How To Address Business Email Compromise or “CEO Fraud” in Your Business


Fraudsters are constantly inventing new scams to outsmart the general public online. The cleverest of this deceitful pack are always trying to one-up their competition by developing the wiliest, and therefore most successful, variations on online fraud. Business Email Compromise (BEC), usually called “CEO Fraud” when an executive is the one being impersonated, is the latest popular scam. It targets businesses by impersonating the CEO or another key executive to fool employees into performing unauthorized tasks. If you receive an urgent email from your boss, you want to act on it right away, correct? That instinct is exactly what the fraudster is counting on.

Fraudsters can easily browse your company website and search through social media profiles to identify your key executives and the supporting staff who handle money and records: finance, accounts payable, payroll, office administration and so on. Most people reveal far too much information about their roles and responsibilities, their out-of-office details, their reporting lines and more. With fairly little effort, thieves can harvest most of the information needed to assemble a very targeted campaign that looks entirely genuine.

This can be a simple email appearing to come from the CEO asking for a reply containing personal or confidential information, asking the recipient to purchase gift cards, or, in more sophisticated cases, asking them to execute a wire transfer or another highly sensitive financial task. The message “appears” to come from the CEO because the sender’s display name is trivially forged, the sending domain is a lookalike of the real one, or the executive’s real mailbox has been compromised. This is a very effective type of fraud because it plays on an already established level of trust. Employees want to help. Most employees will drop what they are doing and prioritize a task like this from the CEO without question. Telling what is genuine from what is fraudulent is sometimes difficult.

Most of the time, the scam is identified only after it is too late. According to the FBI, CEO Fraud has cost businesses in excess of $12.5 billion, and the figure is growing. It happens worldwide and is not specific to any country.

I’m often asked what the top things are that businesses should spend their money on to prevent fraud and these types of scams. My answer is always the same. You can spend all the money you want on antivirus, intrusion detection, next-generation filters and other technologies, but all of that technology will be nearly useless if you don’t focus on educating your staff first. If your staff are not aware of these scams and how to identify them, you’re vulnerable. I compare it to buying fancy locks for your house: if not everyone in the house knows that you’re not supposed to open the door for strangers, the locks are useless.

Start with employee education and awareness. Employees are the weakest link in any cybersecurity program, but they can also be its greatest asset by serving as the first line of defense. Identify your most at-risk users (anyone who can move money, change payment details or release employee records) and give them the knowledge and awareness to identify these scams early on.

In parallel, invest in technical controls and in a security policy and procedures that formalize the process. The single most valuable procedure is out-of-band verification: any request to send money, change bank details or release sensitive data is confirmed by calling the requester on a number already on file, never on a number or email address supplied in the request itself. Employee awareness cannot be a “set it and forget it” approach. Continuous reinforcement and testing are key. As threats and scams evolve, employees need to be told how the changes affect their roles. How do users keep up with what is safe to click on and what isn’t, and which requests it is acceptable to respond to? Also, give them real examples of the disasters and lost personal money that resulted when employees elsewhere did not heed the warnings. Who wants to lose $500, $1,000 or more, especially to willful, deceitful grifters out for nothing but personal enrichment?
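One concrete form the “technical controls” above can take is a filter that flags the hallmarks of a CEO Fraud message before it reaches an inbox. The following is an added example written for this page, not code from the original article or from any product: it scores an email for an executive display name paired with a non-company address, a Reply-To pointing elsewhere, a lookalike of the company domain, and urgency or money-moving language. The company domain, the executive list, the keyword lists, the similarity threshold and the two sample messages are all constructed assumptions for the demonstration.

```python
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the organization's real domain and the
# executives a fraudster would most plausibly impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "bob smith": "bob.smith@example.com",
}

# Constructed keyword lists; a production filter would tune these.
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|confidential|discreet)\b", re.I)
FINANCIAL = re.compile(r"\b(wire(?: transfer)?|gift cards?|w-?2|payroll|invoice|bank details)\b", re.I)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_domain(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True when `domain` is not the real one but is confusingly close to it.

    Common homoglyph tricks (0 for o, 1 for l, rn for m, vv for w) are
    normalized away before comparing, then a similarity ratio catches the rest.
    """
    if not domain or domain == legit:
        return False

    def norm(d: str) -> str:
        d = d.replace("rn", "m").replace("vv", "w")
        return d.translate(str.maketrans("0135", "olse"))

    a, b = norm(domain), norm(legit)
    return a == b or SequenceMatcher(None, a, b).ratio() >= 0.85  # assumed threshold


def score_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and return the BEC indicators it trips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")

    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display name matches an executive but sender address does not")
    if reply_addr and _domain(reply_addr) != _domain(addr):
        findings.append("Reply-To domain differs from From domain")
    if lookalike_domain(_domain(addr)):
        findings.append(f"sender domain {_domain(addr)} looks like {COMPANY_DOMAIN}")
    if URGENCY.search(text):
        findings.append("urgency language")
    if FINANCIAL.search(text):
        findings.append("financial or sensitive-data request")
    return {"from": addr, "score": len(findings), "findings": findings}


# Constructed sample messages (not real mail): one fraudulent, one legitimate.
SAMPLE_FRAUD = b"""From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.private@gmail.com
To: accounts@example.com
Subject: Urgent wire transfer needed today

I am in a meeting and cannot take calls. Please process a wire of $48,500 to the
vendor details below immediately and keep this confidential.
"""

SAMPLE_LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 board deck

Attached is the draft deck for review before Friday.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_FRAUD, SAMPLE_LEGIT):
        result = score_message(raw)
        print(result["from"], "score", result["score"])
        for f in result["findings"]:
            print("  -", f)
```

A score of one or two is a reasonable threshold for routing the message to quarantine or prepending a visible warning banner; the point is that none of these checks needs to understand the scam in advance, only the shape a CEO Fraud message tends to take. Header-level checks like these complement, rather than replace, SPF, DKIM and DMARC enforcement on your own domain.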

If your business does fall victim to one of these scams, stop and assess the situation. What information was put at risk? In recent cases, staff have shared employee W-2 information and other sensitive company data. If your organization fell victim to an unauthorized wire being sent, contact your bank and law enforcement immediately; a wire recall is far more likely to succeed in the first hours than days later. Preserve all evidence. This can be very embarrassing for the person who was deceived, but encourage them to share every detail they are aware of and to preserve everything: the original emails with their full headers (not forwarded copies, which lose them), wire confirmations and so on. This will be needed for forensics and to try to track the fraudster. It will also help identify the gaps in your security program, which can then be closed to strengthen your defenses in the future.

The more incidents that are reported and called attention to, the better the chances that future attempts to defraud employees will be recognized and discouraged.


