The Federal Bureau of Investigation urged caution following reports of an increase in CEO fraud email scams. CEO fraud occurs when a hacker fakes a message from the CEO of a company and attempts to persuade an employee to transfer funds to an unnamed beneficiary or to provide private information about the company's employees.
This type of attack is especially dangerous because these fake emails often circumvent spam filters. Typically, a hacker will begin by phishing an executive's inbox or creating a domain with a similar name to that of the target. Rather than spamming a large number of targets, CEO scam emails are typically sent to one individual at a time.
This type of business email compromise has become a $3.1 billion threat, according to reports of losses since October 2013. The Internet Crime Complaint Center stated that it had received 15,688 reports of CEO fraud globally since January 2015, with combined losses of over $1 billion.
CEO fraud has been effective because hackers employing this method of phishing are patient. They take the time to research the communication and purchasing habits of the target organization, allowing them to craft an email that might seem innocuous to an unsuspecting victim.
Today, sensitive financial data is transferred all the time. This is the nature of the business world. Because businesses complete transactions on a daily basis, it is imperative that people understand existing risks, including fraud and theft. While there are preventative measures in place, hackers are working every day to steal data and money from hard-working people.
At the organizational level, businesses need to be smarter about preventing this type of theft, as CEO scams often target large sums of money. To help ensure greater control of finances, businesses can take the following preventative measures when appropriate:
- Restrict any single individual's ability to authorize payment; contact your bank to limit authorization to a list of approved payees
- Require additional verification for payments over a certain amount
- Require a phone call or in-person meeting to authorize payments
- Require a written purchase order with signatures from both parties
On the individual level, as an employee, it is critical to know where your emails are coming from, especially when money is involved. Be sure to verify the email address, ensuring that it is not one or two characters off from the correct email address. When in doubt, speak with the person who sent the email face-to-face or over the phone, verifying the sender's identity.