CEO Fraud Prevention Checklist

May 24, 2019

There is no substitute for preparation when it comes to dealing with cybercriminals and the many types of CEO fraud. Here is a list of steps to take to safeguard your organization against the threat.


1. Identify your high-risk users, such as HR, executives, IT managers, and accounts and finance personnel

  • Review what is posted about each of them on social media, company websites and elsewhere in the public domain, especially job duties/descriptions, reporting hierarchy, and out-of-office details
  • Identify email addresses that may be searchable in the public domain


2. Institute technical controls

  • Email filtering
  • Two-factor authentication
  • Automated password and user ID policy enforcement
  • Patching/updating of all IT and security systems
  • Manage your network boundaries
  • Manage access and permission levels
  • Adopt whitelists or blacklists for external traffic


3. Policy

Institute wire transfer policy, such as:

  • Multiple points of authorization (not just the CEO and one other person)
  • Out-of-band verification (for example, confirming an emailed request in person)
  • Digital signatures: both parties to a transaction should use digital signatures
  • Time delays for all wire transfers over a certain amount


4. Institute policy concerning access to and release of financial information, IP, customer records and employee records



5. Procedures

  • Require staff to study the security policy, and enforce it
  • Establish how executive leadership is to be informed about cyber-threats and their resolution
  • Establish a schedule for the testing of the cyber-incident response plan
  • Register as many look-alike domains as possible (domains that differ only slightly from the actual company domain)
  • Implement Domain Spoof Protection
  • Create intrusion detection system rules that flag emails whose sender domain or address is similar to the company's email domain


6. Cyber-risk planning

  • Develop a comprehensive cyber incident response plan
  • Consider taking out comprehensive cybersecurity insurance that covers data breaches and CEO fraud
  • Include cyber-risk in existing risk management and governance processes
  • Understand what information you need to protect: identify the corporate “crown jewels.”

    →  How to store the information
    →  Who has access
    →  How to protect it


7. Training

  • Train users on the basics of cyber and email security
  • Train users on how to identify and deal with phishing attacks with new-school security awareness training
  • Frequently phish your users to keep awareness up
  • Implement a reporting system for suspected phishing emails such as the PhishAlert Button
  • Continue security training regularly to keep it top of mind


8. Red flags

Watch out for fraudulent or phishing emails bearing the following red flags:

  • Urgency
  • Spoofed email addresses
  • Demands for wire transfers
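
The rule in item 5 (flag mail from look-alike sender domains) and the red flags in item 8 can be turned into a simple mail-triage check. The following is an added example, not code from the original checklist: it assumes a placeholder company domain (example.com), placeholder executive names, and a handful of constructed sample messages, and it flags sender domains that are one typo or homoglyph away from the company's, executive display names arriving from outside, Reply-To mismatches, and urgency or wire-transfer language.

```python
"""Triage checks for CEO-fraud red flags (added example; company domain,
executive names and sample messages below are constructed placeholders)."""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"               # assumption: placeholder company domain
EXECUTIVE_NAMES = {"jane doe", "john roe"}   # assumption: placeholder executive names

# Character substitutions seen in look-alike domains, folded before comparing
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "confidential")
WIRE_WORDS = ("wire transfer", "bank transfer", "payment", "account details", "bank details")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means the domain is a typo or two away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain: str) -> str:
    """Replace look-alike character sequences so exarnple.com compares equal to example.com."""
    d = domain.lower()
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def classify_domain(domain: str, company: str = COMPANY_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower()
    if domain == company or domain.endswith("." + company):
        return "internal"                      # our domain or a real subdomain of it
    if domain.startswith(company + "."):
        return "lookalike"                     # example.com.attacker.invalid
    if fold_homoglyphs(domain) == fold_homoglyphs(company):
        return "lookalike"                     # exarnple.com, examp1e.com
    if levenshtein(domain, company) <= 2:
        return "lookalike"                     # exampel.com, example.co
    brand, first_label = company.split(".")[0], domain.split(".")[0]
    if brand in first_label and first_label != brand:
        return "lookalike"                     # example-corp.com, example.net
    return "external"


def scan_message(msg: dict) -> list:
    """Return the red flags found in one message, given as a dict of header/body strings."""
    flags = []
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    kind = classify_domain(domain) if domain else "malformed"
    if kind in ("lookalike", "malformed"):
        flags.append("sender-domain-" + kind)
    # An executive's name on a message that did not come from our own domain
    if display_name.strip().lower() in EXECUTIVE_NAMES and kind != "internal":
        flags.append("executive-name-external-sender")
    # Replies silently redirected to an address other than the visible sender
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("reply-to-mismatch")
    text = (msg.get("Subject", "") + " " + msg.get("Body", "")).lower()
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency")
    if any(w in text for w in WIRE_WORDS):
        flags.append("wire-transfer-request")
    return flags


SAMPLE_MESSAGES = [  # constructed sample traffic, not real messages
    {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Q3 board deck",
     "Body": "Attached is the draft deck for review."},
    {"From": "Jane Doe <jane.doe@exarnple.com>", "Reply-To": "ceo.office@mail-relay.invalid",
     "Subject": "Urgent wire transfer",
     "Body": "Need this payment sent immediately, keep it confidential."},
    {"From": "Accounts <ap@example.com.billing-portal.invalid>", "Subject": "Updated bank details",
     "Body": "Please use the new account details for this month's payment."},
    {"From": "Vendor <sales@supplier.invalid>", "Subject": "Catalogue",
     "Body": "Our new catalogue is attached."},
]


def scan_all(messages=SAMPLE_MESSAGES) -> list:
    """Scan every sample message and return one flag list per message."""
    return [scan_message(m) for m in messages]


if __name__ == "__main__":
    for msg, flags in zip(SAMPLE_MESSAGES, scan_all()):
        print(msg["From"], "->", flags or "clean")
```

The edit-distance threshold and the brand-name test trade recall for false positives: a short legitimate domain can land within two edits of the company's, so a production rule would whitelist known partners and feed the look-alike domains the company has registered itself (item 5) into the internal list rather than the lookalike one. Flags should raise the message for review, not block it outright.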

