Financial Services Ireland

Article

CEO Fraud – An ancient attack with a new dimension

Read more


Confidence-based CEO fraud has been around for decades, maybe even centuries, so why is it a new headline?

Recent headlines covering the perhaps erroneously named ‘cyber-attacks’ on Meath County Council and Ryanair might suggest that these are some form of sophisticated cyber-attack. However the reality is that these are simply a very old fraud scheme being perpetrated using modern means.

When we look at how such a fraud is carried out, it’s far more about confidence scams (or so-called ‘social engineering’) than it is about technology-based attacks. This is further evidenced by the fact that key prevention methods lie in awareness and financial controls, rather than in technical controls.

What has changed is the speed and ease at which these frauds can be carried out. Fraudsters now have easy access to social media and other online tools such as Google and LinkedIn/Facebook to research a prospective target, as well as leveraging forged email senders as a means of delivery. This helps make the scam more convincing and believable without having to step away from their keyboard.

One might argue that the misclassification of these attacks as purely cyber-attacks might lead to mismanagement of the risk.

So what is CEO fraud?

At the centre of a CEO fraud scam is the premise that the fraudster convinces someone in the organisation to use their legitimate authority and fund transfer system to send money to an account under the fraudster’s control. It’s vital to understand that this is neither a compromise of the facilitating bank nor the victim’s computer, rather it is a compromise of the victim themselves.

In the past, fraudsters used the technology available at the time (letters, fax and telephone). It sometimes involved in-person aspects, for example with the fraudster pretending to be a supplier. The fraudsters are only bound by their imagination, ingenuity and sheer brass-necked boldness.

The attack itself is simple: convince the victim that they need to create a new beneficiary and send money to that account. Again any ruse will do. CEO Fraud is based on the premise that someone pretending to be the CEO (or someone similarly in authority) makes an urgent demand/request for money to be transferred. It’s often urgent (such as Christmas week!) and the CEO is somehow unavailable to be contacted in person to validate the request. The accounts payable employee (naturally wishing to oblige the CEO) does what they are told and sends the money. By the time it’s discovered (maybe only when checking bank statements at month end), the money has been efficiently laundered through a series of international bank accounts and is long gone. The fact that it’s completed online or by walking over to the branch is simply the transfer method.

Other variants include invoice re-direction whereby a ‘supplier’ instructs the organisation to change the bank account to which their regular and legitimate payment is to be sent. This is usually detected when the legitimate supplier chases the unpaid invoices months later only to enter into an argument about who told whom to change the bank account details.

A new dimension…

It’s no surprise that these fraudsters have taken to cyber-space and the efficiencies and risk reduction it brings for them.

The first benefit is at the reconnaissance stage, whereby the fraudster profiles their victim. They now have your company website to learn about your CEO, CFO, etc. They can check LinkedIn and/or telephone to find out who is responsible for processing payments, and they can check Facebook to learn when key authorisers are on holidays, leaving their backup as the victim. This would have taken a lot longer and required face-to-face interaction before these avenues were available.

The next advantage is that it’s easy to spoof the sender of an email, and a spoofed email can be much more convincing. Fraudsters may use a free email account like Gmail, Hotmail, etc. and just put a different display name on it so it looks like it’s from the CEO. This is relatively easy to spot by looking at the underlying email address. We’ve also seen attackers register a domain name that is very close to the organisation’s (e.g. @domain.com becomes @doma1n.com), which can be easily overlooked by someone confronted with an urgent request from someone in authority.

In a few cases we’ve seen the attackers gain control of the CEO’s enterprise email account directly, giving them full use of the account and access to its contents. In these cases the email does actually come from the legitimate account, so is impossible to tell it is faked from a purely technical perspective. These are rare, as it does involve a level of sophistication (unless the CEO leaves their password on a post-it at a conference!).

Another example is where the fraudster calls the accounts team claiming to be from their bank, typically claiming that there is a suspicious transaction on the account (generate urgency) which needs to be stopped. Through a series of social engineering techniques they manage to get the access codes to login to the organisation’s online banking, set-up a new beneficiary and commit a transaction. This is not a compromise of the bank’s online banking platform, it’s simply a case of the employee giving the fraudster the keys to do whatever they like with it.

We haven’t gone into detail on how fraudsters create/obtain mule accounts and the sometimes complex operation of tracing, freezing and eventually recovering funds (if you’re quick enough to catch them), as this is an area best left to law enforcement working closely with your bank, who, as you’ll now understand, have been dealing with similar cases for a very long time.

How to fight back

As with any risk facing an organisation, the first step is identifying that the risk exists, quickly followed by understanding the risk and how it might impact your organisation. In the cybersecurity arena this is typically known as Cyber Threat Intelligence. Although it’s arguable that CEO Fraud (or its many variants) is not a cyber risk but a fraud risk, the same principles can be effectively applied to manage it. This starts by understanding what you have that the bad guys want – access to transfer money.

The next step is to understand how they might go about attacking you – see descriptions above. Armed with this information, set about protecting what matters most across your people, processes and technology:

  • Awareness, awareness and yet more awareness – if your employees are aware, they’re more likely to spot, stop and report an attack before it can be successful. Note that it is absolutely critical to create a culture where your staff feel it is safe to report such events, even if they may have unwittingly fallen for the first steps of the fraudster’s ruse.
  • Don’t give away too much information – Don’t provide contact details, personal details, or other company information to an unknown caller. Request contact details, verify their identity, and call them back. Be aware of your online profile on social and business media sites such as Facebook and LinkedIn. This information may be easily viewed by an attacker.
  • If it seems suspicious, then it probably is – Be wary of attempts to create an artificial sense of urgency or an incentive to click on an email attachment or follow a link to a website. These can be social engineering techniques designed to extract valuable information from you and get you to assist in unknowingly installing malicious code on your computer.
  • Think twice before acting on an email – Were you expecting the email, regarding this subject, from this person? Is the request out of line with company policies/protocols/usual procedure?  Has it come from a ‘free’ email account, such as Hotmail or Gmail? If it looks like it has come from a legitimately named person, check that the underlying email address matches. Does the sender say that they can only be contacted by email? Is the style consistent with previous emails from the same person? If in doubt, follow-up with the sender in person or via a known contact number, and check that the email and any attachments are legitimate.
  • Handle financial information in line with its risk – Ensure that all staff know established protocols for financial transactions and that they know they will never be asked to bypass them, regardless of the seniority of the requester.
  • Protect what’s important (access to online banking) – Never click links in emails relating to banking information. Where available, employ a two-person approval process, from two different computers. Never provide your login credentials to anyone, ever.
  • Employ detection capabilities – There are numerous technical controls which can be deployed to detect potentially suspicious emails. These range from simply highlighting that an email has come from an external source, through to scanning of attachments for malicious content.

These are a few ‘top tips’ for defence, however every organisation is different requiring tailored defences based on their set-up and their risk appetite. The transfer limit allowed before a second authoriser is required is a good example of something which will need to be agreed. The most important step is to recognise that just like other risks, they need to be regularly assessed and defences adjusted based on current risks.

When the worst happens

As with all fraud schemes or cyber-attacks, if it hasn’t happened already, one will get through. Remember that as an organisation you have to be lucky every time with your defence, whereas the bad guys only have to get lucky once. Given this new reality, businesses need to focus on being prepared for when the worst happens.

It’s simply a case of asking yourself what you would do if it happened to you, and then prepare accordingly. This means having a crisis management team that follows a documented plan, which they have been trained and regularly tested in. This plan will include everything from what you might communicate to the media, regulators, your customers, etc. through to who you are going to call to help investigate (your bank, law enforcement and forensic specialists).

All businesses are now in an arms race against traditional fraudsters turned cyber-criminals. This is just another risk which must and can be easily managed. The key is to put in place the right balance of defensive, detection and responsive measures to protect your business before it happens.

As to whether we can call CEO Fraud a sophisticated cyber-attack, or simply just plain old fraud, is really just a matter of opinion. It’s what we do to stop it that counts.

Hugh Callaghan

Associate Partner, Cyber
Hugh's Full Profile