Two of the world’s largest online businesses have become the latest victims of “CEO fraud”, in which crooks pose as senior executives of a business and order more junior members of staff in finance or accounts to make payments to another company. Google and Facebook said last week that they had both been caught out by a scam thought to be worth as much as £77m, though both companies have recouped at least some of their losses.
If online criminals now have the skills to dupe these supposedly tech-savvy internet giants, most other businesses are potentially vulnerable. And while high-profile cases make all the headlines, it is small- and medium-sized enterprises (SMEs) that are most routinely targeted by scammers – and which can be the most vulnerable to attacks.
Online attacks of all kinds now pose a huge threat to SMEs, with one in five businesses having been targeted over the past year, according to the British Chambers of Commerce. However, the rise in CEO fraud is especially worrying, with criminals employing sophisticated techniques to impersonate key executives convincingly.
Staff believe that they’ve been given instructions by the boss – and are often told the payments are emergency transactions to avoid a contract being breached or to settle a legal dispute before it escalates – so they transfer the money promptly, only to discover later that the orders were fake and money has disappeared.
It’s easy to dismiss these threats as only affecting the careless, but keep in mind that such deceptions are typically well planned and carefully executed. Attackers often spend months researching who in an organisation has the authority to authorise payments to third parties, as well as who has the clearance to action such orders.
They often track the executive’s movements – so they can strike while the person is travelling, for example – and they may look for new employees in a finance department, who may be unfamiliar with company procedures. Often, the person targeted will be told the transaction is highly sensitive and must be kept confidential, even from close colleagues.
While that may sound difficult to pull off, too many companies make it easier for criminals to strike – for example, by publishing extensive information about key people, including roles and contact details, on corporate websites. Social media is another key target for attackers seeking information, with company employees routinely disclosing key information about what they do, as well as when they’re going on holiday or will be out of the office.
How to defend against imposters
Cyber criminals can be convincing and no single line of defence will protect your business from fraud. However, it’s crucial to encourage your staff to develop a healthy sense of scepticism. They need to be prepared to question instructions and approaches they receive, even where the communication shows every sign of being genuine. In addition, consider the following action points:
• Make sure that your organisation has policies in place that require additional checks to be carried out before a transfer above a set threshold can be made, and that those checks go through a channel independent of the request itself, for example a call back to the executive or supplier on a number already held on file, never one supplied in the email. No one person should have the authority to sign off on a large transfer of funds single-handedly.
• Encourage extra vigilance at key times. Many CEO frauds are launched late on a Friday or just prior to public holidays, when attackers know attention levels are at their lowest and senior staff absences may be more common.
• Consider carefully what information your company puts into the public domain about who is responsible for finance, particularly on corporate websites.
• Remind people at every level of the business of the dangers of sharing too much information online, including on social media and personal blogs.
• Inform everyone within the organisation if you have been targeted by CEO fraud. While you may have seen through the attempt, sharing details will enable you to highlight everything wrong with it and encourage your staff to be wary in the future.
• Monitor new domain registrations that resemble your own. If someone registers domain names similar to your business’s (a swapped letter, a look-alike character, an extra word such as “payments” or a different top-level domain), they may be acquiring convincing email or website addresses in preparation for an attack.
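The last action point can be partly automated. The script below is an added example and is not part of the original article or any vendor’s product: it generates the look-alike variants of your own domain that fraudsters typically register (omitted, doubled or transposed letters, confusable characters such as “rn” for “m” or “1” for “l”, hyphenation, added words like “payments”, other top-level domains), then screens a list of newly registered domains against them, falling back to an edit-distance check for variants the generator did not enumerate. The domain `example.com` and the `NEW_REGISTRATIONS` feed are constructed for illustration; in practice the feed would come from a newly-registered-domain list or a domain-monitoring service.

```python
"""Look-alike domain screening for CEO-fraud preparation (added example)."""

# Confusable substitutions commonly seen in fraudulent look-alike domains.
CONFUSABLES = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"], "a": ["4"],
    "s": ["5"], "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"],
}
# Top-level domains to try in place of the organisation's own.
TLDS = ["com", "net", "org", "co", "co.uk", "io", "biz"]
# Words fraudsters append to make a domain look like a finance or mail system.
AFFIXES = ["secure", "mail", "finance", "payments", "invoice"]


def split_domain(domain):
    """'example.co.uk' -> ('example', 'co.uk'): label before the first dot, rest is the TLD."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def lookalikes(domain):
    """Return the set of look-alike variants of `domain` this generator knows about."""
    label, tld = split_domain(domain)
    out = set()
    for t in TLDS:                                  # same name, different TLD
        if t != tld:
            out.add(f"{label}.{t}")
    for i in range(len(label)):                     # one character omitted
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for i in range(len(label)):                     # one character doubled
        out.add(f"{label[:i]}{label[i]}{label[i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):                 # adjacent characters transposed
        out.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    for src, subs in CONFUSABLES.items():           # confusable characters swapped in
        start = label.find(src)
        while start != -1:
            for sub in subs:
                out.add(f"{label[:start]}{sub}{label[start + len(src):]}.{tld}")
            start = label.find(src, start + 1)
    for i in range(1, len(label)):                  # hyphen inserted inside the name
        out.add(f"{label[:i]}-{label[i:]}.{tld}")
    for affix in AFFIXES:                           # finance-sounding word added
        out.add(f"{label}-{affix}.{tld}")
        out.add(f"{affix}-{label}.{tld}")
        out.add(f"{label}{affix}.{tld}")
    out.discard(domain.lower())
    return out


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, domain, generated=None, max_distance=2):
    """Return why `candidate` resembles `domain`, or None if it does not."""
    generated = lookalikes(domain) if generated is None else generated
    candidate = candidate.lower()
    if candidate == domain.lower():
        return None
    if candidate in generated:
        return "generated-permutation"
    cand_label, _ = split_domain(candidate)
    label, _ = split_domain(domain)
    if cand_label == label:
        return "same-label-other-tld"
    distance = levenshtein(cand_label, label)
    if distance <= max_distance:
        return f"edit-distance-{distance}"
    if label in cand_label:
        return "contains-label"
    return None


def scan(new_registrations, domain):
    """Map each suspicious newly registered domain to the reason it was flagged."""
    generated = lookalikes(domain)           # computed once, reused for every candidate
    hits = {}
    for candidate in new_registrations:
        reason = classify(candidate, domain, generated)
        if reason:
            hits[candidate.lower()] = reason
    return hits


# Constructed sample feed standing in for a real newly-registered-domain list.
NEW_REGISTRATIONS = [
    "examp1e.com",            # digit 1 for letter l
    "exarnple.com",           # "rn" for "m"
    "example-payments.com",   # finance-sounding suffix
    "exmaple.com",            # transposed letters
    "example.co",             # different TLD
    "examples-inc.net",       # contains the name, beyond the generator's patterns
    "unrelated.org",          # benign
]

if __name__ == "__main__":
    for dom, why in sorted(scan(NEW_REGISTRATIONS, "example.com").items()):
        print(f"{dom:24} {why}")
```

Treat a hit as a lead, not a verdict: many look-alikes are benign or defensive registrations, so the follow-up is to check who registered the domain and whether it has mail records, and to warn finance staff about the specific variant. Bear in mind also that this catches only one vector; fraudsters just as often send from a free webmail account with the executive’s name in the display field, or from the executive’s own compromised mailbox, which no domain monitoring will flag, which is why the call-back check above remains essential.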