According to a 2023 report by cybersecurity firm Fortra, Business Email Compromise (BEC) contributed 99% of all cyber threats reported. In these attacks, hackers used artificial intelligence (AI) to target businesses rather than specific individuals with phishing attacks.
For starters, Business Email Compromise is a type of phishing where hackers pose as company executives and coerce employees into transferring funds or releasing company data.
CEO fraud, a major type of BEC attack, is gaining momentum, so it is worth understanding how criminals carry it out and how to avoid it.
Defining CEO fraud
CEO fraud is an impersonation tactic where a hacker creates a false identity that resembles that of a company executive at senior level.
With this identity, the hacker communicates with the company’s employees to request money transfers or sensitive business data. Emails are the most common medium for CEO fraud attacks, but hackers can also fake a CEO’s voice using generative AI.
The Federal Bureau of Investigation (FBI) outlines five versions of CEO fraud:
- A fake supplier or vendor requests a wire transfer for an invoice, and the funds go to a fraudulent account.
- A company executive’s email is compromised and used to request funds from an employee, e.g., a fake Chief Financial Officer (CFO) emailing an accountant.
- An employee’s work email is compromised, giving hackers access to vendors on their contact list. Hackers then send fake invoice requests to multiple vendors via the employee’s account.
- A fake lawyer contacts an employee during close of business (COB), pressuring the employee for fund transfers before the business day runs out.
- A fake CEO requests business documents like Wage and Tax Statement (W-2) forms or Personally Identifiable Information (PII) during tax season. The hacker then uses this information to target employees with phishing attacks.
How CEO fraud works — methods
Scammers are using the following methods to target businesses with CEO fraud.
1. Email spoofing
In cybersecurity terms, email spoofing means sending an email using a fake sender address. Scammers modify the name and email address of a manager or business executive.
For example, the genuine sender’s email may be “firstname.lastname@example.org” but the spoofed email may be “email@example.com” or “firstname.lastname@example.org”. Then, the scammers use an email layout or design that matches the corporate look. These slight changes are easy to overlook, and victims accept the fake emails as genuine.
2. Email account takeover
An email account takeover is a cyber threat technique where hackers gain access to legitimate email accounts. It is part of the wider account takeover scheme.
Scammers can use bots, malware, or software vulnerabilities to obtain these email accounts and their passwords. There are also compromised corporate accounts that hackers can purchase on the dark web, costing between $2 and $30 per address.
Once hackers have access to these accounts, they can easily impersonate managers and executives and lure employees into their scams.
Unfortunately, an email account takeover can lead to a deep distrust from employees about their leadership. A hijacked CEO email scam only shows employees that they are as vulnerable as their leaders. This type of reputational damage can hurt employee morale.
3. Impersonating virtual conferences
This newer version of CEO fraud was reported by the FBI in February 2022. The FBI indicated that hackers were using virtual meeting platforms like Zoom to conduct CEO fraud. There are three versions of this tactic:
- A hacker combines a fake photo and a fake audio track of the CEO or CFO. Since the image does not move on screen, the audio typically claims that the video connection is not working properly. The hacker then proceeds to ask for funds via the platform using the fake executive’s voice.
- A hacker uses a fake employee email address to join virtual meetings. They then collect information about the company’s everyday operations to use for phishing attacks.
- A fake CEO contacts an employee claiming they are busy in a virtual meeting and cannot transfer urgent funds themselves. The hacker instructs the employee to transfer funds on their behalf.
There are increasing complaints about this technique, particularly because of remote and hybrid workplaces. Since videoconferencing has become a popular method of conducting business meetings, scammers have more opportunities to infiltrate a company through fake profiles.
4. Use of deepfakes
A deepfake is a type of manipulated image, audio, or video content that is created using artificial intelligence (AI) and machine learning (ML) technology. The created deepfake is then used to imitate a real person, making them act in ways that they never did in real life. Cybercriminals are using deepfakes to impersonate CEOs and other business leaders for fraud.
Scammers can fake an executive’s voice to convince victims to redirect funds or release sensitive data. Since deepfake technologies are advancing rapidly, they could become almost impossible to detect. This means that even more businesses may be at risk if scammers can manipulate the images and voices of C-suite leaders.
The main targets of CEO fraud
While nobody is safe from a CEO fraud attack, some employees are targeted by hackers more often than others. This is because these employees handle sensitive information and financial transactions on behalf of the business.
These are the top departments that attract CEO fraud criminals:
1. IT departments
IT departments usually have the highest awareness about cybercrime in an organization. They hold the keys to a company’s networking and data management systems, which are extremely appealing to cybercriminals.
Hackers regularly target IT employees with sophisticated emails that can evade detection. If a single email got through the IT department, the entire business would be at serious risk.
2. Finance departments
Any employee who has the authority to transact for an organization is a potential target for CEO fraud. Companies that have multiple business accounts or make regular wire transfer payments are lucrative targets.
Scammers can create invoices that appear as legitimate as possible. They may also pretend to be the CFO and send these invoices to the finance or accounting department.
Sometimes, they can pose as the CEO and target the CFO and other top finance employees. For this, we advise that you have the most up-to-date internal policies surrounding transactions.
3. HR departments
The human resource department holds critical employee information, which is attractive to hackers.
This information includes details of current and former employees, as well as candidates who have applied to work at the company. Since these documents contain sensitive personal data, hackers could exploit them to cast a wider net for victims.
A cybercriminal could pose as an HR manager requesting an employee database, or target job applicants with phishing attacks. If HR data is breached, the company could face both financial losses and reputational damage.
4. C-suite executives
Cybercriminals can also target the highest executives in an organization, including:
- Chief Executive Officer (CEO)
- Chief Technology Officer (CTO)
- Chief Financial Officer (CFO)
- Chief Marketing Officer (CMO)
- Chief Operating Officer (COO)
- Chief Information Officer (CIO)
These managers are in charge of everyday operations and drive the business forward. They are valuable targets for cybercriminals for three main reasons:
- C-suite executives live very busy lifestyles, so they may not question or scrutinize a well-crafted phishing email.
- They have access to critical business data, e.g., financial records, employee information, trade secrets, etc., which are all valuable to a hacker.
- Employees trust communications from C-level managers, so they are likely to fall for a scam if an email appears to come from their leaders.
This is why C-level leaders need greater awareness of the threat at hand. If you belong to this group of leaders, your personal and professional information can be used maliciously to trigger unauthorized payments or steal employee data for further phishing scams.
How to recognize CEO fraud attacks
The CEO fraud cases above have similar features that companies need to be aware of. Look out for these warning signs:
1. A wire transfer request
Most CEO fraud attempts contain a request to send money, usually to unfamiliar or unusual accounts that a company has not dealt with before.
These accounts are carefully chosen to avoid raising immediate suspicion, often appearing plausible at first glance.
2. A sense of urgency
CEO fraud communications, whether via email or voice, always include a time limit. Scammers can use threatening language to rush the victim into acting quickly without question.
This element of urgency is a key component of the psychological manipulation used in these fraudulent schemes.
3. Unusual business hours
CEO fraud scams are often deployed at the end of the business day or outside normal working hours. This minimizes the chances of verifying the money transfer request and increases its urgency.
This is a time when employees are more likely to be fatigued or less vigilant. The rush to conclude tasks before closing hours can lead to a diminished capacity for critical thinking and thorough verification.
4. A sense of secrecy
Scammers have a tendency to request their victims to keep the transactions confidential. This prevents the victims from consulting with colleagues or other managers for verification.
Confidentiality serves as a double-edged tool for scammers. First, it heightens the urgency and pressure on the victim. The directive to keep the transaction hush-hush creates an atmosphere of discretion.
The victim feels compelled to act swiftly without seeking external validation. Second, it limits the likelihood of the victim discovering the fraudulent nature of the request through collaboration with others. Isolating the victim from potential sources of skepticism or advice increases the chances of the fraudulent transaction going unquestioned.
5. Unavailable executives
Scammers impersonating CEOs often claim that they are otherwise occupied, therefore they cannot transfer the funds themselves. They may be on a business trip, an urgent video call, or any other scenario that sounds legitimate to the victim.
The victim, believing that the CEO is in a time-sensitive situation, may be more likely to bypass usual verification processes and expedite the fund transfer.
6. Mismatch in sender addresses
CEO fraud scammers use fake email addresses, both personal and corporate. Any slight variation in the CEO’s contact information is a red flag.
Scammers hope that in the haste of the moment, the victim may overlook subtle discrepancies.
How to prevent CEO fraud attacks
Since CEO fraud attacks are becoming more frequent and sophisticated, you need to add further safeguards to your cybersecurity policies.
These are the best ways to prevent CEO fraud:
1. Security awareness training
All employees need cybersecurity awareness training to spot CEO fraud as early as possible, e.g., identifying and reporting spoofed emails and unusual financial requests.
This training should empower employees to approach their work with a heightened sense of skepticism. They should not overlook potential red flags and must report any suspicious activity to the appropriate channels.
Consider running simulations of CEO fraud attacks at least once a month to heighten awareness among employees.
2. Email security protocols
Implement protocols like DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). These allow receiving mail servers to automatically detect and flag spoofed emails that claim to come from your domain.
DKIM lets receivers verify that a message was sent by the domain it claims, by adding a digital signature to outgoing emails that is checked against a public key published in DNS. DMARC builds on DKIM (and on SPF) by publishing a policy that tells receivers how to handle mail whose visible sender domain is not backed by a passing, aligned signature: monitor only, quarantine, or reject. A DMARC record set to monitor only (p=none) still lets spoofed mail through, so the policy must be moved to enforcement.
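To show what the DMARC policy framework decides once a receiver has its DKIM and SPF results, here is an added example that is not part of the original article. It parses a DMARC TXT record, applies strict or relaxed alignment against the visible From: domain, returns the disposition, and flags a monitoring-only record next to an enforcing one. It assumes the receiver has already performed the actual SPF and DKIM verification (the results are passed in as tuples), and it approximates the organizational domain as the last two labels instead of using the public suffix list.

```python
from email.utils import parseaddr

def parse_dmarc(txt):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # Relaxed alignment and pct=100 are the defaults when the tags are absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real receivers
    # use the public suffix list; this shortcut is wrong for domains like example.co.uk.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_header, dkim=None, spf=None):
    """dkim/spf: (authenticated domain, result) tuples from the receiver's own checks."""
    tags = parse_dmarc(record)
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    dkim_ok = bool(dkim) and dkim[1] == "pass" and aligned(dkim[0], from_domain, tags["adkim"])
    spf_ok = bool(spf) and spf[1] == "pass" and aligned(spf[0], from_domain, tags["aspf"])
    if dkim_ok or spf_ok:
        return "pass", "none"          # DMARC passes; no policy action applies
    return "fail", tags.get("p", "none")  # DMARC fails; the p= policy decides what happens

def weak_settings(record):
    """Flag settings under which a spoofed executive email would still be delivered."""
    tags = parse_dmarc(record)
    issues = []
    if tags.get("p", "none") == "none":
        issues.append("p=none: failures are only reported, spoofed mail is still delivered")
    if tags["pct"] != "100":
        issues.append(f"pct={tags['pct']}: policy is applied to only part of the failing mail")
    if "rua" not in tags:
        issues.append("no rua tag: aggregate reports are not collected, so abuse goes unseen")
    return issues

# Constructed records: a monitoring-only policy next to an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.org"
```

With the strong record, a message signed by an unrelated domain is rejected even if its From: header shows the CEO's address; with the weak record the same message is delivered and merely reported.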
3. Strict verification processes
All fund transfers should be verified through official channels or face-to-face communication, using a phone number or contact that is already on file rather than one supplied in the request itself. Clearly outline the procedures for transferring money and train employees on how to handle such requests.
4. Vendor monitoring
Invest resources into vendor risk management. This will make it easy to spot scammers if they impersonate the CEOs of your vendors, suppliers, or business partners.
A comprehensive vendor risk management program involves regular assessments, due diligence, and ongoing monitoring of cybersecurity measures.
5. Operational security (OPSEC)
Implement OPSEC practices to prevent CEOs and other employees from sharing information online that scammers may exploit, e.g., travel plans, home addresses, private events, etc.
With OPSEC, employees become more conscious of the information they disclose. This then reduces the likelihood of scammers gathering relevant details to craft convincing impersonation attempts.
6. Response planning
Create a recovery plan in case C-suite executives are targeted or impersonated in CEO fraud scams. This can help to detect suspicious communications and shut down an attack before it harms the organization.
Popular cases of CEO fraud
CEO fraud attacks can affect any business of any size, as long as business executives are known to scammers. However, some cases of CEO fraud have stood out and made the news over recent years.
Here are some examples:
1. British energy firm targeted in 2019
This was the first notable incident of CEO fraud using AI voice technology. In March 2019, scammers cloned the voice of a German energy firm’s CEO using readily available voice generation software. The cloned voice was used to target the company’s UK division. In a fake phone call, the CEO of the British division received instructions to transfer $243,000 to the German CEO through a supplier in Hungary.
Once the British CEO had sent the funds, they discovered that the funds did not appear in the German accounts. Instead, the money had gone through a Hungarian account into the cybercriminals’ accounts in Mexico and other locations. Ever since that case, cybersecurity experts have warned businesses about AI-driven CEO fraud.
2. UAE multinational targeted in 2020
Forbes discovered a CEO fraud attack that was under investigation in Dubai in the United Arab Emirates (UAE). The incident happened in early 2020. Scammers used deepfake technology to clone the voice of a director of a multinational company who was based in the UAE. They used the voice to contact a manager at the company’s branch in Japan. The fake director’s voice said that the company was making an acquisition and asked the branch manager in Japan to authorize fund transfers. The fake director also partnered with a U.S.-based lawyer named Martin Zelner to coordinate the ‘acquisition’.
To the manager in Japan, the communication between the director and the lawyer appeared legitimate. Therefore, the wire transfer was initiated and authorized. The amount was $35 million. The case came to the attention of U.S. authorities when $400,000 of those funds were traced to bank accounts in the U.S. at Centennial Bank. However, UAE authorities believed that the CEO fraud ring involved at least 17 individuals around the world.
It’s important to note that manipulating audio is much easier than creating deepfake images and video content. CEO voices can be extracted from all kinds of sources, including YouTube videos, podcasts, internal meetings, and more. Armed with AI, cybercriminals can use these voices to fool employees into carrying out the criminals’ instructions.
3. French companies targeted in 2021
A criminal network targeted two French companies using CEO fraud tactics in December 2021. The first was a metallurgy company based in north-eastern France. Scammers impersonated the CEO and contacted the company’s accountant, requesting the transfer of EUR 300,000 to a Hungarian bank. The fraud was only discovered later when the same accountant wanted to transfer EUR 500,000 on behalf of the real CEO. Investigators learned that the fake CEO’s call was made from a number registered in Israel.
At around the same time, a real estate developer in Paris was also targeted by the same criminal network. This time, they impersonated lawyers working for a famous French accounting firm. They convinced the company’s CFO to transfer funds over several days, which came to a total of nearly EUR 38 million. The funds were quickly transferred to China and other European countries through a money laundering scheme that ultimately ended in Israel.
It took a multinational team of investigators to trace and crack this CEO fraud ring. Authorities from France, Croatia, Hungary, Portugal, Spain, and Israel collaborated in a five-day operation in 2022. They arrested the group’s leader in Israel, captured eight suspects, and seized a total of EUR 5.5 million in stolen funds, electronics, and vehicles.
CEO fraud can create a rift!
The main challenge with CEO fraud is that it can easily create a rift between employers and employees that is difficult to repair.
Employees, who typically look to leadership, may feel a profound sense of betrayal when these figures are impersonated for fraudulent purposes.
The rift manifests in various ways, including heightened skepticism and a general atmosphere of suspicion within the workplace. The emotional impact is significant, and this can influence morale and collaboration.
This worrying danger calls for a proactive stance, where strict adherence to processes is an integral component that must never be circumvented.