Business email compromise and CEO impersonation is on the rise, and it puts the entire organisation at risk
One of the most successful cyber-attacks of 2022 is CEO fraud, also known as Business Email Compromise (BEC). According to the FBI’s Internet Crime Complaint Center 2021 report, this type of attack is one of the most profitable, and one that has seen a significant increase. It is also incredibly smart – cybercriminals impersonate the CEO or a high-level executive using email, deep fakes or audio files to trick staff into providing access to critical business information, systems or even authorising fraudulent payment transactions. It is, says Anna Collard, SVP Content Strategy & Evangelist at KnowBe4 AFRICA, pervasive and smart, and it asks that companies pay very close attention to security protocols that are designed to mitigate this threat.
“This type of fraud is one of the most prolific at the moment, probably because it has been so successful,” she explains. “Essentially, the cybercriminals either spoof or compromise the CEO/ executive’s email and then use this to send instructions to key employees. Sometimes they even combine these messages with voice notes using deepfake audio to mimic the executive’s voice, and instruct employees to transfer money or provide password information or give them access to certain systems. The fake CEO is so convincing that employees do exactly as they are told.”
BEC is usually financially motivated. The hackers use the world’s reliance on hybrid and remote working, and virtual meetings, to make millions. According to the FBI, the price tag attached to BEC scams exceeded $43 billion in 2022, and that these types of attacks now make up 35% of all cybercrime losses. Their success rate is high because the attack vector works purely on social engineering a human and without the use of any malicious software. Attackers play the long game when it comes to penetrating the systems and gaining access to the CEO’s emails.
“It usually starts out with a phishing campaign,” says Collard. “Users in the company are targeted with phishing emails that ask them to enter information into very realistic-looking websites. These emails are designed to lure employees in so that they accidentally hand over their account details to the cybercriminals. Once the latter have those, they enter into the company system, and attempt to compromise the CEO or other people at the executive level, such as the Chief Finance Officer (CFO). Once there, they can build compelling BEC scams sending emails directly from the compromised accounts.”
Once the hackers have access to the CEO’s email system, the chances of them succeeding at siphoning millions from the organisation go up exponentially. And the sums of money that they are stealing are eyewatering, especially considering their target markets. The FBI report found that banks were the most common targets, especially those located in Thailand, Hong Kong, Mexico and Singapore. According to a recent Trend Micro report, respondents believe that the top cyberthreat of 2022 was BEC and that they saw an increase of successful cyber-attacks from 84% to 90%.
“The problem is, this type of attack is so easy to perpetrate once you have all the right information,” says Collard. “Who can argue with the CEO if they are messaging you and asking you to make an urgent payment because they are busy boarding a plane? Or with an email that asks you to pay a supplier urgently? People get nervous and try and do the right thing – they want to impress the boss. That is why this attack is so effective. Who would say no to the CEO?”
Overcoming the threat requires both financial controls such as segregation of duty so that no single person is responsible for every stage in the payment process as well as awareness training. This involves constant reminders and awareness training across every level of the company that underscores the insidious nature of social engineering and the risks of BEC.
“Training and awareness are absolutely the best line of defence against the BEC attack,” concludes Collard. “This can potentially stop the initial phishing attempt that exposes the CEO’s information in its tracks, and, if that fails, it can even prevent the payment from taking place because the employee is asking the right questions instead of racing to do what they are being told. If people are aware of how these scams are perpetrated, they can make informed decisions that can save the company millions. (