LIVE WEBINAR: Better Business With Smooth and Secure Onboarding Processes
Register Now!

What is CEO Fraud? – Attacks & How to Prevent Them

Robert MacDonald

CEO fraud attacks can destroy a company’s financial and reputational future but are there any ways to protect against these attacks? 

What is CEO fraud? CEO fraud, also called executive or whale phishing, is a type of phishing attack where a cybercriminal pretends to be a high-level executive and emails an employee requesting sensitive information, a wire transfer or login credentials.

What Is Social Engineering and Phishing?

Social engineering is using social interaction (phone calls, emails, conversations, messages) to fool individuals into parting with confidential information, including account access credentials, financial account information, and even money. 

The earliest attacks known to cybersecurity were considered social engineering, and currently, social engineering attacks like phishing are some of the most common forms of cyber threats in the world. 

Phishing is the act of using some messaging service to pretend to be another person or organization with the notion of triggering an individual to provide information. More specifically, phishing often refers to a limited set of approaches to social engineering that include:

  • Email Phishing: The most common form of attack involves attackers simply sending malicious emails to individuals. These attackers will pretend to be a prominent business, a bank’s support or fraud division, or even someone interested in working with the recipient for financial or employment purposes.

    These emails will most often include a call to action that involves clicking a malicious link or calling the number of a fraudulent call center. 
  • Video and Productivity Software Phishing: As more workers rely on collaboration software and video conferencing solutions, hackers are turning to these platforms to fool their targets. Some examples of fraud have been launched using messaging capabilities on software like Microsoft Teams, Skype, or Zoom.

An additional aspect of this attack is the use of Voice phishing through voice or video calls… However, these are much harder to pull off and are not typical.

  • SMS Phishing: While email is almost completely ubiquitous in modern computing, another prevalent technology is SMS text messaging. Many scam outfits are turning to SMS scams to send links or phone numbers directly to users’ phones, making these messages look authentically like they come from businesses or financial institutions. 

What Are the Prime Forms of CEO Fraud?

Many enterprise businesses make the mistake that phishing, or social engineering in general, is only successful against under-prepared employees. The understanding that executives have some purchase on avoiding social engineering attacks is demonstrably false, as we have seen with the rise of CEO fraud. 

CEO fraud, simply put, is a fraudulent social engineering attack against a CEO (or other C-level executives) to get them to provide access to company resources. 

In today’s digital world, there are a few forms of attack that serve as the foundation of CEO fraud:

  • Spear Phishing: Spear phishing is a form by which the attacker, rather than spray low-effort messages across an organization, researches higher-grade targets in management or with security access. These attacks are more likely to succeed because they will come with the convincing language, convincing the target of the legitimacy of the attack. 
  • Business Email Compromise (BEC): Another way to easily navigate a company’s messaging system is to compromise a user’s account and masquerade as a company member. This allows the hacker to bypass email screening systems and present more convincing phishing messages to employees and executives who, upon seeing an email from the company domain, will immediately trust it.
  • Executive Whaling: The evolved form of spear phishing, executive whaling is the process of researching the top-level executives of an organization to gather information on their habits, corporate structure, employee structure, interests, and daily routines.

    The hackers can use this knowledge to launch messaging attacks posing as, for example, internal financial managers who request wire transfers for thousands of dollars.

Executive whaling isn’t limited to email and often comes through advanced platforms where an executive may not expect an attack (such as video conferencing or productivity software). 

How Can I Prevent CEO Fraud?

While no organization has airtight security, it’s still possible to slow down or eliminate CEO fraud by addressing the issues that lead to organization access. Some ways to address fraud include:

  • Use Strict Authentication Controls: You must have strong authentication to prevent attacks. Biometrics, liveness testing, and identity proofing can all go a very long way towards cutting out low-level breaches that often lead to larger instances of CEO fraud.
  • Educate Executives About Fraud: We’ve already stressed that executives aren’t above falling for phishing attacks. Therefore, your security and compliance teams must put forward training and awareness materials for the C-suite to better understand how vulnerable they are if they ignore potential instances of fraud. 
  • Run Phishing Simulations: Security experts regularly run penetration tests and vulnerability scans to ascertain the strength of a system’s defense measures. A good test to run is to throw out phishing simulations, organized and operated by your internal IT team, to help expose weaknesses in the organization and raise awareness about solid cyber hygiene.
  • Use Inbound Email Security: Simple and easy, IT managers can deploy software that filters out a blocklist of external domains or only allows a safelist of emails to enter employees’ inboxes. Furthermore, email systems can be set up to raise visual alerts on emails coming from external sources–-while this doesn’t eliminate the problem but can raise warning bells for employees. 

Avoid Potential CEO Fraud Using Strong Authentication with 1Kosmos

While some instances of CEO fraud sneak through social means, strong authentication is a reliable way to prevent widespread phishing. From the top to the bottom, resilient and secure identity management and authentication system can mitigate account breaches and minimize the attack surface used to fool executives.

Current authentication platforms are working towards a comprehensive approach to this security… but 1Kosmos is already there. We bring together vital biometrics and decentralized, blockchain-powered identity management with intuitive user experiences that minimize poor cyber hygiene and weaknesses related to passwords. 

With 1Kosmos BlockID, you get the following benefits:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone. 
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user. 
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target. 
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK. 

To learn more about avoiding CEO fraud, read our whitepaper on how to Go Beyond Passwordless Solutions.