‘CEO fraud’: what is it and how does it work

In 2018, the world was hit by a scam that cost companies an estimated €1.1 billion: “CEO fraud”. This scam is fairly common and will probably become even more so in 2019.

“CEO fraud”, also known as “Business Email Compromise” (BEC), is a scam in which high level executives (also known as C-level executives) are impersonated, giving employees urgent and confidential orders to make financial transactions in a way that does not follow the company’s standard procedures. Cybercriminals attempt to build trust in their victims by using information that is publicly available online, thus making any topic seem credible.

Over the years, the scammers have become more sophisticated in how they set the stage to the point where they create plausible situations with a large support structure. That said, the ‘modus operandi’ remains the same, consisting of four main stages:

• Phase 1: Picking the victim

Every day information on future corporate events, sponsorship events, trips, etc. is published on corporate websites and employees’ social network pages. This innocent posts that may seek to advertise the company can be exploited by criminal groups to identify when a top manager - either from a multinational firm or SME - will be unreachable, or with restricted access to the computer or telephone.

Once the person they plan to impersonate has been identified, the criminals research the company’s sector, network of contacts, partners, common transactions, news of a possible merger and whether or not the person in charge has attended an event or fair where s/he could make a large purchase. Therefore, the most common scenarios criminals have used in recent months to earn employees’ trust are:

• • A fake director contacts an employee with access to company accounts to ask him or her to urgently transfer money to an account number that is not normally used. Cyber criminals know who to contact thanks to the employee’s digital footprint - in other words, the information publicly available online.
  • A fake or impersonated mergers and acquisitions company (M&A) dedicated to the buying, selling and merging of companies writes to the employee asking him or her to help with the operation by transferring money. The criminals apologize that their superior, who cannot be reached at the time, should have told them about it before and that the operation is confidential.

• Phase 2: Manipulating the employee

Here it is when 'social engineering' comes into play. Once the alibi is ready, the criminals call or send an email to the employee with permission to perform transactions or access sensitive information. The email is usually sent from a domain very similar to the original so that it looks familiar to the employee. The signature is usually omitted or a signature very similar to the original is used.

The email structure tends to include the following:

• • Short introduction explaining that its a very urgent and confidential matter that cannot be explained to colleagues or superiors.
  • The body of the email asking for sensitive information or asking the employee to perform a bank transaction for a high amount to an unusual account number.
  • A closing recalling how important the confidentiality and urgency of this operation are.

Sometimes the email does not come alone. It may be accompanied, or preceded by:

• • Prior phone calls or emails confirming that the employee will be available when the email is sent.
  • Attached documents that simulate a confidentiality agreement.
  • Very specific details about company procedures and transactions that look familiar to the employee in order to gain trust about what is being requested.

• Phase 3: Employee reaction

The employee may react by doing what is requested without questioning. This happens as a result of the urgent nature of the message. The employee doesn’t stop to check the email address that sent the message, whether the email was written correctly in terms of structure and grammar, or whether the request fits with common practice in the company. Perhaps the cybercriminal provided sufficient data to earn the employee’s trust. By repeating several times that something is confidential, employees tend not to share it with their colleagues due to fear of repercussions.

• Phase 4: The impact

The account numbers the criminal groups use tend to be in other countries. Reported incidents used accounts in China, Africa or tax havens with different economic policies than those in Europe. Different legislation combined with the time differences and language barriers make cancelling the transfers or tracking the money an impossible task.

Even the most secure systems are not safe if the doors are left open to criminals. Remember: You are the best defense!