For some time now, the term "CEO fraud" or "fake president" has been making the rounds. Observers estimate damages in the billions. The German Federal Criminal Police Office (BKA) also takes the threat extremely seriously and has launched an awareness campaign to warn against this new type of fraud.
But how exactly do criminals go about CEO fraud? What tricks are used? And what can companies do to protect themselves and their employees from such fraud schemes? Bernhard Hecker is Head of Product Management at Retarus and, as an expert, has been dealing with the subject of e-mail security for many years. In this interview, he answers the most pressing questions and gives important tips to IT managers.
What exactly is behind the buzzword CEO fraud?
Bernhard Hecker: CEO fraud is a scam in which cyber criminals pretend to be the CEO of a company and ask their victims to transfer large sums of money in fake e-mails. The unknown persons specifically address those employees who have access to sensitive data or are authorized to make payments. These can be, for example, assistants to the management or employees in the controlling and HR departments. They then receive an e-mail bearing the name of their own managing director as the supposed sender. The message usually announces an urgent, confidential transaction – for example, the acquisition of a company for which an immediate transfer of a large sum of money is necessary.
What is the typical content of such mails? And how do the fraudsters get the necessary information for this?
Hecker: In order to appear credible, the senders use so-called social engineering to research the name and e-mail address of the company’s CEO as well as of persons who could be entitled to payment. This information is easy to obtain from publicly available sources such as company websites, press releases or trade register entries. Auto-reply mails with absence messages are just as useful to the fraudsters in their scam as social media posts: If the managing director is currently on a business trip to Asia, the e-mail may mention a company purchase there or even a claim for damages after a local car accident. The e-mail then exerts additional pressure on the recipient to act, with alleged deadlines or threatened lawsuits.
General vacation periods also provide an ideal environment for criminals. Meanwhile, almost all companies are working with reduced staff and a correspondingly weakened control environment. If the boss is on vacation, he or she is often not contacted personally out of consideration and the likelihood of a frivolous transfer is higher.
Which companies are particularly affected by CEO fraud?
Hecker: Generally, all company sizes are affected. It can be observed that fraudsters can accurately estimate the respective company size and even adjust the requested amount of money as well as the reason for the payment accordingly. However, small and medium-sized businesses are a particularly popular target for a different reason: while larger corporations usually have stricter protection or control mechanisms in place for large transfers, medium-sized businesses often lack clear processes and guidelines for this purpose. This makes companies of this size a preferred and promising target for attack.
How should employees react when the first suspicion of fraud arises?
Hecker: If in doubt, those affected should always seek personal contact with the supposed sender and have the payment instruction confirmed on another, independent communication channel – preferably in person by telephone. Recipients should refrain from written queries by e-mail. As a rule, the reply-to address does not match the correct sender address, but refers to the mailbox of any freemail provider. The e-mail thus does not end up with the real boss, but directly with the fraudster. This immediately signals to the attacker that a supposed victim has "bitten". The criminals now see good prospects of success and will intensify their efforts accordingly.
In addition, in the event of suspicion, the person concerned should immediately inform the relevant IT security officer in accordance with the internal IT guidelines and inform all employees authorized to make payments or the entire management team about the incident.
What if a fake mail has already been responded to?
Hecker: Those affected should immediately contact their local police station or the relevant state criminal investigation office. If a payment has already been made, authorized bankers should try as quickly as possible to stop the transaction at the bank or have the bank reverse any money that has already been transferred.
Which technical options can be used to prevent fraud incidents such as CEO fraud?
Hecker: As always, even the best IT security solution cannot replace employee training and education. To defend against CEO fraud, companies should nevertheless use technical standards that can be used to check the authenticity of the sender if possible. The Sender Policy Framework, or SPF for short, and Domain Keys Identified Mail, or DKIM for short, are particularly worthy of mention here.
In addition, IT measures such as an e-mail security solution can provide additional security – even if such attacks are difficult to distinguish from legitimate mails due to their individually tailored messages for the victim. Security manufacturers such as Retarus are therefore working on technologies that automatically flag e-mails if technical discrepancies are identified in the sender information in the e-mail header.
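Added example (not part of the interview and not Retarus's product code): a small Python header check over two constructed messages that flags the discrepancies Hecker describes in his answers above, namely a Reply-To that diverts replies to a different domain than the From address, an executive's display name on a sender outside the company domain, and non-passing SPF/DKIM results as recorded by the receiving mail server. The company domain, the executive name and both messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: executive display name, Reply-To diverted to a
# freemail mailbox, SPF failed at the receiving MTA (placeholder domains).
SUSPICIOUS_RAW = """\
From: "Max Mustermann" <max.mustermann@example-corp.com>
Reply-To: "Max Mustermann" <max.mustermann.ceo@freemail.example>
Subject: Urgent confidential acquisition
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none

Please transfer the amount today, confidentially.
"""

# Constructed sample of an ordinary internal message that should not be flagged.
LEGIT_RAW = """\
From: "Max Mustermann" <max.mustermann@example-corp.com>
Subject: Q3 figures
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com

Attached.
"""

COMPANY_DOMAIN = "example-corp.com"          # assumed company domain
EXECUTIVE_NAMES = {"max mustermann"}         # assumed list of executives

def check_headers(raw, company_domain=COMPANY_DOMAIN, exec_names=EXECUTIVE_NAMES):
    """Return a list of header discrepancies; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    # 1. An executive's display name on a sender outside the company domain
    if from_name.strip().lower() in exec_names and from_domain != company_domain:
        findings.append(f"executive name with external From domain {from_domain}")
    # 2. Reply-To sends the answer somewhere other than the From domain
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 3. SPF / DKIM verdicts written by the receiving mail server
    auth = str(msg.get("Authentication-Results", "")).lower()
    for token in auth.replace(";", " ").split():
        if token.startswith(("spf=", "dkim=")) and not token.endswith("=pass"):
            findings.append(token)
    return findings
```

Such a check belongs in the inbound mail flow, where a non-empty result can be used to tag the message for the recipient rather than to block it outright.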
What general protective measures can companies take in addition to IT security?
Hecker: As with all fraud schemes, the "human factor of insecurity" remains in the case of CEO fraud: companies should therefore regularly sensitize their staff to such attacks. The best way to do this is to use the most concrete examples possible. In addition to increased vigilance, clear, transparent rules also help. In the case of CEO fraud, companies can protect themselves, for example, by setting basic maximum limits for transfers and clearly defined control and approval processes.
Bernhard Hecker has been dealing with electronic corporate communications for over 25 years. Since 2005 he has been head of product management at Retarus. As an expert in security and data protection, he is also involved in the Bitkom and TeleTrusT associations.