
CEO fraud: what is it and how can you prevent it?

CEO fraud is a form of phishing that's becoming increasingly common. It is important to know what it is, how to recognise it and how to protect against it as an organisation.

18 Jul

1. What is CEO fraud?

CEO fraud is often also called "whaling", although strictly speaking whaling is phishing aimed at executives, whereas CEO fraud impersonates them. It is a form of phishing in which fraudsters pose as people in high positions within an organisation, such as the CEO or CFO. Their aim is to trick employees into releasing sensitive information or transferring money to an account the fraudster controls. This is usually done through e-mails that appear to come from the CEO.

CEO fraud as part of Business Email Compromise

In Business Email Compromise (BEC), criminals impersonate a known e-mail contact of the organisation or of its employees. This could be someone in the IT department, an HR manager, a supplier or the CEO. Business Email Compromise also covers payroll fraud, invoice fraud and vendor fraud; CEO fraud is one variant of it.

2. Why is CEO fraud dangerous?

CEO fraudsters are well prepared and use confidentiality and urgency to pressure victims. Their e-mails are often barely distinguishable from the real thing, especially when they have gained access to an executive's actual mailbox, in which case the sender address is genuine. These attacks can lead to significant financial losses and reputational damage for companies.


3. How to recognise CEO fraud?

Here are some tips to recognise CEO fraud:

  • Check the e-mail address, not just the display name. In some cases of CEO fraud the CEO's mailbox has been compromised, and the address is then genuine. In other cases criminals use an address that looks similar to the real one: a doubled or swapped letter, "rn" instead of "m", a different top-level domain, or a free webmail address with the executive's name as the display name. Also look at the Reply-To address, which may differ from the From address.
  • Emphasis on confidentiality: The task should be kept confidential. This minimises the involvement of colleagues.
  • The chosen one: You are important and only you can do this task.
  • Urgent request: Cybercriminals often create a sense of urgency. They play on the recipient's feeling/emotion.
  • Only reachable by e-mail: Communication can only take place by e-mail. Telephone calls are avoided with excuses such as important meetings, travel or personal circumstances.
  • Check the account number: Compare the account number against the details already on file. A request to pay to a new or changed account is itself a warning sign.
  • Final check: When in doubt, always verify the request with your supervisor, CEO or CFO through a channel you already know, such as a phone number from the company directory. Never use contact details given in the e-mail itself, and never verify by replying to it.
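The checks in the list above can be partly automated. The following is an added example, not code from the original article or from Awaretrain: it runs a few heuristics (look-alike sender domain, an executive's display name on a foreign address, a mismatching Reply-To, and urgency, secrecy, payment and phone-avoidance phrases) over constructed sample e-mails. The organisation domain `example.com`, the executive mailboxes and all three messages are assumptions made up for the demo. Note that the "compromised mailbox" sample has a perfectly genuine sender address, so only the content checks fire on it, which is exactly the case the article warns about.

```python
"""Heuristic checks for CEO-fraud style e-mails (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organisation's own domain and its executives' real mailboxes.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"ceo@example.com": "Anna Jansen", "cfo@example.com": "Piet de Vries"}

URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|asap|today|right away|confidential|"
                     r"between us|do not (?:tell|mention|discuss)|don'?t tell)\b", re.I)
PAYMENT = re.compile(r"\b(transfer|wire|payment|iban|account number|invoice|gift cards?)\b", re.I)
NO_PHONE = re.compile(r"(?:can'?t|cannot|unable to) (?:take|talk|call)|in a meeting|on a plane", re.I)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small distances flag typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold common visual confusables so 'exarnple.com' collapses onto 'example.com'."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True for domains that imitate the trusted one but are not it."""
    if domain.lower() == trusted.lower():
        return False
    n, t = normalise(domain), normalise(trusted)
    return n == t or t in n or levenshtein(n, t) <= 2


def analyse(raw: str) -> list:
    """Return the list of warning signs found in one RFC 822 text message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if is_lookalike(domain):
        findings.append("lookalike-domain")
    # An executive's display name on an address that is not their real mailbox.
    if name.lower() in (n.lower() for n in EXECUTIVES.values()) and addr not in EXECUTIVES:
        findings.append("executive-name-spoof")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        findings.append("reply-to-mismatch")
    text = (msg.get("Subject", "") or "") + " " + msg.get_payload()
    if URGENCY.search(text):
        findings.append("urgency-or-secrecy")
    if PAYMENT.search(text):
        findings.append("payment-request")
    if NO_PHONE.search(text):
        findings.append("phone-avoidance")
    return findings


# Constructed sample 1: look-alike domain, spoofed executive name, foreign Reply-To.
SPOOFED = """From: Anna Jansen <anna.jansen@exarnple.com>
To: finance@example.com
Reply-To: anna.jansen@webmail-example.net
Subject: Urgent and confidential

Hi Mark, I need you to transfer EUR 48,500 today to a new supplier.
I'm in a meeting all day so can't take calls. Keep this between us.
"""

# Constructed sample 2: the CEO's real mailbox has been compromised; only content cues remain.
COMPROMISED = """From: Anna Jansen <ceo@example.com>
To: finance@example.com
Subject: Supplier payment

Please wire the attached invoice today. I'm on a plane and can't talk, handle it quietly.
"""

# Constructed sample 3: ordinary internal mail, should produce no findings.
BENIGN = """From: Piet de Vries <cfo@example.com>
To: finance@example.com
Subject: Q3 figures

Attached are the draft figures for the board meeting next week. Let me know if anything looks off.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("benign", BENIGN)):
        print(f"{label:12s} {analyse(raw)}")
```

A score like this belongs in a mail gateway or a reporting add-in as a prompt for human verification, not as an automatic block: the compromised-mailbox case shows that address checks alone are not enough, and the content checks alone will also fire on some legitimate urgent mail.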

An example of CEO fraud

In the image below, we see an example of what such an e-mail looks like:

example of CEO fraud

Where do you report it?

If you think you recognise CEO fraud, handle the e-mail carefully. Do not click on links in it, do not open attachments and certainly do not reply to the sender. Report it to your supervisor or directly to your organisation's CEO through a channel you already know, and record that you received a suspicious e-mail so that others can be warned.

What do you do as CEO?

As a CEO, it is important to take such reports very seriously. The fact that one of your employees received this email could mean that more colleagues have been targeted by cybercriminals. Make sure there is a standard procedure in place when this happens to your organisation. More importantly, make sure your employees know what steps to take when they are victims of phishing. Train your employees periodically and ensure a high level of awareness within your organisation.

4. Attack techniques of CEO fraud

Cybercriminals use various attack techniques to get to sensitive information. Take Executive Whaling, for example. This involves a cybercriminal posing as a CEO or other top official and targeting another CEO, CFO or other person in an important position. It is important to remember that CEO fraud is a form of spear phishing. It targets a specific person or group with personalized information. In many cases, the cybercriminal is well prepared for the attack and has a lot of "inside information" to manipulate victims with.

Common examples of Business Email Compromise

  • Supplier fraud: The criminal poses as a supplier and pressures the victim into sharing bank details or making payments, typically by announcing a "new" bank account for existing invoices.
  • Invoice fraud: Also known as phantom invoices. In this case, a criminal sends fake invoices to organizations in hopes of receiving money.
  • Salary fraud: The criminal assumes the identity of an employee and requests HR or payroll to change the existing payment information. The salary is then transferred to the scammer's account instead of the employee's.
  • Account takeover: The criminal takes over a real e-mail account and uses it to send fake invoices or payment requests. This looks far more credible because the sender really is the genuine address, so address checks alone will not catch it.
  • Imitation of lawyers or executives: Fraudsters impersonate lawyers or executives with urgent requests.
  • Data theft: Request for personal or financial information, often directed to HR or finance departments.

5. What can you do as an organisation against CEO fraud?

There are several measures you can take as an organisation to prevent CEO fraud:

  • Security awareness training: This is perhaps the most important step you can take. Make sure all your employees are trained to recognise CEO fraud and know how to act in suspicious situations. In this way you build an open reporting culture and activate the human firewall.
  • Four-eye principle: Always have payments, and changes to supplier or payroll bank details, approved by a second person who verifies the request independently and not via the e-mail that requested it.
  • Policies and procedures: Establish clear rules and procedures for financial transactions, as well as for when someone receives a suspicious e-mail.
  • Technical measures: Use antivirus, anti-malware and firewalls, and protect mailboxes with two-factor authentication so a stolen password alone is not enough to take over an executive's account. Publish SPF, DKIM and DMARC records for your domain so that mail forging your exact domain can be rejected, and have the mail gateway tag messages from external senders and from domains that look like your own.

CEO fraudsters often use social engineering techniques to amplify their attacks, such as mimicking communication patterns and capitalising on trusted relationships within the organisation.

6. The damage caused by an attack

The biggest risks of CEO fraud are financial loss and reputational damage. Amounts can range from a few hundred euros to millions. Besides financial loss, CEO fraud can also damage the trust of customers and partners, leading to loss of business opportunities.

7. Train employees

The most important action you can take to guard your organisation against cybercrime is to train employees and increase their awareness. Organisations need a high level of security awareness and concrete measures to prevent CEO fraud. This helps to prevent the financial losses and reputational damage that CEO fraud causes.

By making employees aware of the risks and training them to recognise CEO fraud, organisations can better protect their data and improve their security culture. Invest in a security awareness programme, through Awaretrain's security awareness platform, or contact us. With a free demo you will discover how to train your employees through, for example, managed phishing. Try it for free for 28 days.

Wondering how we can help you? Contact one of our specialists and get started today. We would love to help you.

+31 (0)88 018 16 00 info@awaretrain.com
