CEO fraud: can you identify the term, and do you know how to prevent it? It is a scam that aims to trick employees into paying an invoice or making a transfer from the company account to an account controlled by the cybercriminal.
It can affect any employee of a company, especially those who have access to economic and financial resources or who are authorized to issue transfer payments. Below we review the modus operandi, the most common practices and, above all, how to avoid it.
How do these scams occur?
Once you know how the attackers operate, it is easy to recognise the scam and to avoid a practice that is, moreover, increasingly common. The scam can start with a simple email:
- An email arrives, apparently from a colleague or the boss, asking for help with a confidential and urgent operation.
- The cybercriminal uses an email address that is similar to the legitimate one, or even a spoofed one.
- The content conveys a sense of authority and urgency and pushes the recipient to act quickly and secretly, which keeps the information from reaching other employees.
- The ultimate goal is to trick the victim into making one or more large transfers to the criminal's account, believing the operation is legitimate.
In these attacks, a form of social engineering aimed at the employees of a particular organization, scammers often gather as much information as possible in advance to understand how the company works and to make their messages credible. Most cases occur by email, although lately there have also been cases by phone. If the target is not aware of the deception, confidential information such as online banking access codes could be revealed and the scam carried out, with a high economic and even reputational impact on the organization.
Most common deceptive practices
How do attackers most commonly go about committing CEO fraud? These are two typical examples:
- They make contact posing as a manager who needs an urgent and secret purchase or commercial operation, where speed and discretion are required. Often they take advantage of the fact that the CEO is traveling, or they know the CEO will not be reachable by phone for a while.
- They make contact posing as a supplier who urgently needs to change the bank account for the next payment. Be careful: they know a lot about both the company and the supplier.
In these cases, cybercriminals demonstrate a deep knowledge of the company, its suppliers and its employees.
How can we prevent it?
- If you have doubts about the identity of whoever is requesting the operation, confirm it through a different channel. If the request came by email, call the person or company directly by phone. If a supplier calls from an unusual number, hang up and call back on the number you already know.
- Be especially careful with requests for transfers to foreign accounts if that is not usual for this type of operation.
- Review the messages you receive and check for signs of phishing. Learn how to identify an email with these characteristics.
- If you receive an unexpected message, apparently from a colleague, asking you for confidential information or to carry out an urgent banking operation, do not respond and do not provide any information.
- Verify messages and requests for banking operations with other people in your organization to confirm they are genuine.
- Keep your operating system and applications up to date, so that spyware cannot get onto your devices to read your email or infect your systems.
- Do not post work information on social media, such as your corporate email address, the department you work in and the functions you perform, your office location, coworkers, etc.
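One way a mail-security team can turn the "check the sender" advice into an automated check, as an added example that is not part of the original article: compare each incoming From header against a directory of known executive and supplier addresses and flag any sender that is only a character or two away from a trusted address, or that reuses a trusted display name with a different address. The company `example.com`, the supplier domain and the names are constructed for the example.

```python
from email.utils import parseaddr

# Constructed directory of trusted senders (hypothetical company and supplier).
TRUSTED = {
    "ceo@example.com": "Alice Director",
    "billing@supplier-parts.com": "Supplier Parts Billing",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character insertions, deletions or
    substitutions needed to turn a into b (lookalike addresses score 1 or 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, max_distance: int = 2) -> list:
    """Return the reasons a From header looks like a CEO-fraud lookalike.

    An empty list means the address is either exactly trusted or unrelated
    to any trusted sender; a non-empty list is a signal to verify the request
    through another channel before acting on it."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in TRUSTED:
        return []  # exact match with a trusted address
    reasons = []
    for known, known_name in TRUSTED.items():
        distance = levenshtein(addr, known)
        if 0 < distance <= max_distance:
            reasons.append(f"address {addr} is {distance} edit(s) from trusted {known}")
        if name and name.strip().lower() == known_name.lower():
            reasons.append(f"display name '{name}' matches {known_name} but address is {addr}")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers: the second swaps "m" for "rn", the third uses a
    # free-mail address behind the executive's display name.
    for header in ("Alice Director <ceo@example.com>",
                   "Alice Director <ceo@exarnple.com>",
                   "Alice Director <alice.director@gmail.com>"):
        print(header, "->", check_sender(header) or "ok")
```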
What should I do if I have been a victim of this online fraud?
The National Police, aware of how widespread this type of fraud is, insist on the main security recommendations: distrust this kind of communication, consult and check the request through other channels, and pay close attention to the sender's email address. Fraudulent emails are sent from an address almost identical to that of the usual boss or contact, differing in only one character.
If, despite these precautions and filters, you still fall victim to CEO fraud, the Ministry of the Interior recommends the following:
- Write down the email addresses and telephone numbers from which the communication was received.
- Write down the accounts to which the money was transferred and collect any information that may be relevant and help trace the attackers.
- Report the incident.
After filing the report, a second step could be to raise awareness among your employees and train them in protection techniques and good information security practices, and, as the National Police advise, implement payment procedures that require double verification.
It is important to know the fraud techniques cybercriminals use and to make this information accessible to everyone in the company. That way, any sign of a social engineering attack can be caught and reported at the first suspicion, avoiding significant damage and losses for the business. Remember: the security of the company is everyone's responsibility.