Just as medieval castles were designed to safeguard territories during war, a company’s employees are generally expected to strive to protect the organization from a cybersecurity breach. Yet, thousands of team members unknowingly allow imposters to infiltrate businesses and steal millions of dollars by falling victim to executive impersonation fraud.
Surveying the Executive Impersonation Fraud Battleground
A variant of business email compromise (BEC), executive impersonation fraud entails a skilled criminal (or group of criminals) crafting an email that appears to be from one of the company’s key executives. The domain of the email address may be identical to the company’s domain except for one or two letters (e.g., email@example.com vs. firstname.lastname@example.org). Alternatively, the email address might be “spoofed” so that it appears legitimate — until the recipient hovers the cursor over the address (which reveals the real sender).
The criminals do their homework to make their scheme convincing. They typically scour the company’s website and social media accounts to carefully investigate the executive they are impersonating. Additionally, they research their intended target, who will ideally be someone with authority to initiate or approve wire transfers.
Spotting the Enemy from the Watch Tower
According to the FBI, executive impersonation fraud and other BEC scams have struck more than 22,000 victims worldwide and account for more than $3 billion in exposed losses. Given the magnitude of these effects, it is critical that employees know and recognize the following warning signs:
- An email that looks to be from a senior executive comes from an address that varies from the official, company-issued domain.
- The sender conveys urgency or secrecy by asking to communicate only through the email (perhaps due to supposed regulatory restrictions).
- Payments are directed to foreign bank accounts, especially where the company has never done business.
- Requests may occur when the key executive is traveling or unavailable.
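The first warning sign, and the near-miss domains described earlier (identical to the company’s domain except for one or two letters), can be checked automatically at the mail gateway or in a triage script. The following is an added example, not part of the original article; the domain, executive names, and sample headers are constructed placeholders.

```python
from email.utils import parseaddr

OFFICIAL_DOMAIN = "examplecorp.com"    # assumption: constructed placeholder domain
EXECUTIVES = {"jane doe", "sam lee"}   # assumption: constructed executive names

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, swap adjacent letters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Two adjacent letters swapped ("exmaple") count as a single edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_sender(from_header, official=OFFICIAL_DOMAIN, executives=EXECUTIVES):
    """Label a From: header by how its domain relates to the official one."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == official:
        # An exact match says nothing about spoofing; that needs sender authentication.
        return "official-domain"
    if edit_distance(domain, official) <= 2:
        return "lookalike-domain"        # differs by one or two letters
    if any(name in display.lower() for name in executives):
        return "executive-name-external-domain"
    return "external"

# Constructed sample headers, for illustration only.
SAMPLES = [
    'Jane Doe <jane.doe@examplecorp.com>',
    '"Jane Doe" <jane.doe@examp1ecorp.com>',
    'Sam Lee <sam.lee@exmaplecorp.com>',
    'Jane Doe <jane.doe@mailbox.example>',
    'Billing <ap@supplier.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):32} {header}")
```

A message labelled "official-domain" can still carry a spoofed address, so this check complements, rather than replaces, the wire-transfer verification procedures described in the next section.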
Building a Defense Against Cyber Criminals
Executive impersonation fraud relies on employees’ willingness to bypass normal financial controls when asked to do so by an executive. Companies can dramatically reduce their risks with the following basic precautions.
- Create a culture of skepticism. Skepticism can be an important internal control. Employees should know that questioning authority — especially in regard to initiating financial transactions — is not only allowed, but also strongly encouraged.
- Build employee awareness of the latest email scams. Employees are a company’s first line of defense against any form of fraud. In addition to companywide cybersecurity education, all employees who have authority to request, approve, or execute wire transfers should receive regular, specific training on whaling and other social engineering attacks.
- Implement and enforce a social media policy. Employees should be careful about what they share on social networking sites, especially details about key executives’ travel itineraries.
- Strengthen controls around wire transfers. First, restrict authority for initiating or approving financial transactions to a few individuals. Then, design and implement procedures to verify the origin of all wire transfer requests. Many companies require verbal confirmation from someone calling from a company-issued phone number followed by secondary verification from another individual via another phone call using an authorization code.
- Document all of these steps. In the event that these controls fail and a security breach occurs, your documentation will be invaluable for showing regulators and prosecutors that your company implemented reasonable and appropriate safeguards to mitigate data loss.
Let CRI Be Your Cybersecurity Defense Ally
In a world where even an email from your chief executive could be corrupt, it can feel like threats are everywhere. However, defending against executive impersonation fraud requires you to objectively assess your organization’s threats, vulnerabilities, and internal controls. To learn what key questions to ask about your company’s protection, download CRI’s cybersecurity white paper. Additionally, watch our cybersecurity training webinar to learn how to build a successful curriculum.