Matt Davey, COO for 1Password
The number of security threats that businesses must protect themselves from can feel overwhelming. Now, a new one is on the rise: CEO fraud.
This occurs when an attacker outside the company sends an email whose sender is forged or otherwise made to appear to be the head of the company (or another senior C-suite executive).
There are many different forms the email can take. Sometimes it arrives in an employee’s inbox showing the CEO’s genuine address in the From header, a perfect spoof. The Reply-To header, however, points to a mailbox the attacker controls, so when the unwitting employee replies and complies with the request, the information goes straight to the attacker and company security is compromised. In other cases the email comes from Gmail, Yahoo, or another third-party provider and is presented as the CEO’s personal account.
Usually, the fraud email asks the employee to take quick action to solve a problem or relieve pressure. The fake CEO may ask the employee to send over a password because they have been locked out of a necessary account. Or it may claim that the CEO needs to close a deal and ask the employee to wire a large sum of money to a bank account. These may sound like obvious fraud requests, but you might be surprised at how effective they are. Employees who want to do well by their CEOs will often act quickly in response to these requests. And according to the FBI, this kind of fraud has cost companies $26 billion since 2016.
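The patterns described above (a corporate From address that the receiving mail server did not authenticate, a Reply-To that points somewhere else, an executive's name on a freemail account, and an urgent request for a password or a wire) can be checked mechanically before a message ever reaches an inbox. The script below is an added example written for this page, not 1Password's code or a product feature; the company domain, executive list, keyword lists and the three sample messages are all constructed for illustration. It reads the Authentication-Results header that a receiving MTA stamps on inbound mail, so it complements SPF, DKIM and DMARC enforcement rather than replacing them, and it is a triage aid, not a substitute for out-of-band verification of payment requests.

```python
"""Flag inbound e-mails that show the CEO-fraud patterns described in the article.

Added example: the domain names, executive list, keyword lists and sample
messages are constructed for illustration and are not from the original page.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumptions: the company's mail domain and the real addresses of executives
# whose names an attacker is likely to impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
REQUEST_TERMS = ("password", "wire", "bank account", "gift card")
URGENCY_TERMS = ("urgent", "asap", "right away", "immediately", "end of day")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def dmarc_passed(msg) -> bool:
    """True only if some Authentication-Results header records dmarc=pass."""
    for value in msg.get_all("Authentication-Results", []):
        if "dmarc=pass" in str(value).lower():
            return True
    return False


def check_message(raw: str) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    flags = []

    # 1. "Perfect spoof": From shows our own domain, yet the message did not pass DMARC.
    if from_dom == COMPANY_DOMAIN and not dmarc_passed(msg):
        flags.append("corporate From address without DMARC pass")

    # 2. Reply-To steers replies to a different domain than the one displayed.
    if reply_addr and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. An executive's display name on an address that is not their real one,
    #    and any sender on a freemail provider ("writing from my personal account").
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' with unexpected address {from_addr}")
    if from_dom in FREEMAIL_DOMAINS:
        flags.append(f"sender uses freemail domain {from_dom}")

    # 4. The lure itself: an urgent request for credentials or a payment.
    part = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (part.get_content() if part else "")).lower()
    if any(t in text for t in REQUEST_TERMS) and any(t in text for t in URGENCY_TERMS):
        flags.append("urgent request for credentials or payment")
    return flags


# Constructed samples (not real mail): a forged corporate From with an attacker
# Reply-To, a "personal account" lure from freemail, and a genuine message.
SPOOFED_FROM = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Reply-To: Jane Doe <jane.doe@mail-relay.example>\n"
    "To: pat@example.com\n"
    "Subject: Urgent: need the payroll password\n"
    "Authentication-Results: mx.example.com; spf=fail; dmarc=fail header.from=example.com\n"
    "\n"
    "Pat, I'm locked out. Send me the payroll password right away.\n"
)
FREEMAIL_LURE = (
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "To: pat@example.com\n"
    "Subject: Closing a deal today\n"
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=gmail.com\n"
    "\n"
    "Writing from my personal account. Please wire $48,000 to the account below ASAP.\n"
)
GENUINE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: pat@example.com\n"
    "Subject: Board deck review\n"
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com\n"
    "\n"
    "Pat, can you review the board deck before Thursday? Thanks.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_FROM), ("freemail", FREEMAIL_LURE), ("genuine", GENUINE)):
        print(label, check_message(raw) or ["no flags"])
```

The first sample trips three checks (unauthenticated corporate From, mismatched Reply-To, urgent password request), the second trips three different ones (executive name on a freemail address, freemail sender, urgent wire request), and the genuine message trips none. In production the flagged message would be quarantined or tagged with a banner for the reporting address the article recommends, and the executive list would come from the directory rather than a literal.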
However, the good news is that there are concrete steps that any IT department can take in order to combat this type of malicious activity. The most important aspect of this is education.
Have a security structure in place that allows for easy password sharing
Hackers often take advantage of the fact that many organizations have no standard practice for storing passwords and sharing them securely. Email fraud works in part because employees have no sanctioned way to share a password with a colleague, so a request arriving by email does not look out of place. An email from the CEO asking for a password might seem a little strange, but it might not raise any red flags, especially at a smaller organization.
One crucial way to stop employees from falling victim to this kind of fraud is to implement a method through which employees and C-suite executives alike can both store their passwords and share them securely with one another. Even if your company primarily uses SSO, this kind of tool can help combat fraud and provide an additional layer of security to fill in any gaps.
Educate employees about the ubiquity of this practice
When an employee joins your company, they should complete mandatory security training, and education about CEO fraud should be part of that package. Employees should come away from it aware of what CEO fraud is and what forms it can take, and the topic should be repeated in any yearly security briefings employees are required to take.
The most important thing to teach employees is what a CEO will not ask for in an email. This becomes much easier once a password management tool is in place: employees know how to share passwords securely when they need to, so if they receive an email from a C-suite executive requesting a password, they will immediately recognize it as fraud.
Likewise, there should be standard methods for approving payments and wire transfers, including a verification step that does not rely on email, such as a phone call to a number already on file. Employees who handle this kind of sensitive information should receive specific training on those processes so they can immediately flag any email that asks them to bypass one. IT departments should also make it easy to report phishing and fraud emails, for example through a dedicated email address.
Educate CEOs about the ins and outs of email wire fraud
Combating CEO fraud doesn’t stop with employee education, though. If CEOs routinely use insecure methods to obtain sensitive information (such as emailing an administrative assistant and asking for a password), then employees will fall victim to CEO fraud much more easily, because the fraudulent request looks exactly like a routine one.
Not only do C-Suite executives need to be made aware of the hazards of CEO fraud, but they also specifically need education on what they should not ask for in an email, such as personally identifiable information, bank transfers, passwords, and other details. Don’t allow company heads to undermine internal security through insecure practices.
Additionally, you should encourage the CEO to send a company-wide email letting employees know what kinds of information or action requests should raise a red flag. You can find a template here.
By making combating CEO fraud a company-wide effort, IT departments will be much more effective at making sure these kinds of emails are immediately shut down. Employees are your best defence against breaches, hacks, and phishing attempts, and it’s important to make sure they’re armed with the information and tools they need to quickly identify, flag, and report these kinds of malicious emails.