Fake Email: The summer holiday is precisely when hackers are extra creative and send urgent requests on behalf of the CEO. Don’t fall into the trap!
“Good morning.
We need to make a payment to a company in the UK.
What information do you need to make the payment? Can you do it today?”
Emails with wording similar to the above land in the inboxes of Danish companies several times a year. They are short, precise, and have only one purpose: to lure the recipient into the trap and start a dialogue that can have serious consequences for the company.
It’s high season for CEO fraud, also known as Business Email Compromise (BEC), a growing threat to companies worldwide. Cybercriminals exploit companies’ trust and organizational structures to trick employees into transferring money or disclosing sensitive information.
“We receive CEO fraud several times a year ourselves. It’s an advantage that we know each other well, and not least how our CEO normally communicates. But they (the hackers) are getting better and better – and I can easily imagine that if you are in a large organization with many employees who might not be very close to their CEO, then it can be easy to fall for it,” says CFO Jan Rasmussen, CapaSystems.
In this blog post, we explain CEO fraud and offer good advice on how your company can effectively protect itself against this type of scam, including how to spot a fake email immediately.
What is CEO fraud?
CEO fraud is a type of scam in which a hacker pretends to be a company’s CEO or other high-ranking executive to trick employees into performing actions that serve the hacker’s purposes. These actions can include transferring money to a fake account or disclosing sensitive company information. The fraudsters often use social engineering and email spoofing to make their messages look credible.
Typical characteristics of CEO fraud
- Urgent Requests: Scam emails often contain pressure and urgency, indicating that the request must be handled immediately.
- Secret Transactions: The requests often imply that the transaction must remain confidential and not be discussed with others.
- Irregular Email Addresses: The email address may differ slightly from the legitimate address (e.g., using .net instead of .com).
Good advice to protect your company against CEO fraud
Education and Awareness:
- Regular training for employees on recognizing scam emails and social engineering techniques.
- Educate employees about the typical characteristics of CEO fraud.
- Consider distributing the Danish police’s brochure on the subject (in Danish) to selected employees.
Verification Procedures:
- Implement two-factor authentication for all financial transaction requests.
- Require verbal or face-to-face verification before executing major financial transactions.
Email Security:
- Use advanced email filters and threat detection systems to block suspicious emails.
- Implement DMARC (Domain-based Message Authentication, Reporting & Conformance) to prevent email spoofing.
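As an added example (not part of the original post), a small Python check for the sender indicators described above: a From domain that is a lookalike of the company’s own domain (as with .net instead of .com), an executive’s name on an external address, and a Reply-To that points somewhere other than the From domain. DMARC protects your own exact domain against spoofing; it does not catch lookalike domains, which is what this check covers. The corporate domain and executive names are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed placeholders for this example: the company's legitimate domain
# and the executives whose names a CEO-fraud email would borrow.
CORP_DOMAIN = "example.com"
EXEC_NAMES = {"jane ceo-example", "john cfo-example"}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _label(domain: str) -> str:
    # "example.net" -> "example": the part a TLD-swap lookalike keeps unchanged
    return domain.split(".")[0]


def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; small values mean a typo/homoglyph-style lookalike
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, reply_to: str = "") -> list[str]:
    """Return the CEO-fraud indicators found in one message's From/Reply-To headers."""
    name, addr = parseaddr(from_header)
    domain = _domain(addr)
    findings = []
    if domain != CORP_DOMAIN:
        # Exact-domain spoofing is DMARC's job; here we look for near misses.
        if _label(domain) == _label(CORP_DOMAIN):
            findings.append(f"lookalike TLD: {domain} vs {CORP_DOMAIN}")
        elif _edit_distance(domain, CORP_DOMAIN) <= 2:
            findings.append(f"lookalike domain: {domain} vs {CORP_DOMAIN}")
        if name.lower() in EXEC_NAMES:
            findings.append(f"executive name '{name}' on external address {addr}")
    if reply_to:
        rt_domain = _domain(parseaddr(reply_to)[1])
        if rt_domain != domain:
            findings.append(f"Reply-To domain {rt_domain} differs from From domain {domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample header resembling the page's "payment to a company in the UK" request
    for finding in check_sender("Jane CEO-Example <jane@example.net>"):
        print(finding)
```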
Security Policies:
- Establish and communicate clear policies for handling financial requests and sensitive information.
- Ensure all employees know and follow these policies.
Regular Checks:
- Conduct regular security checks and audits to identify and remedy vulnerabilities.
- Monitor financial transactions closely to detect suspicious activities.
CEO fraud is a severe threat with significant financial and reputational consequences for companies. By following the above advice and implementing robust security measures, your company can reduce the risk of falling victim to this type of scam.
We wish everyone a really good (and safe) summer with less chance of being tricked by a fake email from the boss 🌞