Like most employees, you don't think twice before opening an email from your CEO. Given the latest email scam making the rounds in the workplace, maybe you should. Statistics show that the spear phishing scam known as "CEO Fraud" has already racked up more than $2 billion in losses and victimized 12,000 individuals globally. Losses have averaged a median of $120,000 with the highest loss reported to be $90 million. What's more, because the money is often diverted to offshore accounts, it's nearly untraceable, much less recoverable.
Here's how it works: A fraudster, impersonating a C-level suite's persona and email address directs an employee to wire money to an overseas bank. As described by the Financial Times in its reporting of one of these scams, the fraudster explains to the employee that the transaction "takes priority over other tasks," is "highly sensitive" and, significantly, they should "only communicate with me through this email in order not to infringe SEC regulations." To the untrained eye all this sounds credible, especially when the Security and Exchange Commission's name is invoked.
So, what should employees watch out for so as not to be taken in by these fraudulent emails?
In CFO Magazine, Richard Barber suggests keeping an eye out for the following telltale signs:
- The greeting seems off. If the relationship between the CEO and the employee has always been friendly and conversational, but the greeting is formal and rigid, that should raise an immediate red flag.
- The tone is abnormal. Dovetailing with this overly formalized wording, things like numerous typos, international spelling differences and a voice or tone of voice that seems just a bit out of place, the recipient should evaluate the email with a jaundiced eye.
- It's an unusual request. If the CEO has never requested you to personally make a wire transfer on behalf of a vendor, especially one you don't recall having that kind of partnership with, that too should give you pause that it's illegitimate.
- There's an inconsistency in the typical chain of command. For example, if the CEO doesn't normally request payroll information from the payroll manager but has historically made those kinds of requests through the controller, the payroll manager might want to question whether that request actually originated from the desk of the CEO.
Of course, it's normal for employees to be responsive to their immediate management team and especially the CEO, fearing reprisal if they don't act quickly enough on the requests made of them. This may, in fact, prevent them from checking suspicious emails out with management and appearing to be lax in their duties - something the scammers count on when they target employees in the first place.
The same guidance for recognizing (and stopping) spear phishing in general applies to email scams like this one. While there are many sophisticated analytics tools which can vastly reduce the risk of spear phishing, a majority of the companies targeted are small organizations where a firewall and anti-virus software are considered sophisticated.
This is where security awareness, training, and education become extremely important, especially as it pertains to employees, such as finance and HR reps, who are handling the most sensitive data. With fraudsters constantly evolving and calibrating their attacks to maximize reward, it's important for employees to know that if something seems off to them they should bring it immediately to the attention of their supervisors without fear of reprisal, retribution or being rebuffed because of it.
Author: Heidi Bleau
Category: RSA Fundamentals, Blog Post
Keywords: Cybercrime and Fraud, Enterprise Security, Fraud, Phishing, Spear Phishing