You’re a financial controller. You get an email from your CEO (who’s abroad on business) addressing you by your first name, apologising for the email late on a Friday, but requesting you urgently make a payment to a trusted regular supplier, with account details helpfully provided in the email to save time. You’d pay it, right?
CEO fraud is an increasingly common type of phishing attack, where a threat actor impersonates a senior executive, and attempts to coerce an employee into transferring funds or personal information to the attacker’s account. The average cost of a CEO fraud attack has risen to £35,000, with one company being fleeced out of £18.5 million because of one unsuspecting financial controller[1].
But how do they keep getting away with it?
It’s all in the research
Attackers’ research is nothing short of meticulous. They scope out your CEO online, hunting through your company’s website, social media, and professional networking sites to learn all they can about that person – what they do, who they know and work with, their style of writing, and even when they’re travelling for work or on holiday. Threat actors will also thoroughly research your company, the way the company does business, and your key suppliers and customers. The more they know, the more believable their attack will seem.
“The adoption of fluent business terminology, industry knowledge and personal references from social and professional networking sites have made the deception associated with business email compromise (BEC) attacks difficult to uncover until it is too late.”[2]
Urgent emails get straight through to your inbox…
CEO fraud doesn’t rely on malicious payloads or sinister links, meaning the offending email goes unnoticed by anti-virus software and spam guards. It just looks like another email from someone within your company, without any malware attached.
… and appear to be from the real person’s email account
Threat actors create a spoof of your CEO’s email account which, at a glance, looks genuine enough – for example, changing john.smith@company.com to john.smith@compnay.com. Even more convincingly, attackers use advanced techniques such as Punycode[3] to create spoof domains where the characters in the email address look identical to the naked eye. The result? The email you receive from this domain looks like the real thing, from the real person.
You’re the right person for the job
There’s little point requesting someone to make a wire transfer who isn’t authorised to do so. As part of their research, attackers will find out who’s authorised to make transfers or change account details, and they’ll target that person. In 2017, Dublin Zoo fell victim to such an attack, where cyber criminals intercepted genuine invoices, changing payment and account details, so the attackers got nearly USD $600,000[4].
But it’s not always the finance department that gets targeted – threat actors can also request personally identifiable information (PII) from your HR team, such as tax information, which can be used for further attacks. For a quicker payday, an attacker can email the HR department requesting to change the account their salary gets paid into (diverting money to the attacker’s account). Again, it’s in line with what the target does, and isn’t too unusual a request for an employee to make.
What can be done about it?
Gartner claims “there is no technological second security layer for impersonation attacks” and “current email security does not provide users with any indicators of the trust they can put in emails”[5]. While this may be true for the majority of email security providers, CORVID Email Protection provides both.
Our comprehensive solution includes a VIP module, which checks for impersonation attacks and CEO fraud – a company’s VIPs are registered in the system, so it can tell users if emails claiming to be from known VIPs actually are. It also checks for those pesky Punycode spoof domains, which are otherwise undetectable. A simple traffic light banner at the top of each inbound email allows users to clearly see whether or not an email is genuine. If an email is not from the VIP it claims to be from, the banner will display a warning message, so the user instantly knows not to trust it.
Ready to sort your email security? Speak to our experts
Gartner's report recommends that security and risk managers should "consider business email compromise protection mandatory in phishing solutions"[6]. CEO fraud is on the rise – get ahead of the attackers by taking a more proactive and technological approach to your email security. CORVID’s Email Protection solution is simple to install and provides immediate protection, without costly or complicated setup. Curious about the difference it can make? Get in touch with our experts to find out.
Footnotes
More CORVID blog posts
Four questions you need to answer after a cyber attack
Cyber attacks are inevitable, but it’s how you deal with them that can make or break your business. Have you got all the answers, and do you fully understand their implications? Can you be sure ...
Is email security training a waste of your time?
Given the volume of high-profile cyber attacks making headlines, it’s little wonder the government is urging organisations to step up their cyber security training[1]. But can user ...
Why your most trusted employee could be your biggest threat
95% of cyber security breaches are due to human error[1]. It could be you. The best bit? You probably won’t even know you’re doing something wrong. You have inadvertently just become an ...
