Unfortunately, phishing (tricking someone into handing over their credentials) is a common problem for many businesses. Thanks to automated spam and malicious-email protection, many mass-email attempts to fool employees are caught long before they become an issue. However, crooks are getting smarter: they're now targeting CEOs in order to steal large sums of money.
How Does The Scam Work?
Unlike mass phishing, where crooks blast out an email to company employees asking them to "update their password" using a fake link, CEO scam phishers take a more sophisticated approach. They first find out as much as they can about your company — especially who the CEO and CFO are, and who is most likely to approve wire transfers — and use that information in a targeted attack.
The scam usually involves the crooks registering a fake domain that looks remarkably similar to yours at first glance, usually by swapping two letters that are easy to mix up or by swapping a number for a letter. So, if your company's email domain were "@awesomecompany.com," a scammer might register "@awseomecompany.com" — it's hard to tell the difference unless you're looking for it, isn't it?
Once this is done, the phishers spoof the CEO's email address and send a request to the CFO or another financial administrator to wire a large amount of money to what looks like a normal business counterparty, but is actually an account the scammers own. If the recipient isn't careful, they could pass the request on for approval and end up losing a lot of money to thieves.
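A defender-side check that flags mail whose sender domain is a near-miss of your own (a swapped pair of letters or a digit standing in for a letter, as described above). This is an added example and not part of the original article; the company domain, the confusable-character table and the sample addresses are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed assumption: the organisation's real mail domain.
COMPANY_DOMAIN = "awesomecompany.com"

# Digits that scammers commonly substitute for look-alike letters (assumed table);
# mapped back to letters before comparing so "awes0me" reads as "awesome".
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions (the 'swap two letters' trick) each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the real address, ignoring any display name
    such as '"Jane Doe, CEO" <...>' that the scammer sets to look legitimate."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """'internal' for the real domain, 'lookalike' for a near-miss of it
    (distance <= 2 after confusable normalisation), 'external' otherwise."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    if domain == company_domain:
        return "internal"
    distance = damerau_levenshtein(domain.translate(CONFUSABLES),
                                   company_domain.translate(CONFUSABLES))
    return "lookalike" if distance <= 2 else "external"
```

A mail gateway or SOC rule can route any "lookalike" result carrying a wire-transfer request to a human before it reaches the finance team.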
Is This Common?
Unfortunately, it's becoming more popular. When Tom Kemp, CEO of Centrify, told of his encounter with a CEO scam, he explained that they called the company that hosted the fake domain to have it shut down. On the phone, that company said over 50 other fake domains had been registered that same day for the sole purpose of targeting other businesses.
Hard to believe, but the scam continues to work: FBI issues warning over fake CEO emails that have swindled $2.3bn https://t.co/HbUmjRhFZr
— Ray Boisvert ISECIS (@ISECIS) April 12, 2016
This isn't a scam you hear about every day, but it's hard to detect if you're not paying attention, since the crooks go to such great lengths to impersonate your company's personnel.
How Can I Combat CEO Scams?
The two best ways to protect yourself from these attacks are to have a formalized system for approving money transfers in place, and to always confirm transfers with the appropriate personnel in person. With an approval process for large money transfers that involves multiple people, you are more likely to catch fakes before it's too late.
By checking with the CFO or other finance staff in person (or via instant message or phone), you can immediately snuff out fakes, because they're going to be really confused when you ask them about approving a $100,000+ charge!
Educating your employees about these scams and making sure they're skeptical of any request to move lots of money will prove useful, too.