Confidence-based CEO fraud has been around for decades, maybe even centuries, so why is it a new headline?
Recent headlines covering the perhaps erroneously named ‘cyber-attacks’ on Meath County Council and Ryanair might suggest that these are some form of sophisticated cyber-attack. However, the reality is that these are simply a very old fraud scheme being perpetrated using modern means.
When we look at how such a fraud is carried out, it’s far more about confidence scams (or so-called ‘social engineering’) than it is about technology-based attacks. This is further evidenced by the fact that key prevention methods lie in awareness and financial controls, rather than in technical controls.
What has changed is the speed and ease with which these frauds can be carried out. Fraudsters now have easy access to social media and other online tools such as Google and LinkedIn/Facebook to research a prospective target, as well as forged email senders as a means of delivery. This helps make the scam more convincing and believable without the fraudster having to step away from their keyboard.
One might argue that the misclassification of these attacks as purely cyber-attacks might lead to mismanagement of the risk.
At the centre of a CEO fraud scam is the premise that the fraudster convinces someone in the organisation to use their legitimate authority and fund transfer system to send money to an account under the fraudster’s control. It’s vital to understand that this is neither a compromise of the facilitating bank nor the victim’s computer, rather it is a compromise of the victim themselves.
In the past, fraudsters used the technology available at the time (letters, fax and telephone). It sometimes involved in-person aspects, for example with the fraudster pretending to be a supplier. The fraudsters are only bound by their imagination, ingenuity and sheer brass-necked boldness.
The attack itself is simple: convince the victim that they need to create a new beneficiary and send money to that account. Again, any ruse will do. CEO Fraud is based on the premise that someone pretending to be the CEO (or someone similarly in authority) makes an urgent demand/request for money to be transferred. It’s often urgent (such as Christmas week!) and the CEO is somehow unavailable to be contacted in person to validate the request. The accounts payable employee (naturally wishing to oblige the CEO) does what they are told and sends the money. By the time it’s discovered (maybe only when checking bank statements at month end), the money has been efficiently laundered through a series of international bank accounts and is long gone. Whether it’s completed online or by walking over to the branch is simply the transfer method.
Other variants include invoice re-direction whereby a ‘supplier’ instructs the organisation to change the bank account to which their regular and legitimate payment is to be sent. This is usually detected when the legitimate supplier chases the unpaid invoices months later only to enter into an argument about who told whom to change the bank account details.
It’s no surprise that these fraudsters have taken to cyber-space and the efficiencies and risk reduction it brings for them.
The first benefit is at the reconnaissance stage, whereby the fraudster profiles their victim. They now have your company website to learn about your CEO, CFO, etc. They can check LinkedIn and/or telephone to find out who is responsible for processing payments, and they can check Facebook to learn when key authorisers are on holidays, leaving their backup as the victim. This would have taken a lot longer and required face-to-face interaction before these avenues were available.
The next advantage is that it’s easy to spoof the sender of an email, and a spoofed email can be much more convincing. Fraudsters may use a free email account like Gmail, Hotmail, etc. and just put a different display name on it so it looks like it’s from the CEO. This is relatively easy to spot by looking at the underlying email address. We’ve also seen attackers register a domain name that is very close to the organisation’s (e.g. @domain.com becomes @doma1n.com), which can be easily overlooked by someone confronted with an urgent request from someone in authority.
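The two tells described above, an executive’s display name on an unrelated address and a registered look-alike domain, can be checked mechanically before a payment request is acted on. The following is an added example and not code from the original article; the trusted domain, the known-sender table and the sample headers are constructed for illustration, and the check deliberately returns nothing for mail from the genuine domain, since a compromised legitimate account cannot be distinguished this way.

```python
from email.utils import parseaddr

# Constructed values for this example; substitute the organisation's own.
TRUSTED_DOMAIN = "example-corp.com"
# Display names the finance team would expect, mapped to the real mailbox.
KNOWN_SENDERS = {"jane ceo": "jane.ceo@example-corp.com"}

# Characters commonly substituted when registering a look-alike domain
# (e.g. @domain.com becoming @doma1n.com).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def normalise(domain):
    """Fold common look-alike substitutions so doma1n.com compares equal to domain.com."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-character variants like .co for .com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_from_header(from_header):
    """Return a list of warnings for a From: header; an empty list means no red flag found."""
    name, addr = parseaddr(from_header)
    name = name.strip().lower()
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    warnings = []
    if domain == TRUSTED_DOMAIN:
        return warnings  # genuine domain: an account takeover is not detectable from the header
    if name in KNOWN_SENDERS:
        # Display name of a known executive but the underlying address is not theirs.
        warnings.append(f"display name '{name}' matches an executive but address is {addr}")
    if domain and (normalise(domain) == normalise(TRUSTED_DOMAIN)
                   or edit_distance(domain, TRUSTED_DOMAIN) <= 1):
        warnings.append(f"domain {domain} is a look-alike of {TRUSTED_DOMAIN}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers illustrating the three cases in the article.
    for hdr in ("Jane CEO <jane.ceo@example-corp.com>",
                "Jane CEO <jane.ceo.urgent@gmail.com>",
                "Jane CEO <jane.ceo@examp1e-corp.com>"):
        print(hdr, "->", assess_from_header(hdr) or "no red flag")
```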
In a few cases we’ve seen the attackers gain control of the CEO’s enterprise email account directly, giving them full use of the account and access to its contents. In these cases the email does actually come from the legitimate account, so it is impossible to tell it is faked from a purely technical perspective. These are rare, as they do involve a level of sophistication (unless the CEO leaves their password on a post-it at a conference!).
Another example is where the fraudster calls the accounts team claiming to be from their bank, typically claiming that there is a suspicious transaction on the account (to generate urgency) which needs to be stopped. Through a series of social engineering techniques they manage to get the access codes to log in to the organisation’s online banking, set up a new beneficiary and commit a transaction. This is not a compromise of the bank’s online banking platform; it’s simply a case of the employee giving the fraudster the keys to do whatever they like with it.
We haven’t gone into detail on how fraudsters create/obtain mule accounts and the sometimes complex operation of tracing, freezing and eventually recovering funds (if you’re quick enough to catch them), as this is an area best left to law enforcement working closely with your bank, who, as you’ll now understand, have been dealing with similar cases for a very long time.
As with any risk facing an organisation, the first step is identifying that the risk exists, quickly followed by understanding the risk and how it might impact your organisation. In the cybersecurity arena this is typically known as Cyber Threat Intelligence. Although it’s arguable that CEO Fraud (or its many variants) is not a cyber risk but a fraud risk, the same principles can be effectively applied to manage it. This starts by understanding what you have that the bad guys want – access to transfer money.
The next step is to understand how they might go about attacking you – see descriptions above. Armed with this information, set about protecting what matters most across your people, processes and technology:
These are a few ‘top tips’ for defence; however, every organisation is different, requiring tailored defences based on its set-up and its risk appetite. The transfer limit allowed before a second authoriser is required is a good example of something which will need to be agreed. The most important step is to recognise that, just like other risks, these need to be regularly assessed and defences adjusted based on current risks.
As with all fraud schemes or cyber-attacks, if it hasn’t happened already, one will get through. Remember that as an organisation you have to be lucky every time with your defence, whereas the bad guys only have to get lucky once. Given this new reality, businesses need to focus on being prepared for when the worst happens.
It’s simply a case of asking yourself what you would do if it happened to you, and then preparing accordingly. This means having a crisis management team that follows a documented plan, in which they have been trained and regularly tested. This plan will include everything from what you might communicate to the media, regulators, your customers, etc. through to who you are going to call to help investigate (your bank, law enforcement and forensic specialists).
All businesses are now in an arms race against traditional fraudsters turned cyber-criminals. This is just another risk which must and can be easily managed. The key is to put in place the right balance of defensive, detection and responsive measures to protect your business before it happens.
Whether we call CEO Fraud a sophisticated cyber-attack or simply plain old fraud is really just a matter of opinion. It’s what we do to stop it that counts.