As with most IT security warnings, the figures we see are very Americanised, but CEO fraud is a very real threat to UK businesses too, with over £32 million reportedly lost to this kind of attack. Worryingly, the true figure is likely to be far greater: firms may not report the loss to the authorities, or may not even have realised yet that the money is gone.
So what is it? It is called CEO fraud because the attacker purports to be a senior member of staff (often the CEO), and the attack is usually carried out over phone calls and email. The attacker makes contact with their "target" several times and builds up the picture of a "deal" before actually requesting that money be transferred. By the time the request arrives, the targeted member of staff is already expecting to be asked to transfer funds to an account, so the request doesn't seem out of the ordinary and the target complies.
These attacks work better in larger organisations, where there are more senior staff whom the targeted employee may never have met, so an unfamiliar voice or writing style raises no suspicion.
It's common for the attacker to use Gmail, Yahoo or another generic webmail account to communicate, BUT some highly sophisticated attacks have been reported where the attackers spent months learning the target organisation: compromising the mail system, monitoring the communications between particular individuals, and learning the vocabulary, deals and so on that are discussed. Once a detailed enough picture has been built up, the attacker chooses the moment very carefully to send a message containing their own bank details. They may even alter a legitimate message in transit so that nobody notices anything is wrong, until the money that has been sent never arrives with the legitimate recipient.
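The two email tell-tales described above (an executive's name on a webmail address, and a bank-details request arriving from a lookalike or mismatched address) can be checked mechanically before a message reaches the finance team. The script below is an added example written for this page, not code from the original article; the company domain, executive name, sample messages and keyword list are all constructed assumptions, and the checks are header heuristics rather than a complete filter.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for the example: a fictional company domain and one
# executive whose display name is commonly impersonated in CEO fraud.
COMPANY_DOMAINS = {"example-ltd.co.uk"}
EXECUTIVES = {"jane doe": "jane.doe@example-ltd.co.uk"}  # display name -> genuine address
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "yahoo.co.uk", "outlook.com", "hotmail.com"}
PAYMENT_PHRASES = ("bank details", "account number", "sort code", "wire transfer", "urgent payment")


def levenshtein(a, b):
    """Edit distance, used to spot lookalike sender domains (e.g. 'l' swapped for '1')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def flag_message(raw):
    """Return the list of CEO-fraud red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    flags = []

    # 1. Executive's name on an address that is not their genuine one.
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr.lower() != genuine:
        flags.append("display-name-spoof")

    # 2. Sender is a generic webmail account rather than a corporate domain.
    if from_dom in FREEMAIL_DOMAINS:
        flags.append("freemail-sender")

    # 3. Sender domain is within two edits of a genuine company domain.
    if from_dom and from_dom not in COMPANY_DOMAINS and from_dom not in FREEMAIL_DOMAINS:
        if any(levenshtein(from_dom, d) <= 2 for d in COMPANY_DOMAINS):
            flags.append("lookalike-domain")

    # 4. Replies are silently redirected to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        flags.append("reply-to-mismatch")

    # 5. The body asks for a payment or supplies banking details.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if any(p in body.lower() for p in PAYMENT_PHRASES):
        flags.append("payment-request")

    return flags


# Constructed sample messages (not real traffic).
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-ltd.co.uk>
To: accounts@example-ltd.co.uk
Subject: Board minutes

Minutes from this morning's meeting are attached.
"""

SAMPLE_FREEMAIL = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts@example-ltd.co.uk
Subject: Urgent

Please action the attached invoice today using the new bank details below.
"""

SAMPLE_LOOKALIKE = """From: Jane Doe <jane.doe@example-1td.co.uk>
Reply-To: Jane Doe <j.doe.private@outlook.com>
To: accounts@example-ltd.co.uk
Subject: Supplier change

Sort code and account number for the new supplier are below; please transfer before 5pm.
"""

if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("freemail", SAMPLE_FREEMAIL), ("lookalike", SAMPLE_LOOKALIKE)):
        print(label, flag_message(sample))
```

The heuristics catch the webmail and lookalike cases from the article. They do not catch the mailbox-compromise case, where the fraudulent message comes from the genuine executive account or a legitimate message is altered in transit: there the headers are all correct, and the only reliable control is confirming any new or changed bank details out of band, by phone to a number already on file, before paying.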
This kind of attack is very difficult to guard against completely, as it can take many different forms, but our top 5 tips for avoiding CEO fraud are:
A major part of protection against this kind of fraud is education. Make sure your staff are aware of the kinds of scams they could be vulnerable to; if they haven't been told about the threats that are out there, they can't really be held accountable if they are tricked.
Attackers and fraudsters are using very sophisticated methods to take your money from you. Don't make it easy for them!