You receive an email from your boss urging you to transfer a large amount of money to pay for an outstanding invoice. It’s not an unusual request; in fact, you’ve handled invoices many times before. So do you send the money immediately?
Maybe not. While this may look like a routine request, it can also be CEO fraud. CEO fraud is a type of business email compromise (BEC), and it is costing companies dearly: the FBI has reported that BEC losses totaled roughly $12 billion over the past five years.
Source: TrendMicro via CSO Online
What is CEO Fraud?
CEO fraud is a sophisticated scam in which attackers impersonate a company's CEO (or another senior executive) and ask an employee to transfer money. The attacker either compromises the executive's real mailbox or sends a legitimate-looking email from a spoofed or lookalike address. CEO fraud can target any employee, but staff who can approve or execute payments, typically in the finance department, are the usual targets. The real estate industry has been hit especially often, but businesses in every industry can be affected.
How It Works
CEO fraud is a highly targeted phishing scheme. Cybercriminals first research the company: who the executives are, who handles payments, and how requests are normally phrased. They then craft an email that appears to come from the executive and asks the victim to transfer money, usually with a strong sense of urgency. The payment is directed to a bank account the attackers control, often a temporary account opened abroad, and the attackers simply wait for the payout.
CEO fraud can cost companies a great deal of money, and in some cases people lose their jobs. In 2016, the Austrian aerospace parts maker FACC lost approximately $47 million to CEO fraud and subsequently fired both its CEO and its chief financial officer.
Five Ways to Avoid CEO Fraud
Awareness: All employees need to be aware of CEO fraud. Extra training should go to employees who handle sensitive data or payments, such as those in human resources or the finance department.
Have a clear policy: Create a multi-step approval process for large transfers. For example, require the requester to confirm by phone or text before the transfer is released, and make sure that confirmation goes to a number already on file, not one supplied in the email itself.
Validate transfers: Associate all money transfers with a purchase order. This will help validate the transfer and ensure that everyone knows where the money is going and what it’s for.
Inspect the email: Around 6.4 billion fake emails are sent every day, so it is important not to fall victim to them. Although CEO fraud emails are highly targeted, they tend to follow a similar formula. According to the FBI, the phrases “code to admin expenses” and “urgent wire transfer” were commonly reported by victims. Be suspicious of any request for funds that uses similar urgent wording, and verify it out of band before acting.
Create email rules: Attackers often spoof the visible From address while setting the Reply-To header to a different address. The sender you see looks legitimate (e.g. email@example.com), but when you reply, the message goes to a bogus address (e.g. firstname.lastname@example.org). A mail rule that flags messages whose Reply-To domain differs from the From domain will catch many of these targeted emails.
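The two checks above (the FBI's reported urgent phrases and a Reply-To domain that does not match the From domain) can be combined into a simple triage script. The following is an added example and not code from Jolera or from the original post; it uses only Python's standard library. The company domain (example.com), the executive name list and the three sample messages are assumptions constructed for the example; the third check, flagging a known executive's display name on an external or lookalike domain, goes slightly beyond the text to cover the "legitimate looking email" case described earlier.

```python
"""Triage raw email text for common CEO-fraud indicators.

Added example, not the original page's code. Flags:
  * Reply-To domain different from the From domain (reply redirection)
  * urgent wire-transfer phrases the FBI reports victims seeing
  * a known executive's display name paired with a non-company domain
All sample data below is constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed for the example: the organisation's real mail domain and the
# display names of executives most likely to be impersonated.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}

# Phrases the FBI reported as common in CEO-fraud emails (cited in the text).
URGENT_PHRASES = ["code to admin expenses", "urgent wire transfer"]


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyse(raw_message):
    """Return a list of indicator strings for a raw RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    # Indicator 1: replies are silently redirected to another domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{from_domain}->{reply_domain}")

    # Indicator 2: urgent payment wording in the subject or plain-text body.
    text = ((msg["Subject"] or "") + "\n" + msg.get_payload()).lower()
    for phrase in URGENT_PHRASES:
        if phrase in text:
            findings.append(f"urgent-phrase:{phrase}")

    # Indicator 3: an executive's name on a domain we do not own (lookalike or free-mail).
    display_name, _ = parseaddr(msg["From"] or "")
    if display_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(f"exec-name-external-domain:{from_domain}")

    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Doe <ceo@example.com>
Reply-To: Jane Doe <jane.doe.ceo@mail-example.org>
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today. Code to admin expenses.
"""

LOOKALIKE = """From: Jane Doe <jane.doe@examp1e.com>
To: finance@example.com
Subject: Payment

Can you send the payment now? I am in a meeting and cannot take calls.
"""

LEGIT = """From: Jane Doe <ceo@example.com>
To: finance@example.com
Subject: Q3 forecast

Please send me the Q3 forecast when it is ready.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, analyse(sample))
```

Running the script prints the indicators found for each sample. In practice the same three checks map directly onto mail-gateway rules: quarantine or tag on a Reply-To domain mismatch, add a warning banner when an executive's name appears on an external domain, and route messages with the urgent-payment phrases to a reviewer rather than straight to the finance queue.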
If you’re worried about email fraud, contact Jolera to learn more about our secure email solutions.