Cybersecurity blog header

Tips to avoid becoming a victim of CEO fraud and other impersonation attempts

To avoid becoming a victim of CEO fraud, be wary of any suspicious communication ordering a transfer or disclosing information.

38 million euros. This was the haul made by a Franco-Israeli criminal network after impersonating several CEOs to defraud several European companies before being dismantled by a police operation led by Europol. This case shows how important it is for a manager to avoid falling victim to CEO fraud. This targeted social engineering attack triggers severe economic and reputational consequences for companies and professionals who fall into the criminals’ trap.

For example, a Valencia Municipal Transport Company (EMT) worker was a victim of this kind of scam in 2019. The criminals got her to authorise illegitimate payments worth 4 million euros. This professional was dismissed by the company and sentenced by the Court of Auditors to reimburse the stolen money. Almost five years later, she is still litigating to be exonerated from this conviction.

How does CEO fraud work, and who is affected?

Cybercriminals impersonate an organisation’s CEO to induce a third employee of the company to perform a specific behaviour, such as disclosing confidential business information or making a financial transfer, as happened in the case of EMT Valencia.

Like many digital risks, its development can be precarious, sloppy and easily detectable. But it can also be highly sophisticated, including:

  • An elaborate prior analysis of the person to impersonate.
  • The acquisition of domains is very similar to those used in their corporate conversations.
  • The use of Artificial Intelligence tools to perform voice or video deepfakes.

This variety of procedures has also led to a diversity of possible channels through which it is possible to receive fraud of this nature. The most common channels are:

  • Corporate email.
    Instant messaging applications.
    Telephone calls.
    Online office environments such as Teams, Slack or similar.

Regarding potential victims, criminals initially sought to contact middle management with the ability to make irregular transfers. Nowadays, however, there are also more careless and random contacts, so that any employee of an organisation can be involved in such an action.

It is also essential to note that CEO fraud is a type of scam that mainly affects both public and private organisations that operate on a commercial level, make transfers or have a network of suppliers.

What types of impersonation attempts exist?

Although, at a theoretical level, several types of frauds of this nature can be distinguished, their differentiation in practice can be more complex and dependent on the degree of social engineering used in their development:

  • CEO fraud
    • Potential victim: Employees of the organisation with access to the requested information.
    • Who is impersonated? The CEO or another position of responsibility.
    • Examples:
      • Requesting a transfer.
      • Requesting the purchase of a payment card-type item.
      • Inquiring about how to access a particular environment.
  • Whaling
    • Potential victims: Directors or high-profile executives.
    • Who is impersonated? Known and trusted entities.
    • Examples:
      • Summoning the victim to a fictitious meeting by sending them a malicious link infected with malware.
      • Intercepting and spoofing an email conversation to divert a wire transfer.
      • Requesting salary information from employees.
  • Business Email Compromise
    • Potential victim: Staff in finance, sales and purchasing departments.
    • Who is impersonated? Suppliers, customers and related parties, both known and potential.
    • Examples:
      • Requesting payment to a different account number than usual.
      • Requesting a purchase to a new shipping address.
      • Confirming new features in products that are still under development.

How can you avoid becoming a victim of CEO fraud?

Cybersecurity experts recommend companies and their professionals follow a series of guidelines and implement measures that can be essential to avoid becoming a victim of CEO fraud:

  1. Know about this kind of attack and be aware of its danger.
  2. Have protocols in place on how to act when faced with requests for sensitive information or when making a transfer or disbursement, regardless of the organisation’s size, because criminals also target smaller organisations. For example, at the end of 2023, a nursing home was scammed out of 20,000 euros.
  3. Pay special attention to emails with attachments or external links, not only to corporate accounts but also to personal accounts or those belonging to other institutions, such as universities or professional associations.
  4. Do not open external links or attachments in suspicious emails.
  5. Have anti-spam and anti-malware software.
  6. Identify domains and subdomains created by criminals to impersonate the organisation and block their communication internally.
  7. Conduct practical awareness exercises regularly and adapt existing protocols to the existing level of awareness.
  8. Make use of second-factor authentication (2FA) and secure password creation mechanisms.

Is it possible to detect clues to avoid becoming a victim of CEO fraud?

To carry out a CEO fraud or other kind of impersonation attempt, criminals need to induce their victims’ behaviour. This implies that practitioners in an organisation can detect five significant clues:

  1. A concrete indication of the behaviour to be performed next. For example, transferring money to a specific account or sharing login credentials.
  2. A degree of urgency, criticality or relevance of the action to be performed, thus encouraging it to be done in the shortest possible time.
  3. An indication of confidentiality regarding what is being requested is needed to avoid confirming through third parties whether the request is accurate or to prevent the victim from questioning the request.
  4. An unusual destination account number. This sign is prevalent in frauds where a regular contact, such as a supplier or service provider, is impersonated.
  5. Impersonation of a third party.
    • If the fraud is sophisticated, this impersonation may be sufficiently complex to be noticeable at first glance, as it may be using a legitimate email that has been compromised.
    • In other cases, it will be easy to spot minor variations in the email address or content URLs and the use of a new phone number.

How do you respond to a phishing attempt?

If an organisation’s professional detects any of these signs, he should act quickly to avoid becoming a victim of CEO fraud by taking the following actions:

  • Avoid interacting in any way with a suspicious message.
  • Do not provide confidential information, whether personal or corporate, in interactions with third parties not authorised to share this type of information.
  • Collect details of the fraud, such as email addresses or telephone numbers from which the suspicious communication was received.
  • Inform other staff in the company so that other professionals can avoid falling victim to the CEO’s fraud.
  • Bring it to the attention of the company’s IT or cybersecurity department so that mitigation measures can be put in place.
  • Have anti-fraud cybersecurity services in place to enable early identification of these attacks and assist in mitigating them.
  • Reporting the facts.

Ultimately, phishing attempts are a real threat that can cause companies millions in financial losses, damage their reputation and bring legal problems for successfully duped professionals. Therefore, organisations must have clear protocols in place to enable each of their professionals to avoid falling victim to CEO fraud and to raise the alarm at any sign of this kind of scam.

More articles in this series about Social Engineering

This article is part of a series of articles about Social Engineering

  1. Tips to avoid becoming a victim of CEO fraud and other impersonation attempts
  2. Phishing as a Service: Kits to steal money and data from companies
  3. What is SEO poisoning?
  4. Malvertising, when ads are a trap
  5. Whaling attack, when criminals think they are Captain Ahab
  6. The QR code scam and quishing: Be careful what you scan!