CEO fraud has proved a successful strategy for attackers, especially through spoofed or phishing emails. The attacker impersonates a senior member of internal staff in order to trick the recipient into making a payment, disclosing login credentials or visiting a malware-laden website.
According to Intermedia’s 2017 Data Vulnerability Report, phishing attacks are on the rise and employees at all levels of the enterprise are falling victim, unwittingly granting attackers access to their organisations. Intermedia surveyed 1,000+ full-time office workers at companies of all sizes to find out how workplace behaviours affect data security. Although 86% of office workers said they felt confident in their ability to detect phishing emails, 21% of employees reported that they had fallen victim to one of these attacks. In addition, 34% of executives/owners and 25% of IT workers themselves reported being victims of a phishing email, more often than any other group of office workers.
As phishing evolves and becomes increasingly sophisticated, more and more employees will be fooled into revealing critical company data. Organisations must continue to develop appropriate training and awareness programmes for their teams. In the meantime, what should you look out for?
Attackers may contact you from outside your company’s email system, they may use stolen usernames and passwords to send from your OWN internal email system, or they may compromise one of your suppliers and send you forged emails from there.
From ‘inside’ the company
Phishing emails are sent to company employees claiming, for example, that their email service is about to be terminated, that their password has expired or that their mailbox is full, and inviting them to log in to rectify the problem. The phishing email contains a link to a fake email login page. When staff enter their username and password into the fake page, the details are passed directly to the attacker, who can then log in to your REAL email system through a web page and read your email. Because the attacker is now writing from a genuine company mailbox, they can carefully reply to internal staff or to your clients, asking that payments be made or re-sent to a new bank account.
From outside the company
Attackers work through a list of email addresses and check the associated corporate website to find the name of a director. They set up a Gmail or similar free email account, using that director’s name as the display name, and email appropriate staff, often claiming to be about a highly confidential acquisition and asking for funds to be transferred to a bank account.
There have also been cases of fraud where a supplier to your business has been hacked or impersonated in the way described above. The attacker reads the supplier’s emails and replies to your business, telling you that a recent bank account change means you need to re-send payments to a new account. The attacker may subsequently claim not to have received the payment and ask you to re-send it several times. Because the attacker is using the supplier’s real email system, the message genuinely comes from the supplier’s servers and passes every technical check, so email filtering technology alone cannot spot it. In this scenario you are the victim and are left out of pocket; the supplier is not liable even though it was their computer system that was compromised.
To prevent this from occurring, put policies in place so that any payment to a new bank account, or any change to a supplier’s bank account details, must be verified by another means:
- If a payment request or change of details is made by phone, call back on a number you already hold for that client or supplier, or email them directly at their known address.
- If a payment request or change of details is made by email, call back on a known number to verify the request. Never use a phone number quoted in the email itself, as the attacker will answer it.
- Check the SWIFT/BIC, IBAN or sort code online to see whether the bank and its location are what you would expect for that supplier.
- Click reply on the email, but do not send it: is the reply address what you would expect to see on legitimate internal correspondence? A Reply-To address that differs from the visible sender is a warning sign.
- Limit access to payment systems to as few trusted staff as possible.
There is no one ‘magic bullet’ to prevent CEO fraud or phishing attacks. However, there are a series of measures you can take that may reduce your vulnerability:
- Make the information contained in this article available to all at your company, to raise their awareness of the need to undertake additional verification on payments to new bank accounts.
- Your IT or data security service provider may be able to take additional action:
- Put a rule in place on your email system so that all inbound emails from outside the company have ‘External’ prefixed to the subject. This, coupled with some general advice to all at your company, may prime staff to be extra cautious of emails that originate from outside your office.
- Add DNS/website filtering technology, which learns about fake email login pages as they are reported and blocks access to some of them.
- Add additional email filtering technology, which may spot some inbound emails claiming to be from your email service provider.
- Disable webmail access to mailboxes where it is not needed, to prevent remote attackers from logging in once they obtain credentials.
- Enable two-factor authentication on your email so that remote webmail access requires a username and password AND a code from a text message sent to your phone. Depending on how it is configured, this extra code may not be required to open your mailbox on your own mobile phone or computer; any login route that skips the code (legacy IMAP/POP/SMTP logins, for example) should be disabled, otherwise a stolen password still works through that route.
- Enforce unique passwords and reset them promptly after any suspected compromise. Password expiry encourages different passwords to be used over time, but once an attacker has one email password they will try it on other mailboxes at your company within hours, long before a scheduled expiry.
Intermedia’s 2017 Data Vulnerability Report found that 14 percent of respondents either don’t know what phishing is or aren’t confident in their ability to identify a phishing email. Companies must inform their teams of the danger, ensure appropriate policies are in place and take the necessary action to increase their security measures.
If you would like more information on how to protect your employees and your organisation from CEO Fraud – get in touch!
Manx Technology Group provides IT and data security services. Our expert teams have many years’ experience working across various sectors and environments and can help identify the right combination of services and technologies to protect your employees and your organisation.