CEO Fraud Prevention Checklist

All Posts
May 24, 2019
Security

There is no substitute for preparation when it comes to dealing with cybercriminals and the many types of CEO fraud. Here is a list of steps to take to safeguard your organization against the threat.

 

1. Identify your high-risk users such as HR, executives, IT managers, accounts and financial personnel

  • Review each for what is posted on social media, company websites and in the public domain, especially job duties/descriptions, hierarchal information, and out of office details
  • Identify email addresses that may be searchable in the public domain

 

2. Institute technical controls

  • Email filtering
  • Two-factor authentication
  • Automated password and user ID policy enforcement
  • Patching/updating of all IT and security systems
  • Manage your network boundaries
  • Manage access and permission levels
  • Adopt whitelists or blacklists for external traffic

 

3. Policy

Institute wire transfer policy, such as:

  • Multiple points of authorization (not just the CEO and one other person)
  • Out of band verification – email and in person, for example
  • Digital Signatures: Both entities on each side of a transaction should utilize digital signatures
  • Time delays for all wire transfer over a certain amount

 

4. Institute policy concerning access to and release of financial information, IP, customer records and employee records

 

 

5. Procedures

  • Make staff study security policy and enforce this
  • Establish how executive leadership is to be informed about cyber-threats and their resolution
  • Establish a schedule for the testing of the cyber-incident response plan
  • Register as many as possible company domains that are slightly different than the actual company domain
  • Implement Domain Spoof Protection
  • Create intrusion detection system rules that flag emails with extensions that are similar to company email

 

6. Cyber-risk planning

  • Develop a comprehensive cyber incident response plan
  • Consider taking out comprehensive cybersecurity insurance that covers data breaches and CEO fraud
  • Include cyber-risk in existing risk management and governance processes
  • Understand what information you need to protect: identify the corporate “crown jewels.”

→  How to store the information
→  Who has access
→  How to protect it

 

7. Training

  • Train users on the basics of cyber and email security
  • Train users on how to identify and deal with phishing attacks with new-school security awareness training
  • Frequently phish your users to keep awareness up
  • Implement a reporting system for suspected phishing emails such as the PhishAlert Button
  • Continue security training regularly to keep it top of mind

 

8. Red flags

Watch out for fraudulent or phishing emails bearing the following red flags:

  • Urgency
  • Spoofed email addresses
  • Demands for wire transfers

 

Subscribe for Updates

Want more GBQ Technology? We don’t blame you. Our blog ensures you never miss a beat.

Submit a Comment

Your email address will not be published. Required fields are marked *