If you received an email from your manager asking you to pay £10,000 into a bank account urgently, would you do it?
You might be surprised to hear that some people do.
This type of scam is known as CEO fraud or CEO impersonation and it’s the topic for today’s blog.
Spear Phishing
We’ve talked about phishing attacks in a previous blog post.
Lots of phishing attacks are broadcast in nature. They'll be sent to lots of people in the hope that a few of them will fall for it.
The CEO scam is a targeted phishing attack, also known as spear phishing.
Hackers use online tools like LinkedIn or browse your website for key players within your business. They’ll check out your ‘Team’ pages on your website.
They can easily find the names of your company's CEO or Managing Directors. It's not difficult; all of that information is out there on the internet.
Impersonation
The next step is to pretend that they are the CEO of the business.
They usually do this by creating a fake email address which is nearly identical to the real thing and sending an email to someone in the accounts department.
The email pops up in that person's mailbox and looks like it has come from the CEO of the business, or another senior member of the team.
To the untrained eye, the email is genuine.
Urgency
The contents of the email will be to ask the accounts department to make a payment to a bank account.
The hackers will also apply some urgency to the request. The payment, of course, will be business critical. On top of that, they will say something like:
“I can’t talk now, I’m about to get on a plane”
Or
“I can’t talk now, I am on holiday”
Nobody wants to bother calling their CEO on holiday do they? So instead, to avoid the wrath of the CEO, the payment will be made.
Similar Domains
I'm sure you have guessed what is coming next. Of course, the request isn't genuine, and the money goes straight to the fraudsters.
So what can you do to protect your business from this type of attack?
The first thing you can do is check the email address very carefully. The email domain might be nearly identical to the real one but with just one letter changed.
Let’s look at these two email addresses
Spot the difference?
You can spot the difference if you look for long enough. But if you're busy at work when this arrives, the chances are you won't bother to check.
People often don’t check the full email address, they just check the person’s name. This rushed way of working is what hackers love!
Business Process
The second recommendation is to have a process in your business where you verify bank payments.
If you get an email from the boss asking for an immediate payment, there should be a process where you have to get a verbal agreement. So, in effect, you need to also speak to the CEO before a payment is made, using a phone number you already have on record rather than one given in the email.
This is a great example of cyber security in action. You don't necessarily have to spend lots of money on cyber defence; you just need the right processes within your business.
Technology Protection
You can also buy technology for your business that would help prevent these emails getting through.
By using an intelligent spam filter for your emails, you can stop these emails in their tracks.
Products like Mimecast and Vade Secure can identify impersonation attacks and quarantine the email for IT to review.
These products look for ‘similar domain’ emails and block them from reaching your mailbox.
If you combine a business process with clever technology, you have two layers of defence against cyber criminals.
Conclusion
As I’ve said before, cyber security is like a jigsaw puzzle. There is no one process or technology that will help protect you.
So the best way to really protect your business from CEO scams is to use both of the recommendations I’ve talked about in this blog post together.