: Embrace BYOD, but be smart about it.

Money Transfer Confirmation Policies:

Last but not least, even with all the right tools and procedures in place, there will be occasions in which a Cyber Criminal will be lucky or smart enough to bypass the main defences. When that happens, users must be ready and vigilant to make sure they are dealing with the right people.

One effective way of doing this is always to call or contact people asking for money transfers through another channel, to make sure they are aware of the request and actually made it. If a suspicious message arrives via e-mail, try reaching the person by phone – even a text message could do in most cases – or contact others who are close to them and informed of their plans.
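Written down as a rule that Finance can apply consistently, the confirmation policy above becomes: nothing requested by email is paid until the requester has confirmed it through a channel the company already trusts, and the contact details used for that confirmation come from the company directory, never from the message itself. The code below is an added example for this article, not a procedure or tool from Spector: it evaluates a transfer request against a vendor master file and a staff phone directory and says whether the payment can be released or must first be confirmed out of band. The staff numbers, vendor account, threshold and three sample requests are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory data; in a real business this comes from HR and the ERP system.
STAFF_PHONES = {"jane.doe@example.com": "+353-1-000-0001"}        # assumed number
VENDOR_ACCOUNTS = {"acme supplies": "IE00EXAMPLE0000000001"}        # placeholder IBAN
CALLBACK_THRESHOLD = 10_000.0                                       # assumed policy value


@dataclass
class TransferRequest:
    requester: str                         # address the request appears to come from
    beneficiary: str                       # vendor name quoted in the request
    account: str                           # bank account quoted in the request
    amount: float
    channel: str                           # "email", "erp_workflow", ...
    contact_number: Optional[str] = None   # phone number quoted inside the request, if any


def evaluate_transfer(req: TransferRequest,
                      staff_phones: dict = STAFF_PHONES,
                      vendor_accounts: dict = VENDOR_ACCOUNTS,
                      threshold: float = CALLBACK_THRESHOLD) -> dict:
    """Decide whether a transfer can be released or must be confirmed out of band first."""
    reasons = []

    # Beneficiary details are compared with what is on file, not with what the request says.
    known_account = vendor_accounts.get(req.beneficiary.lower())
    if known_account is None:
        reasons.append("beneficiary is not in the vendor master file")
    elif req.account != known_account:
        reasons.append("account differs from the one on file for this vendor")

    if req.amount >= threshold:
        reasons.append(f"amount {req.amount:.2f} is at or above the {threshold:.2f} call-back threshold")

    # A number supplied by the requester is never used for the confirmation call.
    if req.contact_number and req.contact_number != staff_phones.get(req.requester):
        reasons.append("contact number in the request does not match the directory; do not use it")

    # Email is the main CEO-fraud channel, so every email request is confirmed another way.
    if req.channel == "email":
        reasons.append("request arrived by email; confirm through another channel")

    number_on_file = staff_phones.get(req.requester)
    if reasons and number_on_file is None:
        reasons.append("requester has no directory phone number; escalate before paying")

    return {
        "release_payment_now": not reasons,
        "confirm_out_of_band": bool(reasons),
        "call_number_on_file": number_on_file,   # from the directory, never from the email
        "reasons": reasons,
    }


# Constructed sample requests illustrating three outcomes.
SAMPLE_REQUESTS = {
    "email_known_vendor": TransferRequest(
        "jane.doe@example.com", "Acme Supplies", "IE00EXAMPLE0000000001", 4_500.0, "email"),
    "email_changed_account": TransferRequest(
        "jane.doe@example.com", "Acme Supplies", "IE00ATTACKER000000009", 47_000.0, "email",
        contact_number="+44-000-0000"),
    "workflow_known_vendor": TransferRequest(
        "jane.doe@example.com", "Acme Supplies", "IE00EXAMPLE0000000001", 4_500.0, "erp_workflow"),
}


def demo() -> dict:
    """Evaluate every constructed request and return the decisions keyed by sample name."""
    return {name: evaluate_transfer(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point of the rule ordering is that the decision never depends on anything the attacker controls: the account on file, the directory phone number and the threshold are all set before the request arrives, so a convincing email with its own "call me on this number" line changes nothing.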

Stop CEO Fraud before it begins

As you may have noticed, this is a big topic full of nuances and points that can be deepened with further research. The best ways to safeguard your business and your accounts are to educate yourself and your staff, using whichever tools are appropriate to create new layers of security.

Identity Theft is the main reason for Financial Fraud. It is a growing and disturbing issue that requires immediate attention.

If you want to read a guide about all these topics with more detail in a single place, we have a Free Essential Guide to Avoid Identity Theft. Download it or share it and help us reduce the number of potential targets.

We are here to provide more information or help you build your own robust Cyber Security. Contact us, and we will be happy to assist.
