CEO fraud (commonly referred to as executive phishing or ‘whaling’) is when an attacker successfully impersonates a company executive in order to gain sensitive information or coerce a financial transaction from targeted executives or employees.
These well-planned attacks are specifically selected, coordinated, and socially engineered to appear as if the emails come directly from a corporate executive, such as the CEO, CFO, CIO, or other VIP.
Categorized as a type of business email compromise (BEC), CEO fraud is covered in the FBI’s IC3 Internet Crime Report 2021, which found that it has resulted in:
CEO fraud/phishing can target anyone with an email account, but those at highest risk are executives and employees with access to sensitive or financial information. Targets of CEO email fraud may include people in the accounting department with access to bank and credit card information, IT reps with access to networks and passwords, or HR reps with access to employee data.
Fraudsters research corporate websites, records, blogs/articles, social media pages, LinkedIn, and other resources to identify target employees and how they may be coerced. The information gathered through this research is used to fabricate emails that appear to be authentic communications from a company executive.
These fraudulent emails that target high-ranking executives attempt to mimic the tone of the company’s communication style, and typically emphasize urgency and confidentiality to motivate the employee to act and respond quickly without much thought or hesitation.
Sometimes the emails are sent while the executive is known to be out of the office, further reducing the likelihood of the employee walking down the hall to validate the request.
Attackers use various methods to perpetrate CEO fraud, such as:
Executive phishing attacks are substantially more difficult to spot than typical, widely distributed phishing emails. The request appears to be legitimate and to come from a familiar executive, uses a familiar tone, language, and company references, and in some cases may actually be sent from a compromised executive account.
Prepare your employees to watch for and identify CEO fraud (with Phishing Simulations or Security Awareness Training (SAT) tools if possible). Be cautious of:
Here is an example of a CEO fraud email:
CEO Fraud Email Example
Email filters won’t do much to prevent CEO fraud, as the email won’t typically contain a malicious link or attachment, or one that has been seen before. Employee training for recognition and verification is essential for CEO fraud prevention, but it’s also not enough.
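Because a CEO fraud email usually carries no malicious link or attachment, detection has to look at who the message claims to be from and how it is written. The following Python example, added here and not IRONSCALES code, scores inbound messages with three of the checks described above: a display name matching an executive roster while the sender address does not, a sender domain one typo away from the company domain, and urgency or confidentiality language. The executive roster, the company domain, and the four sample messages are all constructed for illustration.

```python
"""Heuristic flags for executive-impersonation (CEO fraud) email.

Added example, not IRONSCALES code. The executive roster, the company
domain and the sample messages are constructed for illustration only.
"""
import re
from email.utils import parseaddr

# Constructed roster: normalized display name -> the executive's real address.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",     # CEO
    "john smith": "john.smith@example.com",  # CFO
}

# Phrases that CEO fraud emails lean on to rush the recipient.
URGENCY_TERMS = ("urgent", "asap", "immediately", "confidential",
                 "wire transfer", "gift card")


def normalize_name(name: str) -> str:
    """Collapse whitespace and case so 'Jane  DOE' matches 'jane doe'."""
    return re.sub(r"\s+", " ", name.strip().lower())


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, legit: str) -> bool:
    """One-character difference (e.g. examp1e.com vs example.com)."""
    return domain != legit and edit_distance(domain, legit) <= 1


def analyze(msg: dict) -> list[str]:
    """Return the list of reasons this message looks like CEO fraud."""
    flags = []
    display, addr = parseaddr(msg.get("from", ""))
    _, reply_addr = parseaddr(msg.get("reply_to", ""))
    name = normalize_name(display)
    sender_domain = domain_of(addr)

    # 1. Executive's display name on a sender address that is not theirs.
    if name in EXECUTIVES:
        if addr.lower() != EXECUTIVES[name]:
            flags.append("display-name impersonation of executive")
        # 2. Real executive mailbox (possibly compromised) steering replies off-domain.
        elif reply_addr and domain_of(reply_addr) != COMPANY_DOMAIN:
            flags.append("reply-to redirected off-domain")

    # 3. Sender domain that is a typo away from the company's own domain.
    if sender_domain and is_lookalike_domain(sender_domain, COMPANY_DOMAIN):
        flags.append(f"lookalike sender domain: {sender_domain}")

    # 4. Two or more pressure phrases in subject plus body.
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        flags.append("urgency/confidentiality language: " + ", ".join(hits))
    return flags


# Constructed sample messages covering each scenario.
SAMPLE_MESSAGES = [
    {   # display-name spoof sent from a free webmail account
        "from": "Jane Doe <jane.doe.ceo@freemail.example>",
        "subject": "Urgent - need this handled today",
        "body": "I'm in a meeting and can't talk. Please process a wire transfer "
                "ASAP and keep this confidential.",
    },
    {   # typo-squatted domain, no executive name involved
        "from": "Accounts Payable <ap@examp1e.com>",
        "subject": "Updated banking details",
        "body": "Please update the vendor bank account before the next payment run.",
    },
    {   # genuine executive address but replies go elsewhere
        "from": "John Smith <john.smith@example.com>",
        "reply_to": "John Smith <js.private@freemail.example>",
        "subject": "Confidential acquisition",
        "body": "Need gift cards for the board, immediately. Do not discuss.",
    },
    {   # ordinary internal mail, should produce no flags
        "from": "Pat Lee <pat.lee@example.com>",
        "subject": "Lunch menu",
        "body": "The cafeteria menu for next week is attached.",
    },
]


def scan(messages=SAMPLE_MESSAGES) -> list[list[str]]:
    return [analyze(m) for m in messages]


if __name__ == "__main__":
    for msg, flags in zip(SAMPLE_MESSAGES, scan()):
        print(msg["from"], "->", flags or "clean")
```

The third sample matters most: nothing about the sender is forged, so an SEG keyed on domain authentication sees a valid message, and only the off-domain Reply-To and the pressure language give it away. In production the roster would come from the directory, the lookalike check would also cover homoglyphs and added words (e.g. `example-corp.com`), and the flags would feed a banner or quarantine rule rather than a print statement.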
A few tips for employees to prevent CEO fraud:
CEO fraud prevention requires not only a focus on human behavior, but also advanced technology.
See below to learn all about IRONSCALES™ award-winning CEO fraud protection tools.
IRONSCALES™ provides mailbox-level fraud and anomaly detection that DMARC-based and conventional Secure Email Gateways (SEG) can't detect. Our CEO fraud solution:
A researcher at IRONSCALES recently discovered thousands of business email credentials stored on multiple web servers used by attackers to host spoofed Microsoft Office 365 login pages.