Research, social engineering and automated scanning are just some of the weapons that scammers use to infiltrate businesses and impersonate the boss. Once the scammers have penetrated the company, they can hide for months, waiting for the perfect opportunity to launch an attack.
A great deal of careful planning and patience lies behind the thousands of CEO fraud attempts targeted at top Danish executives each year. Typically, the fraudsters send a fake emergency mail to the finance department from an executive who is away from the office. This mail instructs the employees to transfer a larger amount of money quickly, confidentially and without questioning the transaction.
Prior to the actual fake mail, a great deal of groundwork has typically already taken place. The fraudsters will have methodically investigated the company, identified key persons and gained access to internal systems such as e-mail servers and calendars. The incidence of CEO fraud is on the rise, and studies and experience from the NNIT Cyber Defense Center show that these cybercriminals are becoming more and more sophisticated.
Nowadays, the criminals behind CEO fraud have an advanced range of tools that can automatically scan for vulnerabilities and harvest passwords and login credentials. They are also clever at reading and imitating internal communication, so that the language and phrasing match the emails that the victims themselves send. They are becoming so good that our monitoring activities never stop.
Phases of the attack
A CEO fraud attack can typically take several months and involves these five phases:
Here, the fraudsters trawl through publicly available information to find suitable targets. Medium-sized businesses are typically the preferred victims, but all types of businesses and organizations can be at risk.
Once the fraudsters have chosen a company, they systematically collect names, titles, email addresses and other details on key persons. This process is often automated, but in some cases the fraudsters contact the company directly via email or phone under the guise of potential applicants, suppliers or customers. In this way, they get access to mail signatures and learn how company employees express themselves in both writing and speech.
When the criminals have gathered the necessary information, they will typically try to compromise the company's internal systems – either through technical vulnerabilities or via targeted phishing emails sent to selected employees. An example of this could be a job application sent to HR with a link or attachment that installs a snooping program on the victim's computer. From there, automated scripts give the criminals immediate access to intercepted information such as passwords for the internal mail server or intranet. The criminals also look for copies of invoices or mail correspondence from the employees they wish to impersonate. Calendars are especially valuable as they show when the manager is traveling or otherwise unavailable.
If the fraudsters have succeeded in infiltrating the company, they will typically lurk in the background and intensify the search for information enabling them to build up a credible story that can lead to a major payoff. They painstakingly study all communication to and from their chosen victims in order to gain insight into language use, sender information and habits.
The fraudsters are now well-prepared and ready to strike when the perfect conditions arise. This could, for example, be when the CEO or another senior executive is temporarily inaccessible. The fraudster may use the opportunity to send a credible request for the transfer of a large sum of money to an employee in the finance department or similar. In some cases, the cybercriminals have even cloned a senior executive's SIM card, so mails can be followed up with a personal text message calling for swift action. The fraudsters will always try to create a sense of urgency and often strike during periods when temporary workers have replaced permanent employees. Many attacks take place on Friday afternoons, just as the employees are on their way home for the weekend.
The automated tools arms race
If you want to defend yourself against CEO fraud, you can use the same mix of automated tools and human skills as the fraudsters. When NNIT Cyber Defense Center helps companies strengthen their security, we use technical security solutions such as Endpoint Detection and Response (EDR), which can detect and block intrusion attempts against the IT system. In addition, it is crucial to educate employees and encourage a culture of heightened awareness in areas such as phishing and social engineering.
A lack of awareness about IT threats is one of the major problems that we clearly see when carrying out threat intelligence and security health checks. Our customers are often surprised by the risks revealed in the simulated attacks performed by our ethical hackers. As a rule, it can be several months before anybody even discovers that the system has been compromised. This is why automated monitoring of systems can be an effective layer of protection that detects fraud attempts at an early stage.
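The article's attack indicators (an executive's name on an external or lookalike address, a mismatched Reply-To, urgent and confidential payment language, Friday-afternoon timing) can be turned into a simple triage score for inbound mail. The following is an added example, not NNIT's tooling; the company domain, executive list and sample messages are constructed.

```python
"""Score inbound mail for CEO-fraud indicators (constructed example)."""
import re
from datetime import datetime
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed internal domain
EXECUTIVES = {"jane ceo": "jane.ceo@example.com"}   # assumed: display name -> real address
URGENCY = re.compile(r"\b(urgent|immediately|asap|confidential|today|before the weekend)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank details|iban)\b", re.I)


def lookalike(domain: str) -> bool:
    """Cheap typo/homoglyph check: same length as our domain, at most one char differs."""
    if domain == COMPANY_DOMAIN or len(domain) != len(COMPANY_DOMAIN):
        return False
    return sum(a != b for a, b in zip(domain, COMPANY_DOMAIN)) <= 1


def score(msg: dict):
    """Return (score, reasons); each hit is one indicator the article describes."""
    reasons = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    real = EXECUTIVES.get(name.lower())
    if real and addr.lower() != real:            # executive's name, wrong mailbox
        reasons.append("display name matches an executive but address does not")
    if lookalike(domain):
        reasons.append(f"sender domain {domain} looks like {COMPANY_DOMAIN}")
    _, reply = parseaddr(msg.get("reply-to", ""))
    if reply and reply.lower() != addr.lower():  # replies diverted to attacker
        reasons.append("Reply-To differs from From")
    if URGENCY.search(msg["body"]) and PAYMENT.search(msg["body"]):
        reasons.append("urgent payment language")
    when = datetime.fromisoformat(msg["date"])
    if when.weekday() == 4 and when.hour >= 14:  # Friday afternoon
        reasons.append("sent Friday afternoon")
    return len(reasons), reasons


# Constructed sample messages: one fraud attempt, one benign request.
SAMPLES = [
    {"from": "Jane Ceo <jane.ceo@examp1e.com>",
     "reply-to": "jane.ceo.private@webmail.invalid",
     "date": "2024-03-15T15:30:00",
     "body": "I'm travelling. Please transfer 120,000 EUR today. Urgent and confidential."},
    {"from": "Jane Ceo <jane.ceo@example.com>",
     "date": "2024-03-12T09:05:00",
     "body": "Could you send me the Q1 slide deck when you have a moment?"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(score(m))
```

A score of two or more is a reasonable trigger for holding the mail and confirming the request with the executive over a known phone number.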
A five-step defense plan
NNIT Cyber Defense Center divides security measures into five steps: