Beware CEO Spam

Watch out for CEO spam

Because we are in contact with a lot of businesses and speak to companies about their IT security on a daily basis, we are able to pick up on new trends quickly.

One threat we are seeing more of is so-called CEO Spam, a sophisticated fraud that has resulted in firms losing hundreds of thousands, even millions, of pounds.

Also known as CEO fraud, Whaling, Spear Phishing or BEC (Business Email Compromise), the fraud takes the form of an accounts person receiving an email purporting to come from the MD or CEO, asking them to make a payment to a certain account and telling them it is urgent.

The email will look genuine and may even use all the relevant email signatures. It will certainly appear to come from the right email address.

The European Police Office, Europol, is aware of this growing danger and recently gave details of the characteristics of this type of attack in its 2016 Internet Organised Crime Threat Assessment (see page 32).

The report says that in many cases, prior to any attack, the criminals have carried out a lot of research, mapping the organisation’s structure and the behaviour of potential victims. Letters, emails or phone calls may also come from outside the company, with a payment request sent by someone purporting to be a trusted business partner or a lawyer.

It says a fraudulent request is usually time-sensitive and often coincides with the close of business hours to make verification of the request difficult.

Recent cases include a Suffolk business paying more than £1 million to a fraudulent caller, and the global fibre optics firm Leoni losing €40 million.

Earlier this year, the BBC reported that French businesses have lost an estimated €465m since 2010, with a reported 15,000 firms falling victim to similar scams, including big names, such as Michelin, KPMG and Nestle. In the US, the FBI estimates these scams have cost organisations more than $2.3 billion in losses in recent years.

Our advice to companies is to make sure all employees, not just financial staff, are aware of these threats and know the danger signs. Businesses should also develop standard procedures for paying money, such as only paying against an invoice or other signed document. In addition, companies are advised to research what information is publicly available about their business and whether it needs to be public.

In the words of the Norfolk and Suffolk Police Cyber Security Advisor, “prepare for ‘when’ an attack happens, not if”.
