CEO fraud

According to the Federal Bureau of Investigation, a significant increase in the number of business e-mail phishing scams (most commonly known as CEO fraud) has been recorded, compromising the security of over 20,000 organizations in the past years and resulting in an approximate loss of $2–3 billion USD, an estimated 270% increase in exposed loss and identified victims since 2015. This guarantees only one thing: even though an organization possesses a robust IT infrastructure, attackers will always find a way into the victim’s system. Attackers are well aware that employees are the weakest link in any IT system, and this fact cannot be denied, since 90% of cyber-incidents are a result of fallible human nature.

What do we mean by CEO fraud?

In a CEO fraud, attackers spoof a message (this is what differentiates CEO fraud from an ordinary phishing mail) from an account that looks identical to a legitimate business e-mail account, using social engineering and related social-intrusion techniques to initiate an apparently official transfer of funds. These e-mails generally contain a spoofed sender address in order to impersonate the CEO or another top-level executive of the target organization.

Victims range from organizations involved in money management and wire transfers to any small, medium or large business, whether in manufacturing, consultancy, trading, healthcare, banking or any other vertical.

In what ways can an attacker attempt a CEO fraud attack?

Earlier, phishing and social engineering were considered to be the most frequent as well as the most dangerous attacks. Organizations need to adopt an agile security management approach in order to address the growing risk of data theft. Many attackers who spoof company e-mails use social engineering to fake the identity of the CEO, a trusted vendor or a company attorney. They mainly research an employee or a department involved in money management in order to understand the work cycle of that particular organization. Their main motive is to gather as much data as possible, using social media accounts or out-of-office responses.

According to the statistics, around 150 million phishing e-mails (inclusive of CEO fraud) are sent out every single day! Out of these mails, 800,000 links are clicked, and around 80,000 people fall prey to a scam each day and ultimately share their personal information.

CEO frauds can hurt an organization badly, with results ranging from:

  • Monetary loss
  • People losing their positions immediately
  • Lawsuits filed against the victim organization
  • Loss of customer trust and damage to reputation

There have been a number of cases where CEO fraud has been reported. Let’s take a look at each of them:

Crelan — Belgian Bank

Crelan, a Belgian bank, suffered a shocking $75 million loss in a phishing scam. This is considered to be one of the biggest cases of CEO fraud. In an internal audit, it was found that the attacker was an outsider.

Mattel

Mattel is one of the biggest toy-making companies in the world, with popular brands including Barbie & Hot Wheels. The company was hit badly by a phishing attack that resulted in a loss of around $3 million. A spoofed note was sent from the e-mail of the company’s newly joined CEO to its finance executive, requesting a new vendor payment to China. The money was transferred once the note was approved by both the CEO and the executive. However, the company was fortunate enough to avoid the loss, since the following day was a bank holiday in China, and it was able to freeze the account to which the stolen funds had been transferred.

PayPal-acquired money transfer company

A PayPal-acquired international money transfer company reported an attack that resulted in a loss of $30.8 million in the fourth quarter of 2015, sending its shares down by 17 percent in extended trading. In this particular case, the attacker impersonated an employee and sent fraudulent requests targeting the finance department of the company.

FACC

FACC, an Austrian aerospace parts maker, was hit badly by a phishing scam that resulted in a loss of a huge sum of $42 million! The attackers were able to steal the funds by impersonating the CEO of FACC; according to the supervisory board, the CEO was found to have been unable to fulfil his duties and was fired immediately. The spoofed e-mail was sent to an employee requesting a transfer of funds to an account for a fake acquisition project.

How can an organization protect itself against such attacks?

  1. Employee Awareness

Organizations should educate their employees about such attacks and help them identify spoofed CEO e-mails in their inbox. Employees should be taught the loopholes and tricks that attackers use to lure victims into clicking on links, which ends with the victim transferring large sums of money.

  2. Restricted access

Companies can evade such attacks in general by restricting access to sensitive data to a limited number of employees. Limiting wire-transfer access to the employees of the relevant department gradually reduces the chances of any kind of unauthorized transfer.

  3. Institute technical controls

Technical controls can help prevent the damage done by a phishing e-mail. Proper authentication measures must be implemented across the organization. One must avoid relying on a simple username and password, since they can be easily guessed; therefore an organization must employ robust technical controls across the enterprise. Some of the best practices include:

  • Two-factor authentication
  • Enforcing the policy on automated password and user ID management
  • Patching or updating all IT as well as security systems
  • Managing access as well as permission levels
  • Adopting blacklists or whitelists for extreme traffic

  4. Regulation of policies

Procedures and policies ensure that employees know what to do when they receive an e-mail that is dubious in nature. Clear policies make sure that employees know exactly whom to report to, and when, in case they receive a malicious e-mail. In addition, the number of people who can handle fund transfers should be restricted, and a verification process must be completed before any confirmation is given.

  5. Imparting knowledge with simulated phishing

Employee education can be enhanced by simulated phishing attacks. Such an attack first helps in determining the Employee Vulnerability Score (EVS), a score that measures the percentage of users who are phish-prone and can be manipulated by a spoofed e-mail. Therefore, it is highly recommended that an organization imparts knowledge and performs simulated phishing at regular intervals; repeated simulation reveals how users behave towards such fraudulent e-mails. Kratikal’s employee risk assessment tool, ThreatCop, is designed specifically for this purpose. This SaaS-based tool brings down the overall risk level in an organization by up to 90%, thus building a security culture in the organization and considerably improving its cyber resilience.

  6. Use certified email servers

Using a strong e-mail server is a major step towards preventing fraudulent e-mails. E-mail services like Zoho, Gmail and Outlook come with their own defence mechanisms. Their filtering algorithms restrict the possibility of a fraudulent e-mail reaching the user’s primary inbox and divert it to the spam folder instead. This helps employees judge the authenticity of an e-mail, resulting in lower open rates for spoofed e-mails.
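The spoofed-sender traits described under "What do we mean by CEO fraud?" and the mailbox-level filtering mentioned above can be checked with simple heuristics. The following is an added example, not code from the original article or from any of the services named: it assumes a company domain of example.com and an executive display name of "Jane Ceo", parses one constructed message with Python's standard email module, and reports display-name impersonation, a lookalike sender domain, a diverted Reply-To and payment-pressure wording.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed values (not from the article): company mail domain and executive display names.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane ceo"}
PRESSURE_TERMS = ("wire transfer", "urgent", "confidential", "new vendor")

def one_edit_away(a, b):  # True when b is a by one substitution, insertion or deletion
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(a) >= len(b)  # advance the longer side (both on a substitution)
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) == 1

def check_message(raw):  # returns the CEO-fraud indicators found in one raw message
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if name.strip().lower() in EXECUTIVE_NAMES and domain != COMPANY_DOMAIN:
        findings.append(f"executive display name on external address {addr}")
    if one_edit_away(COMPANY_DOMAIN, domain):  # lookalike domain such as examp1e.com
        findings.append(f"lookalike sender domain {domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():  # replies diverted elsewhere
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in PRESSURE_TERMS if t in text]  # fund-transfer pressure wording
    if len(hits) >= 2:
        findings.append("payment-pressure wording: " + ", ".join(hits))
    return findings

# Constructed sample spoofed "CEO" request with the traits the article describes.
SPOOFED = b"""From: Jane Ceo <jane.ceo@examp1e.com>
To: finance@example.com
Reply-To: jane.ceo@webmail.invalid
Subject: Urgent wire transfer - confidential

Please process the new vendor payment today; I am travelling and cannot take calls.
"""
```

A message that trips any of these checks is a candidate for the spam folder or for a mandatory out-of-band verification before any transfer is confirmed.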

What can be concluded from all this?

In all the cases discussed above, educating employees is a really important step in creating a human firewall around the organization. Once employees become aware of the cyber-risk trends that grow day by day, they become capable of evading and withstanding such cyber-attacks.