Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
CEO fraud is a type of cyberattack in which a fraudster impersonates a company executive via email. This could be your CEO, CFO, Head of HR — or anyone with the power to ask employees to make payments.
As we’ll explain below, there are several different methods used by cybercriminals to carry out a CEO fraud attack. But they all have one thing in common: money.
Most often, a CEO fraud email will urgently request the employee to pay a supplier’s “invoice” using new account details. Cybercriminals use sophisticated techniques and meticulous research to make the attack as persuasive as possible.
Why do cybercriminals impersonate CEOs and other high-level executives? Two reasons:
There’s some confusion about CEO fraud and how it relates to other types of cybercrime. Let’s clear a few things up before looking at CEO fraud in more detail.
CEO fraud is related to the following types of cybercrime:
These types of cyberattack all utilize email and impersonation—two critical elements of a CEO fraud attack.
CEO fraud is not to be confused with “whaling”: a phishing attack where the cybercriminal targets—rather than impersonates—a CEO or other senior company employee.
More on that in this article: Whaling: Examples and Prevention Strategies.
As explained above, CEO fraud is related to Business Email Compromise. That’s because the attacker needs to make it look like they’re a senior employee of your company—so any email they send must appear to have come from a company account.
There are three main ways cybercriminals can compromise a CEO’s email account:
Once the threat actor has taken control of a CEO’s email account—or has convincingly impersonated their email address—they use one of the following techniques to attack the target organisation:
Now let’s take a look at an example of a CEO fraud attack to help you better understand the process.
Like all social engineering attacks, CEO fraud attacks exploit people’s feelings of trust and urgency. When the CEO is “in a meeting” or “at a conference” and needs an urgent favor, employees don’t tend to second-guess them.
Here’s how a CEO fraud email might look. Now, for the sake of the example, imagine your boss is Thomas Edison. Yes, that Thomas Edison.
There are a few things to note about this CEO fraud email:
There’s one more thing to note about the email above. Look at the display name — it’s “Thomas Edison”. But anyone can choose whatever email display name they want, and many mobile email clients show only the display name by default, hiding the actual address unless the recipient taps on it. That leaves people vulnerable to crude “display name impersonation” attacks.
Cybercriminals can also set up a fake email domain impersonating your company’s real domain name. The domain is the part of the email address after the “@” sign. A cybercriminal impersonating Bill Gates, for example, might purchase a domain such as “micros0ft.com” or “microsoft.co”.
Likewise, using “freemail impersonation”, a less sophisticated attacker might simply set up an email account with any free email provider using the CEO’s name (think “email@example.com”). It sounds crude, but such attacks really can work.
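The three header-level tricks above (display name impersonation, lookalike domains and freemail impersonation) can all be checked mechanically on the From: header before a message reaches the finance team. The following is an added example, not Tessian's code or anything from the original article: it assumes a hypothetical company domain of example.com, a constructed executive list and constructed sample headers, and uses only the Python standard library. The lookalike check goes slightly beyond the article's two examples (digit-for-letter swaps and a changed top-level domain) by also catching a one-character typo of the company's registered label and the company name reused as a subdomain of an attacker's domain.

```python
from email.utils import parseaddr

# Constructed for this example: the defended organisation's real domain and
# the normalised display names attackers are most likely to borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"thomas edison", "jane doe"}

# Free webmail providers an unsophisticated attacker would simply register at.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com"}

# Digit/letter substitutions commonly used in typo-squatted domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def _normalise_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Thomas  EDISON' matches 'thomas edison'."""
    return " ".join(name.lower().split())


def _fold_homoglyphs(domain: str) -> str:
    """Map 'micros0ft.com' -> 'microsoft.com' and 'rnicrosoft.com' -> 'microsoft.com'."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, company: str = COMPANY_DOMAIN) -> bool:
    """True for a domain that imitates the company domain without being it (or a subdomain of it)."""
    domain = domain.lower().rstrip(".")
    if domain == company or domain.endswith("." + company):
        return False
    if _fold_homoglyphs(domain) == company:
        return True                               # micros0ft.com
    label, company_label = domain.split(".", 1)[0], company.split(".", 1)[0]
    if label == company_label:
        return True                               # microsoft.co, microsoft.com.evil.net
    return _edit_distance(_fold_homoglyphs(label), company_label) <= 1   # microsof.com


def classify_sender(from_header: str) -> dict:
    """Parse a From: header and return the impersonation signals it triggers."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return {"display_name": display_name, "address": address, "flags": ["unparseable"]}
    domain = address.rsplit("@", 1)[1].lower()
    internal = domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)
    flags = []
    # An executive's name on an external address is impersonation; a free
    # webmail domain tells you which flavour.
    if not internal and _normalise_name(display_name) in EXECUTIVES:
        flags.append("freemail-impersonation" if domain in FREEMAIL_DOMAINS
                     else "display-name-impersonation")
    if is_lookalike(domain):
        flags.append("lookalike-domain")
    return {"display_name": display_name, "address": address, "flags": flags}


# Constructed sample headers, one per technique discussed above.
SAMPLE_HEADERS = [
    "Thomas Edison <t.edison@example.com>",            # genuine internal address
    "Thomas Edison <thomas.edison.ceo@gmail.com>",     # freemail impersonation
    "Thomas Edison <ceo@mail-relay.net>",              # bare display name impersonation
    "Accounts Payable <ap@examp1e.com>",               # digit-for-letter lookalike
    "Thomas Edison <t.edison@example.co>",             # wrong TLD plus executive name
    "Supplier <billing@vendor-invoices.com>",          # ordinary external sender
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = classify_sender(header)
        print(f"{header:50} -> {result['flags'] or ['ok']}")
```

Note what this check cannot do: if the attacker has actually taken over the CEO's mailbox (the compromise routes described earlier), the From: header is genuine and header analysis alone will pass it. Those cases need the second line of defence the article keeps returning to: an out-of-band confirmation of any change to payment details, regardless of who appears to have asked.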
It’s fair to say that cybercrime has gone into overdrive in recent years.
Data from the FBI’s Internet Crime Complaint Center (IC3), released March 2021, shows a record-breaking number of cybercrime complaints in 2020.
The IC3 reports a 69% increase in the number of complaints compared with 2019, with reported losses exceeding $4.1 billion. The most frequently reported type of cybercrime was—you guessed it—phishing.
So it’s clear that cybercrime, particularly phishing, is pervasive—and increasingly so.
But what about CEO fraud itself? CEO fraud was once the dominant form of Business Email Compromise. However, there is some evidence that cybercriminals are moving away from CEO fraud and towards a broader range of more sophisticated social engineering attacks.
In 2020, the FBI noted that while CEO fraud previously dominated BEC, cybercriminals now impersonate a broader range of actors, including vendors, lawyers, and payroll departments.
And a report by UK Finance suggests that while CEO fraud is still among the eight main types of fraud targeting consumers and businesses, there was a 14% drop in CEO fraud attacks between the first half of 2020 and the first half of 2021. (So it’s not all doom and gloom…)
But CEO fraud is still a big deal. And as with all other types of social engineering attacks, there’s evidence that CEO fraud attacks are becoming more sophisticated and easier for threat actors to carry out.
For example, in March 2021, a CEO fraud “phishing kit” was discovered that enabled cybercriminals to easily host fake Office 365 login pages in the cloud storage tool Backblaze.