CEO Fraud: Prevention, Resolution and Restitution
Business Email Compromise (BEC) also called CEO Fraud usually involves tricking someone into making a large wire transfer or issuing a check to a false account. Although it is called “CEO Fraud” the CEO is not the only target for these scams. All of your organization’s top management are at risk from cybercriminals who try to gain information about your organization’s operations. With this type of fraud on the rise and with the poor chance of recovery of funds it is important to build your prevention and training program now – right now.
Identifying High-Risk Users
High-risk users include C-level executives, HR, Accounting and IT staﬀ. Impose more controls and safeguards in these areas. For example, on ﬁnance approvals for wire transfers, stipulate several points of authorization and a time period that has to elapse before the transfer is executed.
It is wise to conduct a search of all high-risk users to see how exposed they are. For example, LinkedIn and Facebook proﬁles often provide detailed personal information or even what could be considered sensitive corporate data such as the person having wire transfer authority, as well as email addresses and list of connections.
Various technical controls should be instituted to prevent the success of phishing attacks. Email ﬁltering is the ﬁrst level but it is far from foolproof. Authentication measures should be stepped up. Instead of a simple username and password, which the bad guys have a good success rate of getting past, two-factor authentication also requires something that only the user has on them such as a physical token. This makes it much harder for potential intruders to gain access and steal that person’s personal data or identity. Key fobs, access cards and sending a code to a registered mobile phone are some of the possible methods, but we prefer the Google authentication app.
Automated password and user ID policy enforcement is another wise defense. Comprehensive access and password management also can minimize malware and ransomware outbreaks. Review existing technical controls and take action to plug any gaps.
Every organization should set security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should include such things as users not opening attachments or clicking on links from an unknown source, not using USB drives on oﬃce computers, password management policy (not reusing work passwords on other sites or machines, no Post-it notes on screens as password reminders), completing speciﬁc types of security training including training on security policy, and the many other details of employee and overall security diligence. Policy on WiFi access, for example, should be reviewed. Include contractors and partners as part of this if they need wireless access when on site.
A policy should also exist on wire transfers and the handling of conﬁdential information. It should never be possible for a cybercriminal to hijack a corporate email account and convince someone to transfer a large sum immediately. The policy should limit such transactions to relatively small amounts. Anything beyond that threshold must require further authorizations.
Similarly, with conﬁdential information such as IP or employee records, the policy should determine a chain of approvals before such information is released.
Many steps must dovetail closely together as part of an eﬀective prevention program.
IT should have measures in place to block sites known to spread ransomware, keeping software patches and virus signature ﬁles up-to-date, carry out vulnerability scanning and self-assessment using best practice frameworks such as US-CERT or SANS Institute guidelines, conducting regular penetration tests on WiFi and other networks to see just how easy it is to gain entry. These and many other security procedures will go a long way towards protecting your organization.
Procedures must also be developed to prevent CEO fraud. Wire transfer authorization is one scenario demanding careful attention. Set it up that any wire transfer requires more than one authorization, as well as a conﬁrmation beyond email. Phone, or ideally, face-to-face conﬁrmation should be included. That way, a spoofed email attack is thwarted as conﬁrmation is done on a diﬀerent channel. If by phone, only use a pre-existing number for your contact, not one given to you in an email.
The subject of time should also be part of the procedure. To guard against urgency injected by a cybercriminal into an email, standard procedure should call for a 24 hour waiting period before funds are transferred. This gives ample time for the necessary authorizations and side-checks for authenticity to be completed.
Cybersecurity has historically been treated as a technology issue. However, cyber-risk must be managed at the most senior level in the same manner as other major corporate risks. The CEO must fully understand the company’s cyber risks, its plan to manage those risks, and the response plan when the inevitable breach occurs. CEOs also must consider the risk to the company’s reputation and the legal exposure that could result from a cyber incident. CEO fraud must be part of the risk management assessment.
While this assessment is of a technical nature, it is more about organizational procedures. Executive leadership must be well informed about the current level of risk and its potential business impact. This is rarely the case within organizations inﬂicted with phishing and CEO fraud. Management must know the volume of cyber incidents detected each week and of what type. A policy should be established as to thresholds and types of incidents that require reporting to management.
In the event of an outbreak, a plan must be in place to address identiﬁed risks. This is another weak point in many organizations. Yet it is an essential element of preserving the integrity of data on the network.
Best practices and industry standards should be gathered up and used to review the existing cybersecurity program. Revise the program based on a thorough evaluation. One aspect of this is regular testing of the cyber incident response plan. Run a test of a simulated breach to see how well the organization performs. Augment the plan based on results.
Lastly, call your insurance company and go over the ﬁne print regarding your coverage. If no cyber insurance exists, acquire some rapidly. Go over the details of cybersecurity insurance to ensure it covers the various type of data breaches and includes the various types of CEO fraud. *
*Note: Normally human error like CEO fraud is NOT covered by cybersecurity insurance.
No matter how good your prevention steps are, breaches are inevitable. But user education plays a big part in minimizing the danger. Make it a key aspect of your prevention strategy.
Start by training staﬀ on security policy. Augment this by creating a simple handbook on the basics of security. This should include reminders to never insert USB drives from outside devices into work machines. It should also review password management, such as not reusing work passwords on other sites or machines.
As it represents one of the biggest dangers, phishing demands its own training and instruction. Let users know that hovering over email addresses and links in messages will show the actual email address or destination URL. Just because it says “Bank of America,” or “IT department” with all the right logos doesn’t mean it’s from that source. Add further instruction to not open unknown ﬁle types, click on links, and open attachments from unknown people or entities. Coach them into a suspicious frame of mind regarding requests to send in their passwords or account details. If for instance, educating a student body in this manner isn’t feasible, put them on a separate network and severely restrict their access to sensitive data
Security awareness training is strongly recommended. The best programs baseline click rates on phishing emails and harness user education to bring that number down. But again, don’t expect 100% success. Good employee education can reduce phishing success signiﬁcantly, but it won’t take it down to zero. There is always someone who doesn’t pay attention, is in a hurry that day, or is simply outsmarted by a very clever cybercriminal. Comprehensive data security best practices must also be in force.
Security awareness training is best accompanied by simulated phishing. The initial simulation establishes a baseline percentage of which users are phish-prone. Continue simulated phishing attacks at least once a month, but twice is better. Once users understand that they will be tested on a regular basis and that there are repercussions for repeated fails, behavior changes. They develop a less trusting attitude and get much better at spotting a scam email. Phishing should not just be blasts to all employees with the same text. What happens then is that one employee spots it and leans out of the cubicle to warn the others. Instead, send diﬀerent types of emails to small groups of users and randomize the content and times they are sent.
Security awareness training should include teaching people to watch out for red ﬂags. In emails, for example, look for awkward wordings and misspelling. Be alert for slight alterations of company names such as Centriﬀy instead of Centrify or Tilllage instead of Tillage. Hackers have gotten good at creating spoofed email addresses and URLs that are very close to actual corporate addresses, but only slightly diﬀerent.
Another red ﬂag is sudden urgency or time-sensitive issues. Scammers typically manufacture some rush factor or other that can manipulate reliable staﬀ to act rapidly.
Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information” are often used, according to the FBI.
Resolution and Restitution
Should a CEO fraud incident take place, there are immediate steps to take:
1. Contact your bank immediately
Inform them of the wire transfer in question. Give them full details of the amount, the account destination and any other pertinent details. Ask the bank if it is possible to recall the transfer. Get put in touch with the cybersecurity department of the bank, brief them on the incident and ask for their intervention. They can contact their counterparts in the foreign bank to have them prevent the funds from being withdrawn or transferred elsewhere.
2. Contact your attorneys
Inform your attorneys of the facts concerning an incident of CEO Fraud.
3. Contact law enforcement
In the U.S., the local FBI oﬃce is the place to start. The FBI, working with the U.S. Department of Treasury Financial Crimes Enforcement Network may be able to return or freeze the funds.
When contacting law enforcement, identify your incident as “BEC,” provide a brief description of the incident, and consider providing the following ﬁnancial information:
- Originating Name
- Originating Location
- Originating Bank Name
- Originating Bank Account Number
- Recipient Name
- Recipient Bank Name
- Recipient Bank Account Number
- Recipient Bank Location (if available)
- Intermediary Bank Name (if available)
- SWIFT Number
- Amount of Transaction
- Additional Information (if available) – including “FFC”- For Further Credit; “FAV” – In Favor Of
4. File a complaint
Visit the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov to ﬁle your complaint. Victims should always ﬁle a complaint regardless of dollar loss or timing of incident at www.IC3.gov and, in addition to the ﬁnancial information (bullet points in the previous item), provide the following descriptors:
- IP and/or email address of the fraudulent email
- Date and time of incidents
- Incorrectly formatted invoices or letterheads
- Requests for secrecy or immediate action
- Unusual timing, requests, or wording of the fraudulent phone calls or emails
- Phone numbers of the fraudulent phone calls
- Description of any phone contact to include frequency and timing of calls
- Foreign accents of the callers
- Poorly worded or grammatically incorrect emails
- Reports of any previous email phishing activity
5. Brief the board and senior management
Call an emergency meeting to brief the board and senior management on the incident, the steps taken and further actions to be carried out.
6. Conduct IT forensics
Have IT investigate the breach to ﬁnd the attack vector. If an executive’s email has been hacked, take immediate action to recover control of that account such as changing the password. But don’t stop there, the likelihood is that the organization has been further inﬁltrated and other accounts have been compromised. Have them run the gamut of detection technologies to ﬁnd any and all malware that may be lurking to strike again.
7. Bring in outside security specialists
If the organization was breached, it highlights deﬁciencies in existing technology safeguards. These will prove harder for IT to spot. So bring in outside help to detect any area of intrusion that IT may have missed. The goal is to eliminate any and all malware that may be buried in existing systems. The bad guys are inside. The organization isn’t safe until the attack vector is isolated and all traces of the attack have been eradicated. This is no easy task.
8. Contact your insurance company
FBI data shows that less than 4% of CEO fraud funds are recovered. Therefore, it is necessary to contact your insurance company to ﬁnd out if you are covered for the attack. While many organizations have taken out cyber-insurance, not all are covered in the event of CEO fraud.
This is a grey area in insurance and many refuse to pay up. Many that have reported CEO fraud to their insurer, ﬁnd that this type of incident is not covered. Despite the presence of a speciﬁc cyber insurance policy, the unfortunate fact is that no hardware or software was hacked. It was the human that was hacked instead.
Insurance companies draw a distinction between ﬁnancial instruments and email fraud. Financial instruments can be deﬁned as monetary contracts between parties such as cash (currency), evidence of an ownership interest in an entity (share), or a contractual right to receive or deliver cash (bond). Many companies are covered in the event of a fraudulent ﬁnancial instrument.
However, CEO fraud is often categorized diﬀerently. It is regarded by some insurance ﬁrms as being purely an email fraud and not a ﬁnancial instrument fraud. In other words, it is being regarded in many cases as a matter of internal negligence or email impersonation as opposed to being a ﬁnancial instrument matter.
That said, there are dozens of carriers in the market providing up to $300 million in limits. Coverage extensions have developed to include both the third-party liability and ﬁrst-party cost and expenses associated with a data breach or cyber-attack.
9. Isolate security policy violations
For such an incident to happen, violations of existing policy are likely to be in evidence. Conduct an internal investigation to cover such violations as well as to eliminate any possibility of any collusion with the criminals. Take the appropriate disciplinary action.
10. Draw up a plan to remedy security deﬁciencies
When the immediate consequences of the attack have been addressed and full data has been gathered about the attack, draw up a plan that encompasses adding technology and staﬀ training to prevent the same kind of incident from repeating. Be sure to beef up staﬀ awareness training as a vital part of this.
There is no substitute for preparation when it comes to dealing with cybercriminals and the many ﬂavors of CEO fraud. View the CEO Fraud Prevention Checklist to guide you through the steps to protect the organization against this type of incident.
While those steps will greatly reduce the likelihood of an incursion, all it takes is one gullible or inattentive user to let the bad guys inside. In those cases where CEO fraud is being perpetrated, the CEO Fraud Response Checklist applies.
In the case of both checklists, security awareness training plays an essential role in creating a human ﬁrewall around your organization. Only when users are fully aware of the many facets of phishing will they be capable of withstanding the most sophisticated attempts at CEO fraud.