What to Do About C-Level Fraud Attacks
C-level fraud attacks are an increasingly common vector, especially for SMBs. Generally, these attacks come in the form of spoofed emails from the “CEO” or another C-suite exec (actually an attacker who has gained access to that email address or who is using a fake email address that looks similar) and ask the recipient to wire money to the scammers. They often target folks in accounts payable or HR. These attacks use both urgency (please take an action NOW) and the power of the role (people tend to do what the boss says) in order to increase their effectiveness. They are quite similar to the W-2 phishing attacks we have written about previously.
We recently caught one of these attacks when an email recipient at one of our customers raised the alarm. Luckily, in this case, the attacker had not gained access to the CEO’s email account, and the emails sent to the recipient were spoofed from an AOL account. The attacker faked the CEO’s name in the From field of the e-mail (to make it look real) and then set a Reply-To to the attacker’s address so they could actually communicate with the victim.
After a lengthy conversation, the victim realized something was wrong and reached out to us for help. After determining that it was a CEO Fraud attack, we first alerted the organization to the fact that everyone who received one of these emails is a target. The attackers had identified them key employees of this organization, ones who might be able to successfully wire money to the attacker.
We warned the organization that these attacks will continue to happen. They will get better in quality. The attacker will uncover other people inside the organization to target as well, expanding who they go after, so it’s key to build a plan to stay protected.
How to Protect Against C-Level Fraud
Here are the recommendations we have for protecting any organization against C-Level fraud and other common attacks.
- Update Your Policies: Define (or re-define) your policy for both transfer of funds and providing sensitive employee information via email and the telephone. We recommend requiring a second communication (phone and e-mail, e-mail and personal visit) as company policy.
- Be Transparent: In all likelihood, the attackers will continue to go after folks in this organization, so it’s wise to remain vigilant at all times. Continue to provide user education and make sure everyone at the organization is aware that these types of attacks are happening and is keeping an eye out for fake emails. Above all, ask everyone in your organization to talk about phishing emails they get. It’s one of the best ways to educate your staff.
- Report It: You should report suspicious e-mails to Strongarm. We will immediately respond to the reporter with details about the type of phish, whether it’s a trend, and how you should respond. We also urge our customers to register a report with the Internet Crime Complaint Center (IC3), which will then be referred appropriate to federal, state, local or international law enforcement or regulatory agencies for possible investigation. I understand any investigation opened on any complaint I file on this website is initiated at the discretion of the law enforcement and/or regulatory agency receiving the complaint information. Keep in mind that if someone in your organization did fall victim and send money, filing a complaint with the IC3 does not serve as notification to your bank or credit card company that you are disputing unauthorized charges. If you fell victim, you should contact your financial institution directly to notify them.
- Change Your Passwords: If any email passwords of those involved have not been changed in the last two weeks, that is recommended. It’s also a good time to make sure you are using secure, differentiated passwords for all websites and services, and to consider implementing two-factor authentication and a password management program.
- Use Email-Based Protection: Firewalls and antivirus programs are no match for CEO fraud tactics. They pass right through these protections so it’s vital to use more advanced protection. Cloud-based email services sometimes have this baked in, so they’ll make you a bit safer. If you’re still running your own mail server, consider a product that will help you find and remove emails from fraudsters.
Ready to protect your organization against C-Level fraud and other common attack vectors?