A new analysis of more than 3,000 business email compromise attacks has found that 43 percent chose to impersonate the CEO. More than half of these (54 percent) targeted employees in junior roles, the people least likely to want to annoy the boss by asking whether he really wanted them to do that. The 'that' in question was most commonly a wire transfer of funds (47 percent), and none of these phishing emails included a link to click.
The analysis of attacks plucked randomly from the Barracuda Sentinel system also revealed that stealing personal information or establishing a rapport with the target were objectives in a quarter of cases. And malicious link clicking wasn't totally absent either, appearing in 40 percent of the attack emails.
However, the lack of any suspicious links in 60 percent of all the emails studied helps sidestep awareness training that hammers home the risk of clicking on such things, as well as security measures implemented to flag such emails as potentially dangerous. By targeting roles outside of the C-suite itself, the attackers stand a better chance of succeeding by playing on the fears of junior employees when it comes to annoying their boss. No wonder this attack methodology is often referred to as CEO fraud these days.
Threat actors can get most of the information required to establish this kind of attack from company websites, LinkedIn and even the likes of Facebook or Twitter. "By simply learning who works in accounts payable or the team that handles the organisation's finances," warns Lance Spitzner, Director at SANS Security Awareness, an attacker posing as the CEO can exploit the trust of that position. "This is particularly pertinent in smaller businesses where it might be quite normal for the CEO to make a request via email. Such requests should be verified before the instruction is carried out," Spitzner concludes.
Former US Secret Service agent Michael Levin, now CEO at the Center for Information Security Awareness [CFISA.com], agrees. During a conversation with SC Media UK he advised businesses of all sizes "to have in place strong internal prevention processes and procedures when dealing with all electronic funds transfer (EFT) requests. In most cases, a simple direct confirmation phone call to the executive or manager requesting the payment would prevent these crimes from occurring," Levin insisted. Any request for sensitive data or wire transfers, and especially those involving secrecy or urgency, should be viewed as suspect in an ideal world and additional verification sought. "If anything seems out of place, or the requested wire transfer is of a large sum and involves a new/unknown account or business, there's no reason not to ask twice," reasons Martin Jartelius, CSO at Outpost24, adding "it's way better to delay an urgent business transfer than sending the money into the wrong hands." But how do you 'train' junior staff to ignore their natural instinct, which is not to piss off the boss?
Stephen Burke, CEO at Cyber Risk Aware, recalls a recent case where nine people in the finance department of a UK rail firm were targeted with a fake invoice from the CEO to each wire funds of £9,999, which was below the dual manager approval level of £10,000 for that company. "Thankfully, owing to the simulated phishing and security awareness training the staff received, they spotted the attack and reported it to the IT Security team," Burke relates. Some think that the problem with awareness training is that only a fraction of those staff will actually listen and learn, which makes the simulation option more effective. Such as "security teams sending phishing emails to employees which, if the employee falls for it, leads them to a page informing them about their mistake and educating them on the dangers of their actions," says Prof. Kevin Curran, senior member of the IEEE and professor of cybersecurity at Ulster University.
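The controls the experts describe above (verify payment requests out of band, treat urgency and secrecy as red flags, and do not let a request slip in just under an approval threshold) can be turned into a simple triage step that a finance or security team runs before any funds move. The script below is an added example, not code from the article or from any of the companies quoted in it; the executive directory, internal domain, beneficiary list, the 10 percent "near threshold" band and the sample email are all constructed for this illustration. It scores an inbound request for the CEO-fraud indicators the article reports (executive display name from an outside address, a payment request, urgency or secrecy language, no link at all) and separately applies the payment policy checks, flagging an amount that sits just below the £10,000 dual-approval level in the rail-firm case above.

```python
import re
from dataclasses import dataclass

# --- Constructed data for this example (not from the article or any real company) ---
INTERNAL_DOMAIN = "example-corp.com"
# Display names of executives and the only address each legitimately sends from (assumption).
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
DUAL_APPROVAL_THRESHOLD = 10_000.00      # the article's GBP 10,000 dual-manager approval level
NEAR_THRESHOLD_BAND = 0.10               # treat amounts within 10% below it as suspicious (assumption)
KNOWN_BENEFICIARIES = {"GB00EXAMPLE0000000001"}  # constructed account id, not a real IBAN

URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|by (end of|close of) (day|business))\b", re.I)
SECRECY = re.compile(r"\b(confidential|keep this (between us|quiet)|do not (discuss|mention)|discreet)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|pay(ment)?|invoice|bank details|iban|account number)\b", re.I)
LINK = re.compile(r"https?://", re.I)


@dataclass
class Email:
    display_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def score_email(mail: Email) -> tuple[int, list[str]]:
    """Return a BEC risk score and the reasons behind it.
    The heuristics mirror the article's findings: executive impersonation,
    a payment request, urgency or secrecy language, and the absence of any link."""
    score, reasons = 0, []
    legit = EXECUTIVES.get(mail.display_name.strip().lower())
    if legit and mail.from_addr.lower() != legit:
        score += 3
        reasons.append(f"display name '{mail.display_name}' is an executive but sender is {mail.from_addr}")
    if domain_of(mail.reply_to) != domain_of(mail.from_addr):
        score += 2
        reasons.append(f"Reply-To domain {domain_of(mail.reply_to)} differs from From domain")
    text = f"{mail.subject}\n{mail.body}"
    if PAYMENT.search(text):
        score += 2
        reasons.append("requests a payment or bank-detail change")
        if not LINK.search(text):
            score += 1
            reasons.append("no link: a text-only request that URL filtering cannot catch")
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency language")
    if SECRECY.search(text):
        score += 2
        reasons.append("secrecy language")
    return score, reasons


def check_payment(amount: float, beneficiary: str) -> list[str]:
    """Policy checks a finance team applies before releasing funds; each entry is a reason to hold."""
    holds = []
    if amount >= DUAL_APPROVAL_THRESHOLD:
        holds.append("at or above dual-approval threshold: second manager must sign off")
    elif amount >= DUAL_APPROVAL_THRESHOLD * (1 - NEAR_THRESHOLD_BAND):
        holds.append("just under dual-approval threshold: treat as if dual approval applied")
    if beneficiary not in KNOWN_BENEFICIARIES:
        holds.append("new or unknown beneficiary: confirm by phone with the requester on a known number")
    return holds


def triage(mail: Email, amount: float, beneficiary: str, threshold: int = 5) -> dict:
    """Combine the email score and the payment policy into one verdict."""
    score, reasons = score_email(mail)
    holds = check_payment(amount, beneficiary)
    return {
        "score": score,
        "verify_out_of_band": score >= threshold or bool(holds),
        "reasons": reasons + holds,
    }


# Constructed sample modelled on the rail-firm case: a fake invoice from the "CEO"
# for just under the GBP 10,000 dual-approval level, sent from a look-alike domain.
SAMPLE = Email(
    display_name="Jane Doe",
    from_addr="jane.doe@example-corp-mail.com",
    reply_to="jane.doe@example-corp-mail.com",
    subject="Invoice payment - urgent",
    body="Please wire 9,999 to the attached supplier account. Keep this between us until I am back.",
)

if __name__ == "__main__":
    result = triage(SAMPLE, 9_999.00, "GB00NEWACCT0000000002")
    for line in result["reasons"]:
        print("-", line)
    print("verify out of band:", result["verify_out_of_band"])
```

The email scorer is deliberately coarse and is meant as a prompt for a human phone call, not as a replacement for one; the point of the design is that the payment checks fire on their own, so a request that reads perfectly plausibly still goes on hold if the amount hugs the approval threshold or the beneficiary is new.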
While awareness training is important, it seems many security professionals agree it's not enough on its own. "There needs to be a policy and processes which cover how to deal with employee alerts, backed up by a company culture that allows all employees, new or existing, to feel empowered to challenge anything," Gary Cox, Technology Director at Infoblox, insists. "The last thing that companies need in the fight against impersonation attempts are employees too afraid to simply ask 'I received this request, can I just validate it please?'" he sagely concludes.