CEO fraud is a type of spear phishing attack in which a hacker impersonates a CEO via email and persuades a victim to perform a transaction, typically financial. One of the costliest email attacks, CEO fraud is a form of business email compromise, which cost US businesses $1.7 billion in 2019.
CEO fraud can range from gift card scams to wire fraud, with millions of dollars being routed to a hacker’s bank account, often long before the business realizes what’s gone wrong. To increase their chances of success, hackers employ a number of tactics, some of them technical but most involving psychological manipulation.
Gift card scams are among the simplest to execute and most difficult to trace. This makes them among the most widespread spear phishing attacks in the wild and one that offers an immediate ROI.
Posing as a CEO, a hacker will typically claim they’re in a meeting and urgently need to purchase gift cards for a client. Often, the hacker will claim the gift cards are a surprise for employees, manipulating the victim into keeping the request a secret. In the mind of the victim, failing to come through could result in embarrassment for or disappointment from the CEO. This creates intense pressure for the victim.
The most successful business email compromise attacks feature carefully crafted spear phishing emails. But what really makes them successful is the identity and influence of the purported sender. The average user might think twice about purchasing gift cards for John in accounting, but if the request comes from the CEO, the victim is more likely to respond and quickly.
Many victims of CEO fraud previously had little to no contact with the CEO. It’s easy to blame the victims in these cases and say they should have known better. In reality, that lack of contact makes the victim more susceptible to the fraud, because the email catches the victim off guard. When the financial request is the first ever communication between victim and CEO, the victim will feel not only pressure but also a desire to please.
Pretexting and social engineering
Many victims are not accustomed to communicating with the CEO. They’re unfamiliar with the CEO’s communication style and habits—what the CEO would or wouldn’t say or do. The real CEO might never engage in such a conversation or make such a request, but the victim doesn’t know that, and it gives the hacker an advantage.
A common tactic in social engineering, pretexting opens a line of communication between the hacker and the victim, easing the victim into the request. It also allows the hacker to set expectations (Don’t tell anyone about this; it’s a surprise) and serves as intelligence gathering, providing the hacker with additional information that could help them succeed.
In some cases of CEO fraud, a hacker will email the victim multiple times leading up to the ultimate request, checking on their progress, ensuring that no one else is aware of the transaction, and applying more pressure until the transaction has been completed.
Sending emails from mobile devices
CEOs are busy people. It’s not unusual to receive an email from an executive who is out of the office, at an event, visiting with a client, or even out of the country. Sending spear phishing emails via a mobile device helps the hacker create the impression that the CEO is away from their office. This benefits the hacker in several ways.
First, it helps the hacker create the illusion that the CEO is out of their element, possibly without their laptop, and needs assistance. Second, it gives the hacker wiggle room to make mistakes with respect to the email—grammar and spelling mistakes are common and forgivable (to an extent) on mobile devices.
Finally, it increases the chances of the spoofed email being overlooked. If the hacker spoofs the CEO’s name but not the corporate domain, it’s reasonable for the victim to believe that the CEO made a mistake and sent the email through a personal account.
Relatively new to the realm of business email compromise, deep fakes have proven to be both highly effective and extremely costly. Better yet (for the hacker), there are a variety of artificial intelligence-based tools on the market that a hacker can use to mimic a CEO’s voice.
According to The Wall Street Journal, in 2019, a CEO of a UK energy company received a call from the chief executive of the company’s German parent company—only it wasn’t his chief executive. It was a hacker using deep fake software, mimicking the voice of the chief executive in Germany and requesting a wire transfer payment to a supplier. The result was a $243,000 payment to the hacker, who soon called back asking for more, which tipped off the CEO.
Deep fake software is abundant, effective, and cheap, and businesses have no answer for it. According to Computer Weekly, 77 percent of cybersecurity decision makers are concerned about deep fakes, but only 28 percent have a plan to defend against them.
Preventing CEO fraud
Anti-spear phishing technology has come a long way, but the psychological nature of CEO fraud requires a combination of preventative measures:
User Training: Train your users to identify different types of business email compromise, as well as social engineering techniques. Go beyond periodic training and provide training on-the-fly—when users open or respond to malicious emails.
Validation Processes: Implement a process for validating requests for financial transactions. Examples include validating requests in person or over the phone after receiving a financial request via email.
Technology: Upgrade your anti-spear phishing solution to a solution that goes beyond DMARC and traditional detection. The solution should be able to identify hard-to-detect spoofing techniques that evade DMARC, including cousin domains and display name spoofing.
Whether you call it spear phishing, CEO fraud, or business email compromise, all targeted email attacks display similar characteristics, behaviors, and even language. That’s where artificial intelligence (AI) excels at detection.
Searching for anomalies in email traffic and malicious behaviors in emails, AI algorithms can detect what statistical or fingerprint solutions miss. Vade Secure uses two machine learning techniques to detect spear phishing and CEO fraud:
- Anomaly Detection: Identifies outliers or behaviors uncommon in a data set—in this case, an organization’s email traffic. It learns over time what is and is not typical sending/receiving behavior in the organization and identifies anomalies, including cousin domains and display name spoofing.
- Natural Language Processing: Detects the common words and phrases used in CEO fraud and spear phishing, particularly language that indicates urgency or is related to financial transactions.
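As an added illustration of the two spoofing techniques named above (display name spoofing and cousin domains) and of the urgency-plus-finance language the NLP check looks for, here is a small rule-based checker that is not Vade Secure's code and does not use its machine learning models; the corporate domain, executive directory, keyword lists and sample messages are all constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # constructed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed directory: name -> real address
URGENCY = {"urgent", "asap", "immediately", "right away", "in a meeting"}
FINANCIAL = {"gift card", "wire transfer", "payment", "invoice", "bank"}


def normalize(text):
    """Lower-case, strip accents and fold the digit-for-letter look-alikes 0->o, 1->l."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    return text.translate(str.maketrans("01", "ol"))


def edit_distance(a, b):
    """Levenshtein distance via dynamic programming; small values flag look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(from_header, body):
    """Return the warning labels a banner would show for one message (empty list = no warning)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    expected = EXECUTIVES.get(normalize(name))
    if expected and addr != expected:
        findings.append("display name spoofing")  # an executive's name on a foreign address
    if domain != CORP_DOMAIN and edit_distance(normalize(domain), CORP_DOMAIN) <= 2:
        findings.append("cousin domain")  # passes DMARC for its own domain, yet mimics ours
    text = body.lower()
    if any(k in text for k in URGENCY) and any(k in text for k in FINANCIAL):
        findings.append("urgent financial request")  # the CEO-fraud language pattern
    return findings


if __name__ == "__main__":
    SAMPLES = [  # constructed messages, not real traffic
        ("Jane Doe <jane.doe@example.com>", "Please send the Q3 report when you can."),
        ("Jane Doe <jane.doe.ceo@gmail.com>", "I'm in a meeting, need gift cards for a client."),
        ("Jane Doe <jane.doe@examp1e.com>", "Wire transfer needed ASAP."),
        ("Accounts <ap@exarnple.com>", "Invoice attached."),
    ]
    for hdr, body in SAMPLES:
        print(hdr, "->", assess(hdr, body) or "no warning")
```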
Vade Secure for Microsoft 365 alerts users to possible spear phishing attempts with a warning banner that triggers when the suspicious email is opened. This provides the pause necessary for the user to consider the possible warning signs they might otherwise have missed. Additionally, if the email contains anomalies but is a legitimate message, the email will not be misclassified and blocked, ensuring that important corporate communications are successfully delivered.