Social engineering is one of the most popular and oldest scam techniques that actually works. As we have already moved on to the cyber age, where our financial records, research and development data, social life or medical history exist online, it is really crucial that this kind of information does not fall prey to fraudsters. However, it does, frequently.
Fraudsters have turned their efforts toward the corporate and business world. In a recent case, a trading company was duped for $17 million by someone claiming to be its chief executive. In the not-so-distant past, Leoni AG in Germany was scammed for nearly 40 million Euros and FACC AG was duped for €52.8 million.
This is because the company’s financial information and employee information was easily available online. Employee names, email addresses and level in the corporate hierarchy was gleaned from online professional networks such as LinkedIn or Xing.de. When attackers are equipped with this information, they can target and attack the corporation.
Attackers know that urgent and confidential requests from a senior boss will make the responder act in a panic.
What is unique about CEO-Fraud attacks is their simplicity. Scammers use techniques to change the metadata of the email to make it look like an email that actually comes from within the company. In some instances, scammers hack the email accounts of senior professionals just to execute this scam.
The email usually makes an urgent request for money for a crucial reason, such as to close a business deal. The urgency factor limits the responder’s time of action and also puts the responder in a pickle since the email looks like it came from someone high up in the corporate hierarchy. Also, the email usually has a confidentiality factor (as mentioned in a report by Deloitte) which makes it even harder for the responder to ask around for help with regards to the email.
The reason why the fraud is so effective is that it does not require any sophisticated tools or pre-programmed bots that can be filtered away easily. All it takes is a good communication channel and an effective and convincing piece of text.
The target could be any company or organization.
The target audience of this kind of attacks can be medium or large organizations, where the hierarchical structure is big and complex.
An organization with 30,000-40,000 employees is more likely to have a complex hierarchical structure with many people in senior positions, thus creating a bigger pool of targets. In a small organization, employees can also be targeted because the company is fairly new and users have little knowledge about their own colleagues.
Startups in London were being targeted last year with the same trick to reveal confidential information or for money. Usually, mid-level employees who had financial information, authority to execute transactions and various senior managers above them were targeted.
Reported scams of this nature have dated back to year 2013 and are believed to have started in Europe. The trend has spread on to the world, hitting some big organizations in U.S and Europe combined.
Lately, some of European nations have come under attack by the CEO Fraud or Boss Scam. A recent report states that 10% of the fraud cases in France were because of social engineering, with the fraudsters claiming to be CEO of the company. The scams have cost organizations almost $2.3 billion, according to the IC3 report by the FBI.
In 2015, the toy-maker Mattel lost $3 million and the company Ubiquiti suffered a reported loss of $46 million due go the CEO-Fraud Scam. The attacks have increased by 270 percent during the first quarter of the year in 2016.
Preventive measures are the solution, as suggested by the FBI report. Organizations need to take cautious efforts to inform employees about different kinds of attacks and the methodologies used in IT security to prevent them. These include:
- Any financial transaction above a certain amount should have a multi-person, multi-factor authentication requirement.
- Before performing any big transaction, people should be instructed to always verify the receiver with a phone call.
- Strict password policies should be enforced for corporate emails to prevent email hacking.
- Employees should be instructed to not respond in haste, no matter what the urgency is; especially when it comes to financial transactions.
- Organizations should impose policies regarding use of corporate email address for non-private use.
This will help organizations stay safe against the rising threat of CEO Fraud.
Mohamed Junaid Shaikh is a cybersecurity consultant at CSC. With experience in diverse fields of IT, he understands the importance of IT security in this ever-advancing world of technology. With the help of knowledge gained through his educational background and practical experiences, he developed a unique combination of management and IT skills.