CEO fraud is a type of financial theft attack in which criminals impersonate a CEO or other C-level executive to obtain money or sensitive data. The perpetrators typically trick a finance or human resources employee into executing unauthorised money transfers or sending confidential tax and payroll information. By posing as the CEO or another senior figure, the attacker makes it far more likely that the malicious email gets the employee’s immediate attention. Many employees are reluctant to question a request that appears to come from their CEO, so they often comply without verifying it through a second channel.
The U.S. Federal Bureau of Investigation (FBI) categorises CEO fraud as a business email compromise (BEC) scam. BEC uses a range of techniques, including social engineering, the takeover of legitimate business email accounts, malware that gives the attacker access to inboxes, and other computer intrusion tactics.
A growing threat
The number and impact of BEC scams continue to increase. The FBI reported a 65% increase in identified global exposed losses from BEC between July 2019 and December 2021. According to the same report, data collected by the FBI Internet Crime Complaint Center (IC3), law enforcement, and financial institutions showed that between June 2016 and December 2021 the scams exposed victims to more than USD 43 billion in losses, with fraudulent transfers sent to banks in over 140 countries.
Reporting these incidents is not mandatory in many jurisdictions, so the real figures are likely to be considerably higher. Many victims are also embarrassed to report the crime: they feel foolish and want to avoid reputational damage. This under-reporting works in the criminals’ favour, masking the true scale of the losses caused by BEC.
Identifying and compromising CEOs
The perpetrators use platforms such as LinkedIn and company websites to identify CEOs and senior executives and to obtain their contact details. They then contact the targets by email or via messaging platforms such as WhatsApp and attempt to hijack their accounts, for example by phishing for credentials. With a stolen email or messaging account, the attacker gains the executive’s contact list and can run the same scam against CEOs and senior executives at other companies, now from a genuine account.
Spoofing sender details
There are two common tactics for manipulating the sender information that the recipient sees in CEO fraud emails:
- In name spoofing, the attacker uses the name of the…