What is CEO Fraud?
CEO fraud is a type of BEC where criminals impersonate a CEO in an attempt to trick employees into paying invoices, sharing sensitive information, or otherwise compromising a company’s cybersecurity infrastructure. CEO fraud is also known as executive impersonation.
CEO fraud is a type of spear phishing attack where a criminal impersonates a company’s CEO or high-ranking executive to con other employees, partners, or vendors into a scam. Criminals can impersonate or take over a legitimate email account and use it for CEO fraud.
CEO fraud is a subset of business email compromise (BEC) that specifically impersonates executive-level employees. Meanwhile, BEC attacks can impersonate any trusted contact like a vendor, partner, or coworker, rather than just executives.
These attacks can have a devastating impact on a business, as urgent requests from an executive can trick even the most security-aware employee.
How Does CEO Fraud Work?
Like other spear phishing campaigns, a CEO fraud attack targets specific employees by sending a personalized email to trick the person into sharing sensitive information or installing ransomware on their computer. The fraudulent emails impersonate CEOs and executives, exploiting trusted relationships and using social engineering tactics to successfully execute a campaign.
It’s successful because employees may overlook suspicious requests when they come directly from an executive. These requests come with time-sensitive urgency ("please pay this invoice immediately!"), and employees don’t want to disappoint an important higher-up.
The first step a criminal takes to launch a CEO fraud phishing campaign is to obtain an email address. There are three ways a criminal may do this:
Take over the authentic email account of the CEO. This takes a bit more work, but if successful, victims rarely question an email sent from the CEO's actual email address. Criminals may take over an account with a credential phishing attack.
Use domain name deception to create a similar email address to the real one. Criminals will often register domains that are off by one character or look related to the real email address. Then they use those domains to send fraudulent emails.
Use display name spoofing to have the name look real, but the email address is clearly wrong. It’s easy to look at the display name rather than the actual email address to ensure authenticity, so it may be sufficient for criminals to only use a display name that looks legit.
Design email headers that look similar to the real email header used by an organization, as part of an email spoofing tactic. This is another step in making emails appear more authentic to a recipient.
Once a criminal has control of an executive’s email account (or at least a passable impersonation), they can commit CEO fraud with a spear phishing attack.
Depending on the criminal's intent, they can send different types of emails with the goal of stealing personal information, billing fake invoices, or installing ransomware on a network system.
How to Identify CEO Fraud
Executive impersonation is costly for organizations. According to the FBI's 2021 Internet Crime Report, BEC scams caused a $2.4 billion loss for organizations.
Companies should make preventing CEO fraud and BEC scams a priority. This requires regular training on cybersecurity and spotting fraudulent emails. Here are some telltale signs that an email isn't authentic:
Sudden emails that ask for a money transfer, gift cards, or an invoice to be paid. Compare the email to other emails with similar transactions and look for anomalies that could raise a red flag, such as new deposit information and irregular billing schedules.
Double-check the display name and email address to ensure authenticity. Even if it's authentic, it may come from a compromised account. You can confirm the request using another method like calling a trusted phone number or asking in person.
Urgent language is another sign of email scams. Criminals don't want you to take the time to think about the request and will often demand actions be taken immediately.
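The three signs above (a lookalike sender domain, a display name that matches an executive while the address does not, and urgent payment language) can be checked mechanically before a human ever reads the message. The script below is an added example, not code from the original article or from Abnormal; the trusted domain, the executive roster and the sample messages are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed inventory for this example: the organization's real domain and
# the executives whose names criminals are most likely to impersonate.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENT_TERMS = ("immediately", "urgent", "asap", "right away", "end of day")
PAYMENT_TERMS = ("wire", "invoice", "gift card", "bank details", "transfer")


def edit_distance_one(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion
    (the 'off by one character' lookalike domains described above)."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def score_message(from_header, subject, body):
    """Return the list of CEO-fraud indicators found in one message (empty if none)."""
    reasons = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    # Sign 1: domain name deception, e.g. examp1e.com instead of example.com
    if domain != TRUSTED_DOMAIN and edit_distance_one(domain, TRUSTED_DOMAIN):
        reasons.append(f"lookalike domain {domain}")
    # Sign 2: display name spoofing, the name is right but the address is not
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name matches executive but address is {addr}")
    # Sign 3: urgency combined with a request to move money
    text = f"{subject} {body}".lower()
    if any(t in text for t in URGENT_TERMS) and any(t in text for t in PAYMENT_TERMS):
        reasons.append("urgent payment request")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a lookalike-domain message carrying an urgent invoice demand
    print(score_message("Jane Doe <jane.doe@examp1e.com>", "Quick favor",
                        "Please wire the invoice payment immediately."))
```

Messages that trip any indicator belong in the reporting queue described below rather than being acted on; a message with no indicators can still come from a compromised account, so out-of-band confirmation of payment changes remains necessary.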
How to Stop CEO Fraud
Security awareness training is vital, but not enough on its own. Organizations should also build a robust cybersecurity stack. Here are some steps you can take to protect your end users from CEO fraud:
Set up a reporting procedure for employees to mark suspicious emails.
Don't click on links or attachments in suspicious emails until the emails are verified as authentic.
Require multi-factor authentication on accounts.
Implement advanced email security software that detects social engineering email attacks.
Traditional email security like secure email gateways and Google and Microsoft’s built-in email protection doesn't catch the social engineering tactics common in CEO fraud. But modern email security (like Abnormal) can detect urgent language, unusual requests, and suspicious behavior in emails.
Abnormal Security vs. CEO Fraud
Abnormal Security can block emails that appear to come from trusted executives. It scans emails for signs beyond traditional indicators of compromise, including:
Detecting suspicious language and tone.
Inspecting email headers for spoofed domain names.
Understanding communication patterns to detect suspicious behavior.
Abnormal prevents employees from even getting the chance to accidentally interact with email scams like CEO fraud.
Abnormal uses natural language processing to evaluate the authenticity of an email. Abnormal evaluates the behavior of email senders and recipients to notice unusual patterns, like untimely invoices and urgent requests.
Advanced email security stops CEO fraud and other phishing attacks from successfully reaching your employees' inboxes. Request a demo to see how we do it.