KnowBe4 Warns of CEO Fraud
KnowBe4 Lays out CEO Fraud Infographic
In a recent Security Awareness Training Blog post, KnowBe4 lays bare the sneaky mechanics of the CEO Fraud scam. BrightWire Networks uses training materials and simulated phishing tools from KnowBe4 as part of our Secret Weapon for Beating the Hackers and Phishers.
What is CEO Fraud? The FBI calls it Business Email Compromise (BEC), and according to the FBI it netted criminals almost $6 million PER DAY in 2016. Here is the scoop according to KnowBe4:
It begins with gathering data
The first thing attackers do is check whether they can spoof your domain and, ultimately, the CEO's email address. They will often trawl a company for months, learning which key players control wire transfers and employees' personally identifiable information (PII), such as W-2s. They study how the CEO communicates and how the target company operates so that the impersonation is as believable as possible when they are ready to attack.
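The "can we spoof your domain" check comes down to what your DNS says receivers should do with mail that claims to be from you. The script below is an added example (not part of the KnowBe4 post or BrightWire's materials) that grades a domain's SPF and DMARC TXT records the way an attacker, or a defender, would. It does no live DNS lookups; the record strings and the `.test` domain names are constructed samples, so it runs offline.

```python
"""Grade how spoofable a domain is from its SPF and DMARC TXT records.

Added example. The sample records below are constructed; the domains are
hypothetical (.test) and were never looked up.
"""
import re

# Constructed sample data: what a TXT lookup of <domain> and _dmarc.<domain> might return.
SAMPLE_RECORDS = {
    "unprotected.test": {"spf": None, "dmarc": None},
    "monitor-only.test": {
        "spf": "v=spf1 include:_spf.mailhost.test ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.test",
    },
    "hardened.test": {
        "spf": "v=spf1 include:_spf.mailhost.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.test",
    },
}


def parse_dmarc(record):
    """Return a tag->value dict for a DMARC record, or None if it is not one."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?' or '+'.

    Returns None when there is no SPF record. A record with no 'all' term
    evaluates to Neutral for unlisted senders, so it is reported as '?'.
    """
    if not record or not record.strip().lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"
    return "?"


def assess_domain(spf, dmarc):
    """Grade a domain as 'exposed', 'weak' or 'protected' and explain why.

    Exact-domain spoofing is blocked at receivers that enforce DMARC, so the
    verdict is driven by the DMARC policy; SPF alone only helps receivers that
    honour a hard fail on their own.
    """
    findings = []
    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        findings.append("no SPF record: any server may send as this domain")
    elif qualifier == "+":
        findings.append("SPF '+all' authorises every sender")
    elif qualifier == "?":
        findings.append("SPF neutral for unlisted senders: no protection")
    elif qualifier == "~":
        findings.append("SPF softfail (~all): receivers usually still deliver")

    tags = parse_dmarc(dmarc)
    if tags is None:
        findings.append("no DMARC record: receivers have no policy for spoofed mail")
        verdict = "weak" if qualifier == "-" else "exposed"
        return {"verdict": verdict, "findings": findings}

    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but delivered")
        verdict = "exposed"
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam, not rejected")
        verdict = "weak"
    elif policy == "reject" and pct < 100:
        findings.append(f"DMARC pct={pct}: only part of the spoofed mail is rejected")
        verdict = "weak"
    else:
        verdict = "protected"
    return {"verdict": verdict, "findings": findings}


def assess_all(records=SAMPLE_RECORDS):
    """Grade every domain in a {domain: {'spf':..., 'dmarc':...}} mapping."""
    return {name: assess_domain(r["spf"], r["dmarc"]) for name, r in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all().items():
        print(f"{domain}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

To run it against your own domain, replace the constructed records with the output of `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`. A verdict other than "protected" means a criminal can put your CEO's exact address in the From header and most receivers will deliver it.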
Next, the phish
A spoofed email is then sent to the person who controls what the attacker is after. This is typically someone in the finance department, the HR department or a member of the executive team. The message normally conveys a sense of urgency so that the target does what it asks without question. Another tactic is to wait until the CEO is on vacation or out of town, when a phone call to confirm is less likely. Here are a few real-world examples of the emails:
- "I'm out of the office but I need you to handle this wire transfer for me ASAP"
- Spoofed message from a legitimate vendor with 'new account information'
- The fraudsters pretend to be lawyers or executives dealing with confidential and time-sensitive matters
- An employee's email account is taken over and the attacker sends invoices to the company's suppliers, who transfer money to bogus accounts
- Requests for tax information and W-2s, which peak at this time of year (tax season)
The response (...the part where security awareness training can prevent an attack)
In successful CEO fraud cases, the employee receiving the phishing email acts on the sense of urgency without hesitation and without verifying the request through an out-of-band channel (pick up the phone, and use a number you already have on file, not one supplied in the email). In many if not all cases this happens because employees are not aware of what domain spoofing is and assume the message really is from the CEO. All employees NEED to be trained to spot an attack like this from a mile away!
Then you see the damage
The cybercriminals have gotten what they hoped for. Fraudulent wire transfers have been initiated and/or PII is now in criminal hands.
But wait... there's more!
The fallout after a successful attack can be devastating to the company and its employees. Here are some possibilities, and no, we didn't make this up. These things have happened to CEO fraud victims:
- Money is gone forever in most cases. The FBI estimated it is recovered in only 4% of cases, and usually only when the fraud is discovered within 24 hours
- CEO and/or CFO fired (see Xoom, FACC AG, SS&C Technologies Holdings)
- Lawsuits Filed (see Seagate, SS&C Technologies Holdings again)
- Intangibles including loss of trust, tarnished reputation, etc.
Don’t be a victim! Talk to BrightWire Networks today about getting KnowBe4 Security Awareness training for your team.