It starts off with a simple email – usually along the lines of “Can you do a wire transfer?” – sent from the CEO to the CFO or controller. The email looks okay since the grammar and spelling are correct and it is signed by the CEO of the organization. But the email isn’t okay: it’s a scam. Once replied to, it will lead to further messages from the “CEO,” with the end result being a request to wire money.
“CEO Fraud,” as it is called, has become one of the fastest growing Internet scams in recent memory. According to an FBI report, American companies lost almost $750 million to these scams between October 2013 and August 2015. Internationally, it is believed that over $1 billion has been lost.
So how does it work? The attackers, through a variety of methods, learn the structure of an organization. This can be done by reviewing websites or through phishing attacks targeting the CEO or other high-ranking officials. With this information, the attacker will typically set up a look-alike domain name – say, replacing an “l” with a “1” or a “y” with a “v”. When only a single character is replaced, the email address looks “normal” at a quick glance.
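One defensive check that follows directly from the look-alike domain trick described above is to compare every inbound sender's domain against the organization's known domains and flag near matches before the message ever reaches the CFO. The script below is an added example and is not code from the original post; the trusted domain list, the confusable-character table and the sample sender addresses are all constructed for illustration.

```python
"""Flag sender domains that are one character away from a trusted domain.

Added example, not from the original post. TRUSTED_DOMAINS, CONFUSABLES and
SAMPLE_SENDERS are constructed values for illustration only.
"""

# Domains the organization actually sends mail from (constructed sample).
TRUSTED_DOMAINS = {"example.com"}

# Single characters that read as another character at a quick glance.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "|": "l"})

# Two-character sequences that mimic one character in proportional fonts.
PAIR_CONFUSABLES = {"rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Collapse confusable characters so visually similar domains compare equal."""
    domain = domain.lower()
    for pair, single in PAIR_CONFUSABLES.items():
        domain = domain.replace(pair, single)
    return domain.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted: set[str] = TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'unknown', 'malformed' or a 'lookalike of ...' reason."""
    if "@" not in address:
        return "malformed"
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted"
    for known in trusted:
        # Catches examp1e.com and exarnple.com, which edit distance alone
        # would miss for the rn->m case (that is two edits, not one).
        if normalize(domain) == normalize(known):
            return f"lookalike of {known} (confusable characters)"
        # Catches plain single-character typos and swaps such as y->v.
        if edit_distance(domain, known) <= 1:
            return f"lookalike of {known} (edit distance 1)"
    return "unknown"


# Constructed sample senders, as they might appear in a mail gateway log.
SAMPLE_SENDERS = [
    "ceo@example.com",        # genuine
    "ceo@examp1e.com",        # digit one for letter l
    "ceo@exarnple.com",       # r+n for m
    "ceo@exampie.com",        # i for l
    "billing@vendor-invoices.net",  # unrelated third party
]


def scan_senders(senders=SAMPLE_SENDERS) -> dict[str, str]:
    """Classify every sender and return {address: verdict}."""
    return {addr: classify_sender(addr) for addr in senders}


if __name__ == "__main__":
    for addr, verdict in scan_senders().items():
        print(f"{addr:32} {verdict}")
```

Only near matches to the organization's own domains are flagged, so an unrelated domain that happens to contain "rn" is reported as unknown rather than as a look-alike; in a real gateway the "lookalike" verdict would route the message to quarantine or add a visible banner rather than block it outright.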
The initial email looks legitimate and as such doesn’t trigger your normal antispam protection mechanisms. Once you start the dialog it can seem just like a normal conversation – and that is the entire point. Unlike the old Nigerian email scams of the past, there may not be obvious triggers to tell you that this is not a legitimate conversation.
I was going over this threat in a recent presentation to small business owners and I was shocked at how many people had received these types of emails. I counted almost 20% of the crowd as having experienced this issue. When I asked them how they knew it was fake, they all said the same thing. It was the subtle details – such as the CEO signing the email with their full name instead of just their first name. Or words and phrases were used that they would not normally use.
So how do you protect yourself? Always double check with the sender – but not by email. Call them, text them, or walk over to their desk. If email is the only option, ask a question that only that person would know the answer to. In the end, a healthy dose of paranoia is what we all need to stay safe online.