The publicity around CEO Fraud may have calmed down, yet it is far from extinct and remains a serious threat. CEO Fraud, also known as the ‘bogus boss’ scam, still leads to digital larceny by deception, causing displeasure and high economic damage for many companies, such as a German company in the Hessian district of Groß-Gerau. Unknown cyber criminals were able to capture 380,000 euros there through successful CEO Fraud. In 2016 alone, the total monetary loss worldwide caused by this scam method was about $3.1 billion, which matched the profit made by Volkswagen in 2017.
Key figures on CEO Fraud in companies (infographic; only the captions survive): million euros a year captured by a group of cybercriminals through CEO Fraud in Germany between 2014 and 2017; success rate of CEO fraud attacks according to Info Security Magazine.
How is it possible that the success rate of cyber criminals is still extraordinarily high, several years after CEO Fraud was first identified as one of their tools? In the following, we look at the offenders' procedures and their sophisticated fraud techniques in order to better understand why the scam succeeds.
Perfect Planning Is Half the Battle: The Preparatory Stage of CEO Fraud
The target of CEO Fraud is usually a single person, in most cases an employee in the accounting department with direct authority to execute bank transfers. To make the scam appear as authentic as possible, the offenders need extraordinarily good preparation before it begins. The magic word here is social engineering: cyber criminals try to gather as much information as possible about their victim. They find such information on social media channels like Facebook, LinkedIn or Xing, where personal details such as job title, place of work or even the complete organigram of a company are usually easy to acquire.
Cheating and Feinting: The Offensive Stage of CEO Fraud
Once the offenders have gathered enough information on their target, they make first contact and begin the offensive stage of CEO Fraud. They now have to establish a certain familiarity with the targeted person. They do this by referring to current topics of the company in their email, such as an upcoming acquisition or the latest sales figures, which can be taken from previous press releases. To crown the scam, some cyber criminals create an email address that resembles the CEO's. A perfidious trick here is to replace certain letters with letters that look extraordinarily similar: the lowercase letter l in mueller@examplecompany can, for instance, easily be replaced by a capital I. For the ordinary person, this technique, also known as spoofing, can only be recognized by close scrutiny. Another trick used by cyber criminals is the reuse of an existing email communication: if the offender knows which persons the CEO of a company usually communicates with and which topics are usually discussed, the perpetrator can counterfeit such a communication. Fake logos and email signatures complete the picture of a completely legitimate exchange. It is in the email itself that cyber criminals dig deep into their bag of psychological tricks in order to initiate the transaction they desire. Praise for the targeted person's work or a buildup of pressure can be used to trick them. Often, the offenders pretend to need a transfer of money as quickly as possible because an important and discreet deal could otherwise fail. It must be discreet so that the target does not inform colleagues about the affair, which could end the scam.
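The lookalike-letter trick described above (a capital I standing in for a lowercase l) can be caught mechanically on the receiving side. The following is an added illustration, not code from the original article: it reduces sender addresses to a "confusable skeleton" and compares them against a constructed list of executive addresses, also flagging mails that show an executive's display name over a foreign address.

```python
"""Flag From: headers that impersonate a known executive.

Added example; the executive list, the confusable table and the sample
headers are constructed for illustration.
"""
from email.utils import parseaddr

# Executives worth impersonating (constructed sample).
EXECUTIVES = {
    "Hans Mueller": "mueller@examplecompany.com",
}

# Characters that are swapped for visually similar ones: capital I / digit 1
# for lowercase l, digit 0 for o, digit 5 for s. Both addresses are lowercased
# first, so a capital I becomes i and then collapses onto l.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s"})


def skeleton(address: str) -> str:
    """Reduce an address to its confusable skeleton for comparison."""
    s = address.strip().lower().translate(CONFUSABLES)
    # Two-character lookalikes: "rn" reads as "m", "vv" reads as "w".
    return s.replace("rn", "m").replace("vv", "w")


def check_sender(from_header: str) -> str:
    """Classify a From: header as 'ok', 'lookalike' or 'display-name-spoof'."""
    name, addr = parseaddr(from_header)
    addr_l = addr.strip().lower()
    for exec_name, exec_addr in EXECUTIVES.items():
        if addr_l == exec_addr:
            return "ok"  # the genuine address, character for character
        if skeleton(addr_l) == skeleton(exec_addr):
            # Differs from the genuine address only in confusable characters
            return "lookalike"
        if name and name.strip().lower() == exec_name.lower():
            # Executive's name on display, but the address is someone else's
            return "display-name-spoof"
    return "ok"


if __name__ == "__main__":
    for hdr in ("Hans Mueller <mueller@examplecompany.com>",
                "Hans Mueller <mueIler@examplecompany.com>",  # capital I
                "Hans Mueller <ceo.hmueller@freemail.example>"):
        print(f"{check_sender(hdr):20} {hdr}")
```

Skeleton matching only tells you that an address is suspiciously close to a protected one; the decision to quarantine or merely warn belongs in the mail gateway's policy.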
What accounts for the success of the scam?
In most cyber attacks, employees are the largest risk factor. The Federal Office for Information Security (in German: Bundesamt für Sicherheit in der Informationstechnik, short: BSI) has repeatedly warned the public about the careless handling of personal data. Companies, however, contribute to the problem by publishing a multitude of information on social networks for marketing purposes. As a result, the offenders have little difficulty accumulating enough information to make their scam succeed. Another crucial factor is the psychological component: cyber criminals deliberately and shamelessly exploit emotions such as respect for and trust in a manager or business owner in order to manipulate their victims.