CEO fraud is a growing threat to businesses.
Nearly half a million businesses in the UK are being affected by CEO fraud, according to research by Lloyds Bank. It's not a question of if you will be targeted (because you will!); it's now a question of how much it will cost your business.
If you understand what CEO fraud is and how it works, and you do something about it, then it is possible CEO fraud won't cost your business a penny. However, if you continue to ignore the threat, then one email can cost your business £10,000s.
This article will explain CEO fraud, how it works, and what to look for to spot a fraudulent attack. I will also give you some ideas to help stop your business from falling victim to these scams.
What is CEO fraud?
This is when the impersonation of a business owner or senior manager is used to trick a target into authorising a fraudulent payment. By posing as a high-level member of the business, the fraudsters communicate with customers or employees, telling them to make a payment to the fraudster's account.
There are many ways they can try to achieve this, but the most common is the CEO phishing email. They send an email that looks like it comes from the owner or senior management and contains an urgent request to send money. Some emails will even mimic the correct sending address, making it very difficult to tell that the email is a scam.
The dangers of a CEO fraud attack on your business
A 2017 report by Crowe, an audit, tax, advisory and risk firm, set the annual cost of fraud in the UK at £190 billion. £121 billion of that is fraud on UK businesses every year. That is a staggering amount of money being tricked out of companies each year and a number that will worry any business owner.
The same report saw a 2,370 per cent rise in CEO fraud. Lloyds Bank has done its own research into CEO fraud and estimates that nearly half a million small and medium-sized businesses have been affected by this type of scam.
CEO fraud is a common and expensive threat. Action Fraud says the largest amount ever transferred by an employee to a scammer was £18.5 million. How did they pull it off? CEO fraud. The average amount received by scammers through CEO fraud is £35,000. Imagine your business losing £35,000 because of one fraud email.
Examples of CEO fraud are familiar stories we hear from local businesses. One Managing Director told us of a time they were out of the office, and an email was sent to their finance department. It was spoofed to look precisely like it had come from the MD, even the language used in the email was tailored to match the MD. The email asked for the finance department to pay a £50,000 invoice, which they duly paid. Only when the MD returned to the office did they realise they had been scammed.
Aside from the financial damage, your business's reputation can also be tarnished. If your business looks after customer data, your clients may lose faith in your ability to protect their data. Alternatively, if you are an accountant or financial firm, how safe will a customer feel if you can't even look after your own money?
How CEO fraud works
The most common approach is the CEO fraud email. The attacker will use the name of the CEO and instruct the payment of an invoice to the attacker's account. CEO fraud emails play on the complacency of employees. When you see an email is from the owner or a senior manager, how many times would you think to check the sender address?
The best emails will be able to spoof both the CEO's name and their email address. These types of emails are very dangerous because they are a lot harder to spot as scams. Attackers can go a step further and even mimic the language the CEO would typically use in an email. Those CEO fraud emails are almost impossible to spot as scams and can trick even the most diligent of staff. We have seen examples that, when shown to the actual CEO, they struggled to identify as a scam.
Even some emails with the wrong address can be effective because they use very similar domain names, where possibly there is only a one-letter difference in the email address. These differences are subtle enough to still work.
How to spot CEO fraud
Now you have seen how CEO fraud works and know the damage it can cause your business, how can you spot a fraud email? Here are a few pointers to help your business avoid becoming another victim.
Check the email address
Check the whole email address, not just the name. The fraudsters can easily use the right name, but it is more difficult for them to spoof the domain address. Check the domain address to see whether it is genuine or not, but remember that even a genuine domain address could still be a CEO fraud email.
Consider the sender
If the domain address is correct, then think about the sender. Is this the right person to be making the request? Do they usually authorise payments? The best scammers know how a business works, and they can identify who normally authorises payments and which member of staff will make them.
Check the language they use
If the domain is correct and the email is from the right person, then look at the language they use in the email. Does the email sound like the sender? Does it use words they would typically use? Hackers can gain access to all your emails and learn to mimic the language used by senior members of the business.
By using these three tips, you can spot a good number of CEO fraud emails, but as you can see, there are ways the scammers can make the email look like a genuine request from a business owner or member of management.
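The first two tips above (check the whole address, not just the display name, and watch for domains that differ by a single letter) can be turned into an automated check that runs on incoming mail before a finance employee ever sees the "urgent invoice" request. The script below is an added example written for this article, not code from InfoTech or any product it mentions. It assumes a hypothetical company domain example.co.uk, a hypothetical executive "Jane Doe", and constructed sample emails; the allowlist and the distance threshold are assumptions you would replace with your own directory data.

```python
"""Flag sender-impersonation signs in an email header (added example, hypothetical data)."""
import email
from email import policy
from email.utils import parseaddr

# Assumed allowlist: display names of senior staff mapped to their real addresses.
# In a real deployment this would come from the company directory.
KNOWN_SENDERS = {
    "jane doe": "jane.doe@example.co.uk",   # hypothetical managing director
}
# Assumed set of domains the business genuinely sends from.
TRUSTED_DOMAINS = {"example.co.uk"}
# Assumed threshold: domains within this many edits of a trusted one are "lookalikes".
LOOKALIKE_MAX_EDITS = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(raw_message: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings for the From/Reply-To headers of one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # Tip 1: the display name may be right while the address is not.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(("display-name-mismatch",
                         f"name '{name}' belongs to {expected} but address is {addr}"))

    # Tip 1 again: a domain one or two letters away from the real one.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(domain, trusted) <= LOOKALIKE_MAX_EDITS:
                findings.append(("lookalike-domain",
                                 f"{domain} resembles trusted domain {trusted}"))

    # Replies silently redirected away from the apparent sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != addr:
        findings.append(("reply-to-mismatch",
                         f"From is {addr} but replies go to {reply_addr.lower()}"))
    return findings


# Constructed sample messages (not real mail).
GENUINE_MAIL = """\
From: Jane Doe <jane.doe@example.co.uk>
To: accounts@example.co.uk
Subject: Supplier invoice

Please process the attached invoice in the usual run.
"""

LOOKALIKE_MAIL = """\
From: Jane Doe <jane.doe@examp1e.co.uk>
To: accounts@example.co.uk
Subject: Urgent invoice payment

Please pay the attached invoice today, I'm in meetings all day.
"""

FREEMAIL_MAIL = """\
From: Jane Doe <janedoe.md@webmail-example.com>
Reply-To: janedoe.md@webmail-example.com
To: accounts@example.co.uk
Subject: Quick favour

Can you buy some gift cards for a client? Send me the codes.
"""

REDIRECTED_MAIL = """\
From: Jane Doe <jane.doe@example.co.uk>
Reply-To: jane.doe@examp1e.co.uk
To: accounts@example.co.uk
Subject: New bank details

Our supplier has changed bank account, reply here for the new details.
"""

if __name__ == "__main__":
    for label, sample in [("genuine", GENUINE_MAIL), ("lookalike", LOOKALIKE_MAIL),
                          ("freemail", FREEMAIL_MAIL), ("redirected", REDIRECTED_MAIL)]:
        print(label, check_sender(sample))
```

The genuine message produces no findings; the lookalike one is flagged twice (name belongs to a different address, and examp1e.co.uk is one edit from example.co.uk); the free-mail one is flagged only for the display-name mismatch; the last one passes the From check but is caught by the Reply-To redirection. An email whose From address is spoofed exactly, as the article warns is possible, passes all three checks, which is why it still needs the out-of-band confirmation the article recommends (or sender authentication such as DMARC enforced at the mail gateway) rather than header inspection alone.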
How to protect your business from CEO fraud
Scammers are capable of producing genuine-looking emails sent from the right person and domain address, using the correct style of language and making a believable request. So what can your business do to counteract the threat of CEO fraud? As with most cyber attacks, the best form of prevention is awareness throughout the business. Here are some key ideas you can implement in your business to protect it from the threat.
There are tools and applications you can use to help, like SolarWinds. The SolarWinds Access Rights Manager (also referred to as ARM) is designed to help administrators keep track of networking permissions within an organization. The tool helps IT and Security admins quickly analyze user authorizations and access permission to systems, data, and files and help them protect their organizations from the risks of data loss and data breaches.
Audit your cyber security
Scammers don't guess the details and hope you fall for the email. They know the information they need. One way they get it is by breaking into your systems and reading the emails you send. With all that information it doesn't take much to spoof a realistic email that you would likely have sent. All the other tips below are measures to deal with a CEO fraud email once it has been received, but follow this advice and you can stop the scammers from gaining the business information they need to make realistic emails that can fool your staff.
Educate your staff
I have already laid out some ways you can spot CEO fraud emails. It won't take long to train your staff to look out for these signs of a potential scam. You can even contact your IT support provider to discuss security awareness training for your business. At InfoTech we use KnowBe4 as a way of testing employees' ability to spot phishing emails.
Use double authentication
Tell your staff that if they receive an email payment request, they should check with you that it's genuine. If you are out of the office, get them to call you to confirm; you can even go as far as to arrange a safe word to make sure the phone call is genuine. Or make it company policy that a payment request can't be made by email.
Understand the situation your staff are in
CEO fraud can put your team in an awkward position. Not everyone would be comfortable suggesting your email might be a scam. It is very common that staff won't want to seem stupid and will proceed with the payment. Make it clear to your staff that it is okay to question these emails and that it is okay to check with you.
Set the rules
Set some specific things you will never ask your employees to do via email. This might include buying gift cards, making urgent payments, or sending sensitive data (these are all common requests in CEO fraud emails).
CEO fraud is not going away anytime soon; in fact, as the research shows, it is rapidly becoming a bigger threat to UK businesses. Your business will be targeted; in fact, you have probably already been targeted. A member of staff could be reading through a CEO fraud email right now. Do you trust them to spot that it's a scam?
Attackers have become so sophisticated that they can mimic your emails right down to the language you use, and even know the exact time and day you are likely to send this kind of email. It can be impossible to spot that the email is fraudulent. We have seen many examples where long-serving members of staff have been fooled by emails so realistic that the business owner themselves began to doubt whether they had sent it or not.
Putting in processes to deal with CEO fraud is a step your business should take. It will help stop your staff falling victim to even the most convincing scam email. However, that is just treating the symptoms; to best protect your business from CEO fraud you need to look at your business's cyber security. Is your business doing all it can to protect your data? Is your IT support provider doing everything it can to keep your business safe? If you can't answer that question, or don't like the answer you come to, then do something about it today, before that data is used to trick your staff into making a fraudulent payment that costs your business £10,000s.
To discuss your current cyber security and to find out how it can be improved call us on 01634 52 52 52.