What Can Your Company Do to Fight CEO Fraud (Hint: Encrypt Your Emails)

With the current world-wide coronavirus pandemic, more people are working from outside the safety of their usual secure corporate networks. This opens your company up to a whole slew of new hacks and security concerns. Fortunately, there are options when it comes to locking down access to your proprietary data and internal systems.

Business email compromise (BEC) is one of the most prevalent types of attacks out there, and its frequency is on the rise with people working from their less-than-secure home Wi-Fi networks. BEC is a big concern for businesses of any size, and as long as you use email for communication, your organization is vulnerable. How costly these attacks are will vary widely, but the FBI estimates BEC has cost businesses $26 billion over just the last 3 years.

Add to that statistic the fact that 91% of all cyberattacks begin with an e-mail phishing scam, and you begin to see that securing email communication should be a priority. But with your teams being dispersed, how do you secure your data from one of the most dangerous forms of BEC attack, CEO fraud?

What Is CEO Fraud?

CEO fraud is a type of phishing attack where the scammer impersonates the CEO or another executive of their target company for the purposes of obtaining money or information. The hacker is usually after a wire transfer of cash into an account they own, confidential company data, or personally identifiable information (PII) for tax fraud or identity theft.

There are two primary methods used for a CEO fraud attack: name spoofing, or email account spoofing. In name spoofing, the hacker will send an email with the executive’s name on it, but the email address will take the form of a made-up personal account. For example, companyCEOname@gmail.com. The hacker is presuming that if the target sees the name of a powerful person within the company they won’t ask too many questions.

Email spoofing is more advanced, with the hacker sending the phishing email seemingly from within the company network. The address will appear to be the true work email account of the executive, from the official company domain server. This could mean the hacker was either able to compromise this account, or it could mean that they’re using spoofing tools to make it look as though the email is legitimate.

Both of these attack types require advanced use of social engineering to go undetected long enough to reap rewards. The scammer will start by researching their target company’s website, looking for executive’s names, the format of company email accounts (first letter of first name-last name@companydomain.com, e.g.), and some possible targets within the company to direct their spear-phishing emails to.

What Do CEO Fraud Attacks Look Like?

The FBI has identified five primary types of CEO fraud attacks:

  • Targeting companies who work with foreign suppliers, requesting a new account be used for wire transfers
  • Targeting someone in the finance dept who does wire transfers regularly, requesting money be sent on an emergency basis to a particular account
  • Targeting PII of executives for tax fraud
  • Targeting employee data (identity theft)
  • Targeting access to internal systems, databases, etc.

After they’ve done their research on the company, they might call in impersonating someone legitimately looking for contact information for an executive. For example, they could claim to be an attorney representing a company known to be working with the target company, for instance on a merger or similar deal. They’ll use this as their way in because, during big deals, money transfers are not unusual, so there's a good chance that there will be someone in finance who won’t ask questions.

The next step will be to email their targeted employee with a request for a wire transfer or other specified information, under the guise of an emergency of some sort. They’ll play on the research they did and connect the request to a deal that they know is underway, or a project with a looming deadline, or something similar that either won’t raise eyebrows or lead to unnecessary questions from the employee, or will get them in such a hurry that they won’t stop and think about the authenticity of the message.

There are any number of techniques and strategies that attackers use, from selecting the right person to crafting the right excuse for the slightly-strange nature of the request. Often, the hacker aims their attack at someone who has signing authority, but who might not be privy to everything that happens in the C-suite. They’ll either tell this person that they need an emergency transfer in order to move a deal closer to closing, or they may simply say they’ve had to change accounts due to fraud and request a test transfer to be sure the new account is working. In both cases, the account used will belong to the hacker and they’ll likely close it immediately after withdrawing the cash, making these attacks quite difficult to trace.

If they’re after PII, they might target HR specifically. They’ll start by telling them that the executive’s accountant needs this information to help with an audit or another similar situation that sounds important enough to bypass any questions that may come up. This might not sound like something your employees would fall for, but if the email address looks right and the request seems plausible who’s going to risk annoying the CEO?

Primary Methods of Combating CEO Fraud

As with any form of network intrusion or hack, there is a set of best practices any company should be following in order to limit the likelihood of these attacks. Most companies use a combination of different tools and best practices, but it’s often difficult to tell what the right option is for optimizing both message protection and ROI.

User training

Of course, your first line of defense is a well-trained user base. By running trainings and providing information on the subject, you can raise employee awareness and teach them what to watch out for when it comes to BEC in general and CEO fraud in particular. When a random employee in HR receives an email directly from the CEO, they need to know what’s a red flag and what isn’t.

Beyond ensuring your employees are trained to listen to their intuition and are on the watch for phone calls or emails that just don’t feel right, you need to drill into them that any and all suspicious communication needs to be reported to IT and/or InfoSec (if you have both). Cybersecurity is a mindset as well as a toolset, and it falls on management to be certain this mindset is adopted by everyone within the organization. This is particularly true now when employees can’t simply turn around and ask you a question about a strange email. That said, to err is human--no amount of training can completely eliminate the chance of a slipup under unusual circumstances and the percentages of failure in ‘simulated attacks’ remain usually  frustratingly high despite the large training efforts undertaken.

AI-enabled analysis engines

These cybersecurity algorithms parse incoming emails looking for variations in known patterns of speech, grammar, etc. Pattern recognition is what algorithms do best, so training them to know your executives’ tone and use of slang is another step you can take to weed out fake emails. When the tone or word choice in an email purporting to be from the CEO doesn’t match records, the analysis solution will kick out a warning to IT and the user to raise those red flags that their intuition may have missed. This kind of solution can be nifty, but they’re often costly and difficult to install, and they may interfere with employees’ attempts to take care of daily business via email. Another vexing issue with these algorithms, filters and black/grey-lists are the number of false positives.

Encryption to solve CEO Fraud?

Unlike the complex tools we alluded to above, email encryption – as unlikely as it may initially sound – can significantly reduce your CEO Fraud risk and doesn’t have to be expensive or unwieldy. In this way, encryption provides confidentiality (no one can read your emails except the intended recipient), integrity (no one can alter your emails), and authenticity (no one can impersonate you via email). This means that even a savvy hacker who fakes your CEO’s email address and gets her signature and tone exactly right won’t be able to fool anyone anymore. Rather than leaving things up to users’ gut feelings or to your faith in black-box AI processes, this provides a clear accounting of which emails are legitimate and which aren’t.

Historically, the only issue here has been that encryption key management on an enterprise level can be difficult to do. Admins lose track of where keys are stored and their expiry dates, and users find ways of avoiding the clunky encrypted email interfaces they’ve been saddled with--leaving them vulnerable to fraud all over again. Luckily, all of that changes when you automate the process.  

How Automated End-to-End Email Encryption Cuts Out CEO Fraud

CEO fraud attacks are precisely what an end-to-end email encryption solution is designed to eliminate. A user of an email system protected by p≡p sees a clear colored indicator next to each and every email in their inbox that tells them the security status of that message.

  • No color — Unsecure: the message is not encrypted or the encryption is sub-standard
  • Yellow — Secure: the message is properly encrypted
  • Green — Secure & Trusted: the message is properly encrypted and from a trusted party
  • Red — Mistrusted: the message is flagged as fake for a number of reasons

All accounts within the company domain are automatically granted «Secure & Trusted» (green) privacy status. Otherwise, that message will have a colorless indicator light, or a red one if the message has been compromised. No need to take care of any key infrastructure or key renewal. Every step is automated and the user doesn't even know he has a key.

Because the solution is invisible to the end user, they have no reason to do anything differently at all. From the admin side, things are just as easy: installation is quick and painless, and p≡p automates key management entirely. 

This system gives employees a fast way to verify the validity of any company email they receive. Any email that appears to be from within the company, yet is not labeled green can be considered an attack and brought to IT’s attention immediately. This renders all the hacker’s hard work and research useless. Hackers can impersonate a CEO, but there’s no way for them to impersonate an encryption key that they don’t have.

This protection can of course be extended to customers and suppliers, and the pEp system will automatically start encrypting without user intervention with all those customers and suppliers, that have encryption capabilities.