CEO Fraud is a very simple and effective cyber attack that can cause significant business losses
CEO Fraud couldn’t be simpler. There’s no malware to write and no malicious code or links to implant. It’s a text only email, plain and simple – but it’s the social engineering that makes it work.
Due to its simplicity, these spoofing attacks are one of the fastest growing forms of cyber crime. During the period from Oct. 2013 to April 4, 2016, the FBI reported losses due to this kind of attack total a record $2.3 billion.
In this episode I talk about:
- Exactly what is CEO Fraud
- 3 Specific scenarios
- How to protect yourself and your business
Welcome to the Jason Clause Show. I'm Jason Clause, your host, and today we're talking about, as always, good ideas for busy managers. Welcome to the show everybody. My name's Jason Clause. I'm your host, and this is the Jason Clause Show. It's a podcast dedicated to finding and sharing good ideas with Bay Area busy managers. My experience is the best managers out there, they're idea collectors. They're always on the lookout for great ways to lead their team, to build culture, to motivate people, to help their organizations get from where they are to where they want to be. And that's what this show is about. It's about finding those ideas and sharing those ideas. We have a great episode for you today. We're gonna be doing a short one, and we're gonna be talking about a topic called CEO fraud. It's a cyber-security topic, and this is the first in a series that we're gonna be doing aimed at trying to raise the cyber safety or the cyber-security fluency for the Bay Area. For the San Francisco East Bay specifically, and for our teams. And we're gonna get into this topic right after this.
The Jason Clause Show's brought to you by Endsight. Computer problems are expensive and frustrating. They're also almost always avoidable. You deserve a better computer experience. Trust Endsight to deliver it. To check out what Endsight is doing go to www.endsight.net and pay us a visit.
All right. Welcome back, so I've actually started reading a newsletter that's put out by an organization called SANS. I'm gonna leave a link to them in the show notes, but this is a newsletter that I read about CEO fraud. It's written by a gal named Angela Pappas. She's the director of information security training at Thomson Reuters. In her role she's responsible for their ambassador program, e-learning, educating employees, and helping them understand topics that pose a significant risk. So I'm gonna include a note in the show notes to this newsletter also. You can also find it on the LinkedIn group, and you can get to the LinkedIn group from the Jason Clause website. That address is www.jasonclause.com.
So CEO fraud is also known as business email compromise, and basically what it is is a cyber bad guy impersonates the CEO or another senior executive at the company in an email that's sent to one of the team members. The whole goal of this is to create a whole bunch of urgency, and rush the victim of this attack into making a mistake. Transferring money to an account that it should not be transferred to, disclosing employee personal information that'll be used later, or disclosing sensitive corporate information. When it comes right down to it this is a very unsophisticated attack technically, but a very sophisticated attack from a social engineering perspective. Most commonly CEO fraud takes on the form of a spear phishing attack, and to describe spear phishing we probably should start with phishing, and that's P-H-I-S-H-I-N-G. So phishing is when an attacker sends out a generic email to millions of people, like casting a net out into the ocean. The goal is to try to trick them into doing something.
Opening an infected attachment, or visiting a malicious website, or like in the case of WannaCry that was an email that got sent out asking people to click on something. Spear phishing, by comparison, is where an attacker sends a very customized email that's targeted at a very small, select number of people. So the attacker has done some research. They've been on social media sites like LinkedIn or Facebook, and they've used that to craft a message that looks very real. So the email that the victim receives is extremely realistic, and it's hard to tell the difference between that and an authentic email. It often appears to come from someone that the victim knows. Typically, in this scenario, it comes from their boss, or one of the senior executives, or the CEO. Hence, CEO fraud. The emails may use industry related jargon, and more often than not they're going to try to create a tremendous amount of urgency. Again, trying to create an opportunity for the victim to make a mistake.
There are three sort-of common scenarios, or three big buckets that these types of attacks fall into. So there's a wire transfer, and in a wire transfer the cyber bad guy, he's after money. So that person's gonna target a victim in accounts payable or finance, and then send an email pretending to be the target's boss. And the email is going to say there's an emergency, and you must transfer money right away to this account. So that's the wire transfer scenario. This isn't new by the way. Con men have been using the phone to do this for years, decades.
Second scenario is tax fraud. So the cyber bad guy's after employee personal information, and then will use that information later to, for example, submit a fraudulent tax return. So in this scenario the attacker's going to target human resources, and send an email pretending to be an executive, or the CEO, or someone from legal, and demand certain documents immediately. It must be turned over, or there's some sort of penalty or consequence. Again, creating an artificial sense of urgency.
The third big bucket is attorney impersonation, and this one's a little bit different from the tax fraud one, or the wire fraud one, in that the cyber bad guy, that person, is after sensitive corporate information, could also be after tax information, but they send an email pretending to be a senior leader advising that an attorney's going to call about an urgent matter. So it leverages sort-of the credentialed sort-of introduction that human beings, we're kinda naturally wired to know, like, and trust the people that know other people that we know, like, and trust. So the attacker calls pretending to be an attorney, and again, creates a great sense of urgency around getting access to some sort-of sensitive information. Usually that urgency is associated with getting sued, or there being some sort-of negative legal action that's going to occur if the victim doesn't comply. So those are the three big sort-of buckets. Wire transfer, tax fraud, and attorney impersonation, excuse me.
So what do we do about it? I think at a broad level I learned a long time ago that as an employee, as a team member I am not always gonna do the exact right thing, but I can know my policies. I can know the ins and outs of my job, and I can try to be the best that I can to always try to do the right things. So I've got a great quote that a manager from a long time ago gave to me. It's "I can't always do things right, but I can always try to do the right things." And this in and of itself is not a counter measure for cyber-security or for cyber safety. This is more a thematic thing that I find that when we talk about this with our teams and help them understand that the expectation is not for you to be Superman. The expectation is not for you to knock it out of the park every single time, and to accept the fact that we're human, and we fail, and make mistakes, and that's okay.
I remember the other story that I was told about there's two executives that get together, and one of the executives says, "Yeah, one of my employees made a mistake. It ended up costing me $10,000," and the other executive said, "Well, did you fire him?" And the first executive says, "No, it just cost me $10,000 to teach him never to do that again." I think that's the sort-of attitude to take towards training as it relates to cyber safety. Specifically to protect ourselves from CEO fraud because it's a socially engineered attack there's really not gonna be any code in the email that's gonna trigger some sort-of technical counter measure that your IT team has put in place, or that your provider has put in place. This is really more about the team being aware of something like this. So a great start might be to forward this podcast to your whole team, and say, "Hey, this isn't that long. Just give it a listen."
But here are some things to look for. Be aware and look for cues that might raise a flag, and say, "Hey, this just isn't right." So the first one, if the email is creating urgency, unreasonable urgency, that should be a sign. If there's copy in there that's saying, "We need to keep this secret," that's a sign. If the signature isn't quite right, or the email, or the phone number isn't the one that you're used to seeing from your CEO, or from your boss, that's a sign. If the tone of the email just doesn't seem right. If that just doesn't sound like the person that you're used to working with, that's a flag. Maybe using an unfamiliar name, or nickname, or something like that that hasn't been used previously.
So those are all things to be thinking about. It's difficult, right? The first trigger needs to be, "Okay, I need to do something right away," because we all want to be good at our job we're kinda naturally inclined to want to comply. We need to retrain ourselves, or re-think about that, or be a little bit more disciplined, and say, "Wait a minute. Why does this have to happen right now?" When in doubt one of the best ways to sort-of sort through this is to just pick up the phone, and I know that's very difficult, right? That's one of the things that we just, in our business climate these days, we just don't want to do that, but it's also a very quick, clear way to try to sort through.
The other thing, if you're using one of the instant messaging tools, maybe like Lync for example, that might be a great way to reach out first before doing anything. And I think lastly, I think we all need to scrutinize any attempt from anybody to bypass our security policies and procedures. From a leadership perspective, our leaders need to really resist the desire to just get it done. To just, "Okay, those are the rules but we can break the rules." Maintaining and adhering to your security policies, that's really, really important. That consistency is a guide, and can help protect the business.
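The cues the episode lists (unreasonable urgency, a request for secrecy, a sender address or name that isn't the one you usually see from your executive, a request for money or employee tax data) can also be checked mechanically before a message lands in a busy inbox. The script below is an added example, not code from the podcast, from Endsight, or from the SANS newsletter it cites; the company domain, the executive directory and the two sample messages are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values: the organisation's real mail domain and a directory of
# executives whose names are likely to be impersonated (constructed).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Pat Chen": "pat.chen@example.com"}

URGENCY = ("right away", "immediately", "urgent", "asap", "before end of day")
SECRECY = ("keep this confidential", "keep this secret", "don't tell", "do not discuss")
PAYLOAD = re.compile(r"\b(wire|transfer|w-?2s?|tax forms?)\b")

def _plain_text(msg):
    """Return the text/plain body of a parsed message, lower-cased."""
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
        raw = parts[0].get_payload(decode=True) if parts else b""
    else:
        raw = msg.get_payload(decode=True) or b""
    return raw.decode("utf-8", errors="replace").lower()

def bec_flags(raw_email):
    """Return the list of CEO-fraud cues found in one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = _plain_text(msg)
    flags = []
    # The display name is an executive's, but the address is not the one on file.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        flags.append("executive name with unfamiliar address")
    if addr and not addr.lower().endswith("@" + COMPANY_DOMAIN):
        flags.append("sender outside company domain")
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("reply-to differs from sender")
    if any(k in body for k in URGENCY):
        flags.append("urgency language")
    if any(k in body for k in SECRECY):
        flags.append("secrecy language")
    if PAYLOAD.search(body):
        flags.append("asks for money or employee tax data")
    return flags

def is_suspicious(raw_email, threshold=2):
    """Escalate when two or more independent cues appear (threshold is an assumption)."""
    return len(bec_flags(raw_email)) >= threshold

# Constructed sample: a lookalike domain, urgency, secrecy and a wire request.
SAMPLE_FRAUD = """From: Pat Chen <pat.chen@examp1e-mail.com>
To: ap@example.com
Subject: Quick favor

I'm in meetings all day and need you to wire $48,500 to the vendor account below right away.
Keep this confidential until the deal closes, I'll explain later.
Pat
"""
```

Run `bec_flags(SAMPLE_FRAUD)` to see which cues fired; a message that trips several at once is the one to verify by phone before acting.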
So that's all I've got for us today. Like I said, this is a short one, and if you enjoyed this, and you feel like it was valuable I'd really encourage you to forward this along to your team. I'm looking at the time, it's under 13 minutes, and you can expect more of these. I'm gonna try to do a few more of these short-format episodes, and again the goal here is to, over time, through repetition help increase the cyber-security fluency for all of our organizations.
If you feel like this was a good use of your time I'd really appreciate it if you could head over to iTunes and maybe leave a review. That would be great. As I mentioned before, the best compliment you could pay me would be to forward this along to somebody that you think can use it. That would be awesome. Our next episode's gonna be over the next couple of weeks, it will be on another short-format cyber-security topic. Something that's real compact, just a concept for us to be thinking about. Until next time I hope my good friend Jesus blesses you with wisdom in your spirit, peace in your heart, and a lot of laughter in your belly. Take care now.