One of the most common types of social engineering is CEO fraud. This is typically a targeted attack where a fraudster impersonates the CEO or another senior executive within an organisation and instructs a member of the finance department to make an urgent payment to a particular account for a specific reason. Even traditional businesses who might not think they have a strong cyber exposure can lose thousands in attacks like this.
CFC’s latest cyber claims case study tells the story of a manufacturer who fell victim to CEO fraud and the financial fallout the company experienced as a result.
The key takeaway points are:
- CEOs and senior executives are prime targets for cybercriminals. They tend to act as the face of their respective companies and have bigger profiles on company websites and social media accounts, allowing cybercriminals to gather valuable information about them. Cybercriminals also know that employees are instinctively less likely to question instructions from senior executives. CEOs and senior executives therefore need to be especially conscious of sticking to good cybersecurity practices, and employees need to be particularly alert to suspicious emails and have robust authentication procedures in place.
- Cybercriminals are becoming increasingly sophisticated. In the past, it was not uncommon to see blatant attempts at funds transfer fraud over email, with an urgent appeal for help or bogus prize give-aways being just two examples. Now, however, we are seeing far more nuanced attacks, with fraudsters sending convincing credential phishing emails to gain access to email accounts, setting up forwarding rules on email accounts to avoid detection and making use of seemingly legitimate invoice templates to add authenticity to their scams.
- Lots of businesses don’t think they need to purchase cyber insurance because they believe they have good IT security in place, such as firewalls and anti-virus software. But this ignores the fact that people are often the weakest link in an organisation’s IT security chain. With increasingly sophisticated attacks like this on the rise, it makes it difficult for employees to tell the difference between a real email and a fake email or a real invoice and a fake invoice, and it makes the chances of a successful social engineering attack against a business increasingly likely.