You’re a financial controller. You get an email from your CEO (who’s abroad on business) addressing you by your first name, apologising for the email late on a Friday, but requesting you urgently make a payment to a trusted regular supplier, with account details helpfully provided in the email to save time. You’d pay it, right?
CEO fraud is an increasingly common type of phishing attack, where a threat actor impersonates a senior executive, and attempts to coerce an employee into transferring funds or personal information to the attacker’s account. The average cost of a CEO fraud attack has risen to £35,000, with one company being fleeced out of £18.5 million because of one unsuspecting financial controller[1].
But how do they keep getting away with it?
It’s all in the research
Attackers’ research is nothing short of meticulous. They scope out your CEO online, hunting through your company’s website, social media, and professional networking sites to learn all they can about that person – what they do, who they know and work with, their style of writing, and even when they’re travelling for work or on holiday. Threat actors will also thoroughly research your company, the way the company does business, and your key suppliers and customers. The more they know, the more believable their attack will seem.
“The adoption of fluent business terminology, industry knowledge and personal references from social and professional networking sites have made the deception associated with business email compromise (BEC) attacks difficult to uncover until it is too late.”[2]
Urgent emails get straight through to your inbox…
CEO fraud doesn’t rely on malicious payloads or sinister links, meaning the offending email goes unnoticed by anti-virus software and spam guards. It just looks like another email from someone within your company, without any malware attached.
… and appear to be from the real person’s email account
Adversaries create a spoof of your CEO’s email account which, at a glance, looks genuine enough – for example, changing john.smith@company.com to john.smith@compnay.com. Even more convincingly, attackers use Punycode[3] (the encoding behind internationalised domain names) to register spoof domains whose characters look identical to the real domain’s to the naked eye. The result? The email you receive from this domain looks like the real thing, from the real person.

You’re the right person for the job
There’s little point requesting a wire transfer from someone who isn’t authorised to make one. As part of their research, attackers will find out who’s authorised to make transfers or change account details, and they’ll target that person. In 2017, Dublin Zoo fell victim to such an attack, in which cyber criminals intercepted genuine invoices and changed the payment and account details, netting the attackers nearly USD $600,000[4].
But it’s not always the finance department that gets targeted – threat actors can also request personally identifiable information (PII) from your HR team, such as tax information, which can be used for further attacks. For a quicker payday, an attacker can email the HR department requesting to change the account their salary gets paid into (diverting money to the attacker’s account). Again, it’s in line with what the target does, and isn’t too unusual a request for an employee to make.
What can be done about it?
Gartner claims “there is no technological second security layer for impersonation attacks” and “current email security does not provide users with any indicators of the trust they can put in emails”[5]. While this may be true for the majority of email security providers, PERNIX provides both.
Our comprehensive solution provides over 12 fraud detection and content checks, including a VIP module that checks for impersonation attacks and CEO fraud – a company’s VIPs are registered in the system, so it can tell users whether an email claiming to come from your CEO or another known VIP really does. It also checks for those pesky Punycode spoof domains, which are otherwise undetectable. A simple traffic light banner at the top of each inbound email allows users to clearly see whether or not an email is genuine. If an email is not from the VIP it claims to be from, the banner will display a warning message, so the user instantly knows not to trust it.
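To make the checks described above concrete (the lookalike and Punycode spoof domains from the earlier section, and the registered-VIP check behind the traffic light banner), here is an added, self-contained Python example. It is illustrative code written for this post, not PERNIX’s or CORVID’s implementation, and it assumes a constructed organisation domain (company.com) and VIP list; the Punycode sample domain is built inline by swapping the Latin “a” in company.com for a Cyrillic one.

```python
"""Traffic-light classification of an inbound From: header.

Hypothetical example code, not the product's implementation. It flags three things:
  1. a display name registered as a VIP whose address is not that VIP's,
  2. a Punycode (xn--) or mixed-script domain that decodes to a lookalike,
  3. a plain typosquat a couple of edits away from the organisation's domain.
"""
import email.utils
import unicodedata

# Constructed example data: the organisation's own domain and its registered VIPs
# (display name, casefolded -> the VIP's genuine address).
ORG_DOMAIN = "company.com"
VIPS = {"john smith": "john.smith@company.com"}

# Constructed Punycode lookalike: company.com with the Latin 'a' replaced by Cyrillic U+0430.
PUNYCODE_LOOKALIKE = "comp\u0430ny.com".encode("idna").decode("ascii")


def decode_domain(domain: str) -> str:
    """Return the Unicode form of a domain: 'xn--' labels are Punycode-decoded,
    plain ASCII and already-Unicode domains come back unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def scripts_in(label: str) -> set:
    """Unicode scripts (first word of each letter's character name) used in one label,
    e.g. {'LATIN', 'CYRILLIC'} for 'comp\u0430ny'."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; 'compnay.com' is 2 edits away from 'company.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str) -> tuple:
    """Return (verdict, reason): 'green' for a genuine VIP or internal address,
    'red' for an impersonation indicator, 'amber' for an ordinary external sender."""
    name, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    _, _, raw_domain = addr.rpartition("@")
    domain = decode_domain(raw_domain)

    # 1. The display name belongs to a registered VIP, so the address must be that VIP's.
    vip_addr = VIPS.get(name.casefold())
    if vip_addr and addr != vip_addr:
        return "red", f"display name {name!r} is a registered VIP but the sender is {addr}"

    # 2. Punycode / homograph: the decoded domain contains non-ASCII letters.
    if any(ord(ch) > 127 for ch in domain):
        mixed = [lbl for lbl in domain.split(".") if len(scripts_in(lbl)) > 1]
        detail = "mixes scripts within one label" if mixed else "uses non-ASCII characters"
        return "red", f"domain {raw_domain} decodes to {domain!r} and {detail}"

    # 3. Typosquat: a few edits away from the organisation's own domain.
    dist = levenshtein(domain, ORG_DOMAIN)
    if 0 < dist <= 2:
        return "red", f"domain {domain} is {dist} edit(s) away from {ORG_DOMAIN}"

    if vip_addr or domain == ORG_DOMAIN:
        return "green", "sender address matches the registered VIP / internal domain"
    return "amber", f"external sender {addr}: verify payment or account-change requests out of band"


if __name__ == "__main__":
    # Constructed sample headers, one per scenario described in the post.
    samples = [
        '"John Smith" <john.smith@company.com>',
        '"John Smith" <john.smith@compnay.com>',
        "Accounts <accounts@compnay.com>",
        f"Jane Doe <jane@{PUNYCODE_LOOKALIKE}>",
        "Supplier <billing@example.net>",
    ]
    for header in samples:
        verdict, reason = classify(header)
        print(f"{verdict.upper():5}  {header}\n       {reason}")
```

The verdict is meant to drive a banner, not to replace message authentication: a green result for an internal-domain address only means the header looks right, so in production the check should sit behind SPF/DKIM/DMARC validation, and the homograph rule needs an allow-list if you legitimately correspond with internationalised domains.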

Ready to sort your email security? Speak to our experts
Gartner's report recommends that security and risk managers should "consider business email compromise protection mandatory in phishing solutions"[6]. CEO fraud is on the rise – get ahead of the attackers by taking a more proactive and technological approach to your email security. PERNIX is simple to install and provides immediate protection, without costly or complicated setup. Curious about the difference it can make? Get in touch with our experts to find out.