• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar

Red Sift Blog

Democratizing technology essential for cybersecurity.

Red Sift Blog
  • redsift.com
  • Featured
  • About
  • Get in touch
You are here: Home / Email / A fish, whale and CEO walk into a bar

A fish, whale and CEO walk into a bar

by randal
March 17, 2020May 14, 2020Filed under:
  • DMARC
  • Email

Remember the good old days when fishing for info or money online was just called phishing? We’re an industry built on tech and science, but we do love our artsy synonyms and hyperbole. 

If you’ve ever had the pleasure of talking to Rois, our Head of Cyber Governance, you’ll know how she feels about the unreliability of research that looks at Business Email Compromise (BEC), whaling, friday afternoon scams, and CEO fraud as different types of incidents. IT’S THE SAME THING.

We recently posted a blog about BEC, and we’ve also talked you through whaling and spear phishing, so to close the circle of education on all these types of email threats, here’s a quick guide to CEO fraud. 

CEO fraud: the facts

Well firstly, you should know that the FBI calls it Business Email Compromise (cue intense eye rolling). Secondly, it’s not about CEO’s committing fraud. And finally, it’s not just about CEOs.

In an age when engagement and transparency are key to topping customer relations practices, most C-level executives will have a profile on a corporate website and social accounts combining marketing-approved streams of consciousness with the occasional personal opinion thrown in. It’s never been easier to build profiles of executives and impersonate their communication styles and that’s why CEO fraud is such an easy win for scammers.

Impersonating someone else in order to gain access to confidential information or money is the crux of the phishing attack, so CEO fraud simply extends that process to scammers masquerading as your boss with a c-level title and tricking you into committing a breach.

Common CEO fraud scenarios

  1. ‘CFO’ emails accounts to ask for a money transfer to be sent to a supplier – but the account details have changed and it needs to be action urgently. 
  2. ‘CEO’ emails HR to ask for a list of employees and associated financial information to be shared with a new payroll company
  3. ‘Partner’ at law firm asks paralegal to send conveyancing monies to a new account due to an internal error

In a recent report by the FBI, it reported that organizations lost an estimated $1.77 billion due to these types of attack and it’s clear to see why. Faced with an end-of-day email from the CEO marked ‘URGENT’, you’d be forgiven for acting on it immediately. Invoice scams are particularly prolific as they play on an employee’s fear of the potential consequences of an unhappy supplier, or partner that could put pause to the organisation’s operations.

Identifying and eliminating CEO fraud

The reason so many phishing attacks come to fruition is that scammers are no longer satisfied with using lookalike email domains, using a lower case ‘L’ for the letter ‘I’ for example. Today, domain impersonation is a simple hack and it makes it impossible for a recipient to identify that the email purporting to come from their CEO is actually a fake. 

Contrary to popular belief that email gateway protection, such as spam filters and appliances that weed out emails with malicious content, will protect organisations from domain impersonation, the only sure fire way to eliminate the threat is with an entirely different (less resource intensive) approach. In the last few years, we’ve seen a wave of action against email impersonation, and global protocols such as DMARC have been widely adopted to tackle email fraud. 

And your email defence toolkit just got more robust, with new monitoring tools, such as our own OnINBOX product, that alerts you to risks in your inbox – from unknown email senders, to unusual content. 

Share this:

  • Click to share on Twitter (Opens in new window)
  • Click to share on Facebook (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)

Related

Tagged:
  • BEC
  • CEO
  • Fraud
  • Phishing

Post navigation

Previous Post What does DMARC do for BEC in 2020?
Next Post Featured: Traxcn – Emerging Startups 2020: Top Big Data Analytics Startups

Primary Sidebar

Recent Posts

  • 2021 The Threat Landscape: Brand protection and BEC attacks lead the charge
  • OnDMARC Wins “Best-Of DMARC” Award On Review Platform Expert Insights
  • The case for embracing DORA
  • Red Sift – Closing the Net on the Phishing Problem
  • Beware of this common NHS Covid-19 Vaccine email scam

Archives

  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • November 2016
  • October 2016
  • February 2016

Categories

  • AI
  • BEC
  • Coronavirus
  • Cybersecurity
  • Deliverability
  • DMARC
  • Email
  • Finance
  • Labs
  • News
  • OnINBOX
  • Partner Program
  • Red Sift Tools
  • Uncategorized
  • Work @ Red Sift

Copyright © 2021 · Milan Pro on Genesis Framework · WordPress · Log in