
Combatting CEO fraud email scams

Fraud and cyber crime—which includes any criminal act dealing with computers and networks—are the most common criminal offences in the United Kingdom, according to the most recent data from the Office for National Statistics. In fact, in 2015, approximately 8,000 people and companies each month reported being the target of a phishing scam, which involves fraudsters accessing valuable personal and company data—such as usernames and passwords. 

While there are several types of cyber attacks that are considered to be phishing scams, the CEO fraud email scam (also known as ‘bogus boss’, ‘whale phishing’, ‘insider spoofing’, ‘company exec spam’ and ‘business email compromise’) can be the most expensive. Although the average loss is £35,000, it can vary widely, with some UK companies reporting losses of up to £18.5 million, according to the nation’s fraud and cyber crime reporting centre, Action Fraud. 

By understanding the risks involved with the CEO email scam, you can boost your defences to better protect your company from cyber criminals.

The Threat of Email Scams

While the CEO fraud email scam is relatively straightforward, it does require that cyber criminals acquire several essential pieces of information in order to be successful, including the following:

  • The company’s hierarchy to know who reports to whom
  • The names and email addresses of anyone in a senior role that is able to initiate payments
  • The day-to-day schedule (and any upcoming holidays, if applicable) of the intended target
  • The names and email addresses of anyone who is able to issue money transfers—such as someone in the finance department

Once the fraudster has acquired these pieces of information, he or she will then create an email account that looks legitimate. In general, fraudsters will use one of the following two strategies when fabricating an email address: 

  • Registering a domain similar to the company’s – for example, firstname.surname@example.com (genuine) and firstname.surname@exaample.com (fraudulent).
  • ‘Spoofing’ the genuine sender, which is when fraudsters reuse the genuine person’s name and email format but send from their own domain – for example, firstname.surname@fraudsterdomain.com.

Some fraudsters may even go as far as to contact their intended target beforehand in order to learn his or her particular writing style and email formatting. 

After the fabricated email has been created, the fraudster will use it to contact an employee that is able to issue a money transfer and make an urgent request to wire money to a specific financial institution. Since the email address looks legitimate, the employee generally does not have any reason to believe that the senior staff member’s request is fraudulent.
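The two address-fabrication strategies above, and the urgent payment request that follows them, can each be checked mechanically before a message ever reaches the finance team. The following script is an added example for this article, not code from the original page or from Action Fraud; it assumes a company domain of example.com and a constructed senior-staff directory, and it reports the warning signs described above: a lookalike sender domain (small edit distance from the real one), an external sender using a senior staff member’s display name, a Reply-To pointing at a different domain, and urgency combined with payment language.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed legitimate company domain (placeholder for this example)
COMPANY_DOMAIN = "example.com"
# Constructed directory: lower-cased display names of staff able to initiate payments
SENIOR_STAFF = {"jane smith": "jane.smith@example.com"}

URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "confidential")
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "bank")


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw_message):
    """Return a list of human-readable warning signs found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    findings = []

    if sender_domain and sender_domain != COMPANY_DOMAIN:
        # Strategy 1: a domain registered to look like the genuine one
        dist = levenshtein(sender_domain, COMPANY_DOMAIN)
        if 0 < dist <= 2:
            findings.append(f"lookalike sender domain {sender_domain} "
                            f"(edit distance {dist} from {COMPANY_DOMAIN})")
        # Strategy 2: a senior staff member's name on an outside address
        if display.strip().lower() in SENIOR_STAFF:
            findings.append(f"display name '{display}' matches senior staff "
                            f"but sender is external: {sender}")

    # Replies silently routed to a domain other than the sender's
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from "
                        f"sender domain {sender_domain}")

    # The urgent money-transfer request itself
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    words = set(re.findall(r"[a-z]+", text))
    if words & set(URGENCY_WORDS) and words & set(PAYMENT_WORDS):
        findings.append("urgent payment language in subject/body")

    return findings


# Constructed sample messages for demonstration
LOOKALIKE_MSG = """From: "Jane Smith" <jane.smith@exaample.com>
To: accounts@example.com
Subject: Urgent wire transfer

Please send the payment today, I am in meetings all day.
"""

SPOOFED_MSG = """From: "Jane Smith" <jane.smith@fraudsterdomain.com>
Reply-To: <payments@otherdomain.test>
To: accounts@example.com
Subject: Invoice

Please process the attached invoice immediately.
"""

LEGIT_MSG = """From: "Jane Smith" <jane.smith@example.com>
To: accounts@example.com
Subject: Weekly report

Attached is the weekly report.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE_MSG), ("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(name, "->", assess(raw) or ["no warning signs"])
```

Edit distance on its own is a coarse filter (it would also flag a genuine partner whose domain happens to be close), so in practice these findings should feed a review step or a verbal call-back to the requester rather than block mail outright.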
