Ubiquity Networks — a US manufacturer — recently fell victim to CEO fraud and lost $46,7M. Unfortunately, that’s not uncommon. CEO phishing is on the rise and has caused more than $2Bn in company losses since 2013. What exactly is it about exactly? How can you effectively protect your organization against it? Keep reading to find out!
Trustpair blocks the effects of CEO scams through phishing emails by continually monitoring vendor information. Each payment is checked before being processed. Request a demo to learn more!
What are the red flags to detect this kind of phishing?
To the untrained eyes, CEO phishing can be hard to detect. Here are some of the warning signs that you’re being targetted by executive phishing and whaling:
- The request comes from a high-level executive. Fraudsters impersonate members of management or the board because they carry natural authority and have decision power. They pretend to be the CEO, or even the CFO, or COO of your company.
- It’s a big ask. The sender asks you to wire some money to a dedicated account or to answer back revealing some otherwise confidential information (like your business’ bank account number, or some employee’s details). Something that your employee would know not to do if it were asked by anyone else.
- Urgency is instilled in the message. Scammers enhance the pressure on their victims by saying it needs to be done by a certain date “or else”. They’ll either allude to being displeased (which puts the employee’s job on the line) or that the business would lose a “strategic deal”. With heightened emotions, the targetted employee thinks less about the danger of what they’re doing.
- Something feels off. Maybe there is a typo in the email address (which is a sign of spoofing), or maybe the tone or wording used is a bit off. If you’re picking up some weird vibes, it’s better to pause and ask someone else’s opinion before proceeding.
While these are common red flags of CEO fraud, each fraudulent attempt is different. This can happen through emails, phone calls, or even text messages.
It’s important to keep those key elements in mind while being aware that schemes are ever-changing. That’s what makes it difficult to prevent them — scammers also strive to improve their work!
What are the best measures to block CEO phishing attacks?
CEO phishing whaling (targetting “big fishes” ie whales ie CxO) can, fortunately, be prevented. Here’s what you need to implement to protect your business against this risk:
Strong safety protocols
Every business has its own set of protective measures against cyber attacks. But protecting yourself against social engineering techniques — where human vulnerabilities are exploited — is different.
Here’s what we recommend:
- Display the sender’s email address with a warning if it comes from outside your organization. This way your employee will be able to see at a glance if this person really belongs to your company or if they’re using spoofing. Of course, it doesn’t work if your CEO’s email account has been hacked, but it still provides a good first layer of protection.
- Split your key operations among different employees. The more people are involved, the harder it is for fraudsters to be successful in their scams. That’s called the segregation of duties principle.
For example, you can have one employee who receives invoices, another who checks their validity, and a third who approves payment transfers.
Cybersecurity awareness
To be protected against spear phishing you need to invest in your first layer of defense: your employees.
Provide regular and ongoing security awareness training to your teams so they know how to spot the signs of fraud like:
- Email compromise,
- Spoofed domain,
- Phishing emails,
- Social engineering techniques,
- Your CEO emailing them out of the blue.
Your HR and accounting/financial teams should receive the most training, as they’re the ones usually targeted by CEO fraud attacks.
While raising cybersecurity awareness is necessary, it’s unfortunately not enough to be adequately protected. Even with the best training, your employees are still human and therefore, fallible.
Anti-fraud software
So, what’s the best way to prevent CEO fraud (as well as other social engineering attacks) from happening? Anti-fraud software.
Solutions like Trustpair block the effects of third-party fraud. Let’s say a cybercriminal manages to breach your security and an employee is about to send them a fund transfer.
Before that happens, our solution would use 3-way matching of their bank account details, verifying:
- The bank account exists and is valid,
- The account holder’s name,
- Both pieces of information match.
Trustpair would detect that the name on the account doesn’t match the one on your master file, raise the alert, and block the transfer before it’s sent.
For increased cybersecurity, those checks are done continuously and in real-time. We have access to hard-to-reach databases that allows us to check US as well as overseas bank account.
Trustpair completely eradicates the risk of third-party fraud (through close phishing or else). In fact, we have a 100% success rate with our clients.
CEO scam through phishing: how does it work?
While every scam is different — making it harder to detect — there is a general process followed by fraudsters who commit CEO fraud phishing:
- A fraudster impersonates your CxO (CEO, CFO, or another top executive) and sends an email, text message, or even makes a phone call to one of your employees. In emails, they’ll either use a similar email address or hack into the real one, making it harder to detect.
- They make a request incorporating a high-pressure element. There is a sense of urgency or a general threat looming over the head of the recipient. The more pressure, the more the potential victim is likely to complete the request. Some scammers send several emails with increasingly strong wording.
- The victim makes a transfer to their fraudulent bank account, and the scammer disappears. Or, they might come back and ask for a second transfer. They’ll keep using the information and access they have to steal money from your company as many times as they can.
Scammers use a similar process for other types of Business Email Compromise (BEC) like vendor fraud or invoice fraud
Learn all about payment fraud in our latest fraud report!
Examples of phishing emails
When it comes to CEO phishing email examples, there are plenty to choose from! Here are a few of the most infamous cases (that we know of):
- Ubiquity Networks is a US manufacturer of wireless products. They fell victim to whaling phishing when a fraudster sent an email asking to transfer a total of $46,7M to overseas bank accounts. Fortunately, they caught the fraud in time and were able to get $8M back — which is only about 1/6th of the amount, but better than nothing still.
- AFGlobal Corp makes various products for the oil, gas, and aerospace industry. In 2014, their Director of Accounting received an email asking him to wire $480K to an international account.
The instructions that were (seemingly) coming from the CEO were clear. He was to wire the money, and speak about this to no one else, and it took precedence over other matters. That’s what he did. When the fraudster came back with another request — this time of $18M, the victim realized something was amiss. When trying to get the wire transfer reversed, however, it was too late: the bank account had been emptied and the scammers were long gone.
- In 2016, Millennial-led company Snapchat also fell victim to CEO phishing fraud. One of their HR employees received an email from their CEO asking to disclose payroll information from their past and current employees. He obliged. Fortunately, they reacted quickly and reported the phishing scam to the FBI within 4H. While the company didn’t suffer any direct financial damage, its reputation took a hit. They also paid for two years of identity theft coverage for the employees whose data was revealed.
This kind of email attack leads to direct and indirect financial losses. Companies who fall victim to fraudsters also have their name muddied, as it shows poor fraud protection.Using Trustpair offers you complete peace of mind. We eradicate the risk of third-party fraud, ensuring you always know who you send money to.
Key Takeaways:
- Companies around the world have lost billions to CEO fraud. It’s important to set up cyber security measures and invest in training to prevent it — but it’s not enough.
- The best way to protect yourself against fraud is by using Trustpair. We block any suspicious transaction so you always know who you’re sending money to.