CEO fraud (often grouped with executive phishing or ‘whaling’, although strictly speaking whaling is phishing aimed at executives) is a form of business email compromise (BEC) in which an attacker impersonates a company executive in order to extract sensitive information or coerce a financial transaction from targeted employees or other executives.
These attacks are targeted, planned, and socially engineered so that the emails appear to come directly from a corporate executive, such as the CEO, CFO, CIO, or another senior figure.
CEO fraud can target anyone with an email account, but those at highest risk are executives and employees with access to sensitive or financial information. Targets may include people in the accounting department with access to bank and payment details, IT staff with access to systems and credentials, or HR staff with access to employee data.
Fraudsters research corporate websites, public records, blogs and articles, social media pages, LinkedIn, and other open sources to identify target employees, their reporting lines, and the pretext most likely to move them. The information gathered is used to craft emails that read as authentic communications from a company executive.
These fraudulent emails, sent in the name of a high-ranking executive, mimic the company’s internal communication style and typically stress urgency and confidentiality so that the recipient acts quickly and does not stop to verify the request.
Sometimes the emails are timed for when the executive is known to be out of the office or travelling, which removes the easy option of walking down the hall to validate the request.
Attackers use various methods to perpetrate CEO fraud, such as:
Executive impersonation attacks are substantially harder to spot than typical, widely distributed phishing emails. The request appears legitimate and comes from a familiar executive, uses a familiar tone, language, and company references, and in some cases is sent from a compromised executive account, in which case the sender address and email authentication results are genuine.
Prepare your employees to watch for and identify CEO fraud (with Phishing Simulations or Security Awareness Training (SAT) tools, if possible). Be cautious of:
Here is an example of a CEO fraud email:
CEO Fraud Email Example
Traditional content filters do little against CEO fraud, because the message usually carries no malicious link or attachment and nothing that has been seen before. Domain authentication (SPF, DKIM, DMARC) blocks exact spoofing of your own domain, but it does not stop lookalike domains, display-name spoofing from free webmail accounts, or mail sent from a compromised executive mailbox. Employee training in recognition and out-of-band verification is therefore essential for CEO fraud prevention, but it is not enough on its own.
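The gap described above, where filters see nothing malicious in the payload, is why mailbox-level checks look at sender identity and message context instead. The following is an added example (not IRONSCALES code, and not a substitute for a full product) of header-level heuristics for executive impersonation: it flags a display name that matches a known executive but does not resolve to that executive’s real address, a sender domain that is a near-miss of the corporate domain, a Reply-To that diverts replies elsewhere, and urgency or confidentiality language. The corporate domain `example.com`, the executive directory, and the two sample messages are constructed for illustration.

```python
"""
Header-level heuristics for spotting CEO-fraud (executive impersonation) mail.

Added example, not IRONSCALES code. CORP_DOMAIN, EXECUTIVES and the two
sample messages are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed corporate identity and executive directory (constructed).
CORP_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",     # CEO
    "john smith": "john.smith@example.com", # CFO
}

# Pressure language typical of CEO fraud (see the tone/urgency discussion above).
URGENCY_TERMS = ("urgent", "asap", "immediately", "confidential", "wire", "gift card")


def _norm(name: str) -> str:
    """Lower-case a display name and strip punctuation so 'Jane Doe' == 'jane doe'."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: bytes) -> dict:
    """Return the sender address, a list of findings, and a suspicious verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # 1. Display name is a known executive, but the address is not that executive's.
    known = EXECUTIVES.get(_norm(display))
    if known and addr.lower() != known:
        findings.append(f"display name '{display}' matches an executive but address is {addr}")

    # 2. Sender domain is a near-miss of the corporate domain (typosquat / homoglyph).
    if domain and domain != CORP_DOMAIN and 0 < _edit_distance(domain, CORP_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {domain}")

    # 3. Replies are silently redirected to a different mailbox.
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Urgency / confidentiality pressure in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency/confidentiality language: " + ", ".join(hits))

    # Two independent signals is the (assumed) threshold for routing to review.
    return {"from": addr, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages: one impersonation attempt, one genuine note.
FRAUD = b"""From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example.com
Subject: Urgent wire - confidential

Are you at your desk? I need a wire processed before 3pm. Keep this confidential until I am back.
"""

LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 board deck

Can you send me the Q3 numbers when they are ready? No rush.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD), ("legit", LEGIT)):
        print(label, score_message(raw))
```

Note the limit this example shares with any header check: a message sent from a genuinely compromised executive mailbox carries a correct From address, a correct domain, and passing authentication, so only the urgency signal fires and the verdict stays below threshold. That case is precisely where out-of-band verification by the employee (a phone call to a known number, not a reply to the email) has to carry the load.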
A few tips for employees to prevent CEO fraud:
CEO fraud prevention therefore requires not only a focus on human behavior but also technical controls that detect impersonation at the mailbox level, looking at sender identity and message context rather than only at links and attachments.
See below to learn all about IRONSCALES™ award-winning CEO fraud protection tools.
IRONSCALES™ provides mailbox-level fraud and anomaly detection for attacks that DMARC-based controls and conventional Secure Email Gateways (SEGs) can't detect. Our CEO fraud solution:
Get a demo of IRONSCALES™ today! https://ironscales.com/get-a-demo/