What is CEO Fraud?

What is CEO Fraud?

CEO fraud (commonly referred to as executive phishing or ‘whaling’) is when an attacker successfully impersonates a company executive in order to gain sensitive information or coerce a financial transaction from targeted executives or employees. 

These well-planned attacks are specifically selected, coordinated, and socially engineered to appear as if the emails come directly from a corporate executive, such as the CEO, CFO, CIO, or other VIP.

Categorized as a type of business email compromise (BEC), FBI’s IC3 Internet Crime Report 2021 found that CEO fraud has resulted in:

• More than a third of all cybercrime
• US business losses of $2.4 billion in 2021, 33% more than 2020
• Losses of $26 billion between 2013-2019

How does executive phishing work?

CEO fraud/phishing can target anyone with an email account, but those at highest risk are executives and employees with access to sensitive or financial information. Targets of CEO email fraud may include people in the accounting department with access to bank and credit card information, IT reps with access to networks and passwords, or HR reps with access to employee data.

Fraudsters research corporate websites, records, blogs/articles, social media pages, LinkedIn, and other resources to identify target employees and how they may be coerced. The information gathered through this research is used to fabricate emails that appear to be authentic communications from a company executive. 

These fraudulent emails that target high ranking executives attempt to mimic the tone of the company’s communication style, and typically accentuate urgency and confidentiality to motivate the employee to act and respond quickly without much thought or hesitation. 

Sometimes the emails are sent while the executive is known to be out of the office, further reducing the likelihood of the employee walking down the hall to validate the request.

Attackers use various methods to perpetrate CEO fraud, such as:

• Spear-phishing - Creating fraudulent emails targeted toward a specific employee with access to sensitive or financial data.
• Name Spoofing - Impersonating an executive’s email by using their name in an email address (though, for example, the email domain may be off by a letter). Attackers will also use trusted websites, services, or platforms that have email notification or comment  functionality such as Dropbox, Google Docs, Asana, Trello or even something like Evite. 
• Email Spoofing - Manipulating the source (executive) email address so that both the name and email domain appear legitimate to the employee target.
• Social engineering – Using various means (often based on information gathered through online research) to trick someone into providing information. Attackers may use a combination of email, texts, or other methods to coerce the employee into thinking they’re communicating directly with a company executive.
  
  

How to identify CEO phishing attacks

Executive phishing attacks are substantially more difficult to spot than typical, widely-distributed phishing emails. The request appears to be legitimate and coming from a familiar executive, uses familiar tone, language, and company references, and in some cases may actually be emails from a hacked executive account.

Prepare your employees to watch for and identify CEO fraud (with Phishing Simulations or Security Awareness Training (SAT) tools if possible). Be cautious of:

• Requests for a financial transaction, particularly those that stress urgent, immediate action
• Any email that requests sensitive, proprietary information or demands secrecy
• Requests for transactions that indicate the sender is unavailable to talk or respond
• Spoofed names or email domains (e.g., always check the spelling of the name and the domain)
• Reply-to address that may be different from the sent-from address
• Requests for payments/transactions that include new accounts
• Unfamiliar links in an executive email
• Intent and tone of the email - does it sound like your executive?

Here is an example of a CEO fraud email:

CEO Fraud Email Example

How to prevent CEO fraud

Email filters won’t do much to prevent CEO fraud, as the email won’t typically contain a malicious link or attachment, or one that has been seen before. Employee training for recognition and verification is essential for CEO fraud prevention, but it’s also not enough.

A few tips for employees to prevent CEO fraud:

• Don’t rush! Don’t be pressured into a quick response just because an executive sends an urgent email. This is the exact intent of the attacker.
• Verify any request for a financial transaction or sensitive information.
• Independently check bank details for any transaction request to ensure that they are not new or amended. 
• Carefully manage what you reveal on social media about your company.
• Be aware and selective of what information you provide on your website about your suppliers (and what suppliers may have on their site about your company).
• Be aware of executive travel schedules, especially if they are using automated out-of-office replies.
• Never click on links or attachments from unknown sources.

CEO fraud prevention requires not only a focus on human behavior, but also advanced technology. 

See below to learn all about IRONSCALES™ award-winning CEO fraud protection tools. 

Learn more about enterprise CEO fraud protection from IRONSCALES™

IRONSCALES™ provides mailbox-level fraud and anomaly detection that DMARC-based and conventional Secure Email Gateways (SEG) can't detect. Our CEO fraud solution:

• Prevents spoofing by creating a unique sender “fingerprint” for each employee. This is accomplished by analyzing “sent-from” IPs, communication context and habits, and other factors. Any deviation from the norm is detected immediately. 
• Leverages Natural Language Processing to flag commonly-used BEC language.
• Incorporates DMARC, SPF, and DKIM email authentication validation.
• Uses AI and machine-learning to continuously study every employee’s inbox and detect anomalies for both email data and metadata.
• Automatically quarantines any detected anomaly in real-time, and visually flags the email subject line and body with guidance for the employee (see example below).
• Adapts with sophisticated social engineering developments using AI, machine learning, and crowdsourcing techniques.