
    CEO Fraud

    CEO Fraud, also known as Business Email Compromise, is a $26 billion scam according to the FBI. Find out how you can prevent this type of attack and what to do if you become a victim.


    What Is CEO Fraud?

    CEO Fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives to try to fool an employee in accounting or HR into executing unauthorized wire transfers or sending out confidential tax information.

    The FBI calls this type of scam "Business Email Compromise" and defines BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

    According to FBI statistics, CEO fraud is now a $12 billion scam. Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses. The scam has been reported in all 50 states and in 150 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to 115 countries.


    Four Attack Methods

    Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how the bad guys do it: 

    1. Phishing

    Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources—often with legitimate-looking logos attached. Banks, credit card providers, delivery firms, law enforcement, and the IRS are a few of the common ones. A phishing campaign typically shoots out emails to huge numbers of users. Most of them are to people who don’t use that bank, for example, but by sheer weight of numbers, these emails arrive at a certain percentage of likely candidates.

    2. Spear Phishing

    This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users. A spear phishing email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included – perhaps the person’s name, or the name of a client.

    3. Executive Whaling

    Here, the bad guys target top executives and administrators, typically to siphon off money from accounts or steal confidential data. Personalization and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.

    4. Social Engineering

    Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.


    5 Common Attack Scenarios

    1. Business working with a foreign supplier: This scam takes advantage of a long-standing wire-transfer relationship with a supplier, but asks for the funds to be sent to a different account. 
    2. Business receiving or initiating a wire transfer request: By compromising and/or spoofing the email accounts of top executives, another employee receives a message to transfer funds somewhere, or a financial institution receives a request from the company to send funds to another account. These requests appear genuine as they come from the correct email address. 
    3. Business contacts receiving fraudulent correspondence: By taking over an employee’s email account and sending invoices out to company suppliers, money is transferred to bogus accounts. 
    4. Executive and attorney impersonation: The fraudsters pretend to be lawyers or executives dealing with confidential and time-sensitive matters. 
    5. Data theft: Fraudulent emails request either all wage or tax statement (W-2) forms or a company list of personally identifiable information (PII). These come from compromised and/or spoofed executive email accounts and are sent to the HR department, accounts or auditing departments.

    Who Are The Main Targets?

    The CEO isn't always the one in a criminal’s crosshairs. There are four other groups of employees considered valuable targets given their roles and access to funds/information:

    Finance

    The finance department is especially vulnerable in companies that regularly engage in large wire transfers. All too often, sloppy internal policies only demand an email from the CEO or other senior person to initiate the transfer. Cybercriminals usually gain entry via phishing, spend a few months doing recon and formulate a plan. They mirror the usual wire transfer authorization protocols, hijack a relevant email account and send the request to the appropriate person in finance to transmit the funds. As well as the CFO, this might be anyone in accounts who is authorized to transfer funds.

    HR

    Human Resources represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organization, manages the employee database and is in charge of recruitment. As such, a major function is to open résumés from thousands of potential applicants. All the cybercriminals need to do is include spyware inside a résumé and they can surreptitiously begin their early data gathering activities. In addition, W-2 and PII scams have become more commonplace. HR receives requests from spoofed emails and ends up sending employee information such as social security numbers and employee email addresses to criminal organizations.

    Executive Team

    Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority. If their email accounts are hacked, it generally provides cybercriminals access to all kinds of confidential information, not to mention intelligence on the type of deals that may be ongoing. Thus executive accounts must receive particular attention from a security perspective.

    IT

    The IT manager and IT personnel with authority over access controls, password management and email accounts are further high-value targets. If their credentials are compromised, the attackers gain entry to every part of the organization.



    Domain Spoof Test

    Can your email address be spoofed?

    Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby. Find out today if your domain can be spoofed!




    Board Oversight and Fiduciary Duty

    Virus and malware defense has long been viewed as a purely IT problem. Some organizations do appoint Chief Information Security Officers (CISOs); however, information security is often viewed as a challenge that lies well below board or C-level attention.

    The events of recent years have highlighted the danger of this viewpoint. With the FBI warning corporations that they are at risk and so many high-profile victims in the news, organizations, led by their CEO, must integrate cyber risk management into day-to-day operations.

    Additionally, companies must take reasonable measures to prevent cyber-incidents and mitigate the impact of inevitable breaches. The concept of acting “reasonably” is used in many state and federal laws in the United States, Australia, and other countries. Blaming something on IT or a member of staff is no defense. CEOs are responsible for restoring normal operations after a data breach and ensuring that company assets and the company's reputation are protected. Failure to do so can open the door to legal action.

    Let’s put it in these terms: a cyber breach could potentially cause the loss of a bid on a large contract, could compromise intellectual property (IP) and cause loss of revenue, to name just a few of the repercussions. That places cybersecurity firmly at the top of the organizational chart, similar to all other forms of corporate risk.

    High-Profile Cases

     

    January 2015 - Xoom (Internet money transfer service, San Francisco, CA)
    Lost: $30.8 million. Recovered: $0. Result: The CFO resigned.

    August 2015 - Ubiquiti Networks (Computer networking company, Silicon Valley)
    Lost: $46.7 million. Recovered: $15.0 million. Result: Unknown.

    January 2016 - FACC AG (Aerospace company, Austria)
    Lost: $50.0 million. Recovered: $10.9 million. Result: CEO and CFO were fired.

    April 2016 - Unknown US Company
    Lost: $100.0 million. Recovered: $74.0 million. Result: Scam surfaced when the US government filed a lawsuit to recover $25 million.

    April 2016 - Schletter Group (Worldwide manufacturer, North American division)
    Lost: W-2 information of all 200 employees. Recovered: Nothing. Result: Employees filed a class-action lawsuit; the court allowed the employees to seek treble damages from Schletter. Schletter has since filed for bankruptcy.

    April 2016 - Mattel (Toy manufacturing company, El Segundo, CA)
    Lost: $3.0 million. Recovered: $3.0 million. Result: Luckily they caught the scam right away and were able to recover all of their money.

    May 2016 - Crelan Bank (Belgium)
    Lost: $70.0 million. Recovered: $0. Result: The CEO claims they are still viable and operating at a profit.

    May 2016 - Pomeroy Investment Corp (Troy, MI)
    Lost: $495,000. Recovered: $0. Result: The error wasn't noticed for 8 days; by then the money was long gone.

    August 2016 - Leoni AG (Cable manufacturer, Germany)
    Lost: $44.0 million. Recovered: $0. Result: Unknown.

    September 2016 - SS&C Technologies Holdings (Financial services software firm, Windsor, CT)
    Lost: $5.9 million. Recovered: Unknown. Result: The CEO was ousted and the company is now facing a $10 million lawsuit by Tillage Commodities Fund, the firm whose money was lost.

    November 2016 - City of El Paso, Texas
    Lost: $3.1 million. Recovered: $1.9 million. Result: Unknown.

    January 2017 - Sedgwick County, Kansas
    Lost: $566,000. Recovered: Unknown. Result: Unknown.

    January 2017 - Campbell County Health, Wyoming
    Lost: 1,457 employee Social Security numbers. Recovered: Nothing. Result: Unknown.

    March 2017 - Facebook and Google
    Lost: $100 million. Recovered: ‘The bulk’. Result: Unknown.

    April 2017 - Save The Children
    Lost: $997,400. Recovered: $885,784. Result: The scam was undiscovered for a month, so cybercriminals got away with all the money. The funds were recovered via the organization's insurance carriers.

    June 2017 - Southern Oregon University
    Lost: $1.9 million. Recovered: $0. Result: Unknown.

    July 2017 - Gorbel (US manufacturing company)
    Lost: $82,000. Recovered: None. Result: Unknown.

    September 2017 - MacEwan University, Edmonton, Canada
    Lost: $1.8 million. Recovered: Unknown. Result: Unknown.

    September 2017 - Japan Airlines
    Lost: $3.39 million. Recovered: $0. Result: Unknown.

    December 2017 - O’Neill, Bragg & Staffin (Pennsylvania law firm)
    Lost: $580,000. Recovered: None. Result: Lost a lawsuit filed against Bank of America, claiming the bank was responsible for not stopping the transaction. The firm is now permanently closed.

    July 2018 - City of Alamogordo, New Mexico
    Lost: $250,000. Recovered: None. Result: Unknown.

    September 2018 - Unnamed Finnish Investment Firm
    Lost: 3 million euro. Recovered: 3 million euro. Result: Unknown.

    October 2018 - Lake Ridge Schools (Lake County, Indiana)
    Lost: $120,000. Recovered: None. Result: Unknown.

    November 2018 - Pathé (French cinema chain, film production and distribution company)
    Lost: $21 million. Recovered: Unknown. Result: Managing Director and CFO fired.

    "People are used to having a technology solution [but] social engineering bypasses all technologies, including firewalls. Technology is critical, but we have to look at people and processes. Social engineering is a form of hacking that uses influence tactics." – Kevin Mitnick

    On-Demand Webinar: Latest Business Email Compromise Scams - Don't Be the Next Victim

    The bad guys are getting very creative, impersonating an executive in your organization and asking for financial reports, or asking employees in payroll to make changes to bank accounts. According to the FBI, their efforts have earned them an estimated $12 billion through Business Email Compromise, also known as CEO fraud, scams. Defending against these types of phishing attacks is possible by layering technical and non-technical controls.


    Technology vs The Human Firewall

    Most efforts towards risk mitigation concentrate on technology. However, these technology safeguards must be supported by what is known as the human firewall. Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. They know that employees are the weakest link in any IT system. Thus, cybercriminals continue to rely on phishing and other tricks from the social engineering playbook. The following is a MINIMUM of what to have in place to protect yourself:

    Technology
    • Antivirus
    • Antimalware
    • Intrusion detection/protection
    • Firewalls
    • Email Filters
    • Two-factor authentication
    • Weapons-grade backups
    The Human Firewall
    • Employees are the weak link in any IT department
    • Staff needs to be regularly educated on cyber-threats
    • Each user needs to be able to spot phishing emails from a mile away
    • Regularly testing users with phishing emails keeps them on their toes
    • New-school security awareness training is the way to manage the human firewall problem

    Eight Prevention Steps

    Many steps must dovetail closely together as part of an effective prevention program:

    Identify the highest-risk users: these include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas, including:

    • Review social/public profiles for job duties/descriptions, hierarchical information, out-of-office details, or any other sensitive corporate data
    • Identify any publicly available email addresses and lists of connections
    • Email filtering
    • Two-factor authentication
    • Automated password and user ID policy enforcement
    • Comprehensive access and password management
    • Whitelist or blacklist external traffic
    • Patch/update of all IT and security systems
    • Manage access and permission levels for all employees
    • Review existing technical controls and take action to plug any gaps

    Every organization should set security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should include such things as:

    • Not opening attachments or clicking on links from an unknown source
    • Not using USB drives on office computers
    • Password management policy (no reusing passwords, no Post-it notes on screens as password reminders, etc.)
    • Required security training for all employees
    • Review policy on WiFi access. Include contractors and partners as part of this if they need wireless access when on site.

    Have a solid wire transfer policy: It should never be possible for a cybercriminal to hijack a corporate email account and convince someone to transfer a large sum immediately. Policy should limit such transactions to relatively small amounts. Anything beyond that threshold must require further authorizations.

    Confidential information: When it comes to IP or employee records, policy should determine a chain of approvals before such information is released.

    IT should have measures in place to:

    • Block sites known to spread ransomware
    • Keep software patches and virus signature files up-to-date
    • Carry out vulnerability scanning and self-assessment using best practice frameworks such as US-CERT or SANS Institute guidelines
    • Conduct regular penetration tests on WiFi and other networks to see just how easy it is to gain entry
    • Domain Spoof Protection
    • Create intrusion detection system rules that flag emails from domains that closely resemble the company's own email domain

    Recommended company procedures include:

    • Make staff study security policy and enforce it
    • Establish how executive leadership is to be informed about cyber-threats and their resolution
    • Establish a schedule for the testing of the cyber-incident response plan
    • Register as many domains as possible that are slightly different from the actual company domain
    • Develop a comprehensive cyber incident response plan and test it regularly. Augment the plan based on results.
    • Executive leadership must be well informed about the current level of risk and its potential business impact.
    • Management must know the volume of cyber incidents detected each week and of what type.
    • Understand what information you need to protect: identify the corporate “crown jewels,” how to protect them and who has access.
    • Policy should be established as to thresholds and types of incident that require reporting to management.
    • Cyber-risk MUST be added to existing risk management and governance processes.
    • Best practices and industry standards should be gathered up and used to review the existing cybersecurity program.
    • Consider obtaining comprehensive cyber security insurance that covers various types of data breaches.

    *Note: Normally human error like CEO fraud is NOT covered by cyber security insurance.

    No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimizing the danger so start here:

    • Train users on the basics of cyber and email security
    • Train users on how to identify and deal with phishing attacks with new-school security awareness training
    • Implement a reporting system for suspected phishing emails such as the Phish Alert Button
    • Continue security training regularly to keep it top of mind
    • Frequently phish your users to keep awareness up

    The best training programs baseline click rates on phishing emails and harness user education to bring that number down. Don't expect a 0% click rate though. Good employee education can reduce phishing success significantly, but there is always someone who doesn’t pay attention, is in a hurry that day, or is simply outsmarted by a very clever cybercriminal.

    • Run an initial phishing simulation campaign to establish a baseline percentage of which users are phish-prone.
    • Continue simulated phishing attacks at least once a month, but twice is better.
    • Once users understand that they will be tested on a regular basis, and that there are repercussions for repeated fails, behavior changes. They develop a less trusting attitude and get much better at spotting a scam email.
    • Randomize email content and times they are sent to different employees. When they all get the same thing, one employee spots it and leans out of the cubicle to warn the others. 

    Security awareness training should include teaching people to watch out for red flags. Here are the most common things to watch out for:

    • Awkward wordings and misspellings
    • Slight alterations of company names such as Centriffy instead of Centrify or Tilllage instead of Tillage
    • Spoofed email addresses and URLs that are very close to actual corporate addresses, but only slightly different
    • Sudden urgency or time-sensitive issues
    • Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information” are often used, according to the FBI
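    The red flags above (lookalike domains such as Centriffy vs Centrify, spoofed sender addresses, and the FBI-reported urgency phrases) can be turned into a first-pass mail filter of the kind the prevention steps call for. The following Python is an added example, not code from the original page or from any vendor product; the company domains, the executive name and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed example values: domains the organization owns and executives
# whose names fraudsters impersonate. Not a real organization.
COMPANY_DOMAINS = {"centrify.example", "tillage.example"}
EXECUTIVES = {"jane doe"}
# Phrases the FBI reports as typical of BEC requests (the page's red-flag list).
URGENCY_PHRASES = ("code to admin expenses", "urgent wire transfer",
                   "urgent invoice payment", "new account information")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: 1 or 2 means a near-identical lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> Optional[str]:
    """Return the company domain this sender domain imitates, if it is a near
    miss (Centriffy vs Centrify). Exact company domains return None. A
    threshold of 2 suits domains this long; lower it for very short names."""
    domain = domain.lower()
    if domain in COMPANY_DOMAINS:
        return None
    for real in COMPANY_DOMAINS:
        if edit_distance(domain, real) <= 2:
            return real
    return None


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def bec_red_flags(raw_message: str) -> List[str]:
    """Return the red flags found in one RFC 822 message (empty list = none)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    flags = []
    # Lookalike sender domain, one or two characters off the real one.
    imitated = lookalike_domain(from_domain)
    if imitated:
        flags.append(f"lookalike sender domain {from_domain} resembles {imitated}")
    # An executive's name displayed on an address outside the company.
    if display_name.lower() in EXECUTIVES and from_domain not in COMPANY_DOMAINS:
        flags.append(f"display name '{display_name}' on external domain {from_domain}")
    # Reply-To steering replies to a domain other than the apparent sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"Reply-To domain {domain_of(reply_to)} differs from {from_domain}")
    # Urgency and payment-change wording in the subject or body.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    flags.extend(f"contains phrase '{p}'" for p in URGENCY_PHRASES if p in text)
    return flags


# Constructed sample messages: a lookalike-domain wire request and a free-mail
# impersonation with a diverted Reply-To. Legitimate internal mail yields [].
SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@centriffy.example>
To: ap@centrify.example
Subject: Urgent wire transfer - new account information

Please process this urgent wire transfer today; the supplier sent new account information.
"""
SAMPLE_FREEMAIL = """\
From: Jane Doe <janedoe.ceo@freemail.example>
Reply-To: accounts@payments.example
To: hr@tillage.example
Subject: Quick request

I'm in a meeting; please send me the W-2 forms for all staff.
"""
```

    Each flag is a reason a human reviewer can act on, so the output suits a quarantine-and-review queue rather than silent blocking; the lookalike check is the same logic the prevention steps describe for IDS rules on near-company domains.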

    Do your users know when to NOT click?

    Did you know that 91% of successful data breaches started with a spear phishing attack? Find out what percentage of your employees are Phish-prone with your free phishing security test.

    Why? If you don't do it yourself, the bad guys will. Take the first step now to significantly improve your organization’s defenses against cybercrime.


    Ten Victim Response Steps

    Should an incident take place, there are immediate steps you need to take. Start by contacting your bank:

    • Inform them of the wire transfer in question
    • Give them full details of the amount, the account destination and any other pertinent details
    • Ask if it is possible to recall the transfer

    Speak with the bank's cybersecurity department: Brief them on the incident and ask for their intervention. They can contact their counterparts in the foreign bank to have them prevent the funds from being withdrawn or transferred elsewhere.

    Then contact law enforcement and inform them of all the facts related to the incident as soon as possible.

    In the U.S., the local FBI office is the place to start. The FBI, working with the U.S. Department of Treasury Financial Crimes Enforcement Network may be able to return or freeze the funds. When contacting law enforcement, identify your incident as “BEC”, provide a brief description of the incident, and consider providing the following financial information:

    • Originating Name
    • Originating Location
    • Originating Bank Name
    • Originating Bank Account Number
    • Recipient Name
    • Recipient Bank Name
    • Recipient Bank Account Number
    • Recipient Bank Location (if available)
    • Intermediary Bank Name (if available)
    • SWIFT Number
    • Date
    • Amount of Transaction
    • Additional information (if available), including “FFC” (For Further Credit) and “FAV” (In Favor Of)

    Visit the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov to file your complaint. Victims should always file a complaint regardless of dollar loss or timing of incident and in addition to the financial information above, provide the following:

    • IP and/or email address of fraudulent email
    • Date and time of incidents
    • Incorrectly formatted invoices or letterheads
    • Requests for secrecy or immediate action
    • Unusual timing, requests, or wording of the fraudulent phone calls or emails
    • Phone numbers of the fraudulent phone calls
    • Description of any phone contact to include frequency and timing of calls
    • Foreign accents of the callers
    • Poorly worded or grammatically incorrect emails
    • Reports of any previous email phishing activity

    Call an emergency meeting to brief the board and senior management on the incident, steps taken and further actions to be carried out.

    Have IT investigate the breach to find the attack vector. If an executive’s email has been hacked, take immediate action to recover control of that account such as changing the password.

    But don’t stop there: the likelihood is that the organization has been further infiltrated and other accounts have been compromised. Have IT run the gamut of detection technologies to find any and all malware that may be lurking to strike again.

    If the organization was breached, it highlights deficiencies in existing technology safeguards. These will prove harder for IT to spot. So bring in outside help to detect any area of intrusion that IT may have missed.

    The goal is to eliminate any and all malware that may be buried in existing systems. The bad guys are inside. The organization isn’t safe until the attack vector is isolated and all traces of the attack have been eradicated. This is no easy task.

    Make sure your cybersecurity insurance covers CEO Fraud: Less than 4% of fraudulently transferred funds are recovered, so it's a good idea to make sure you have the proper insurance in place. While many organizations have taken out cyber-insurance, not all are specifically covered in the event of CEO fraud. This is a grey area in insurance and many refuse to pay up. Despite the presence of a specific cyber insurance policy, the unfortunate fact is that no hardware or software was hacked. It was the human that was hacked instead.

    Difference between financial instruments and email fraud: Insurance companies distinguish between these two and that's where gray areas come in. Financial instruments can be defined as monetary contracts between parties such as cash (currency), evidence of an ownership interest in an entity (share), or a contractual right to receive or deliver cash (bond). However, CEO fraud is often categorized as being purely an email fraud and not a financial instrument fraud. In other words, it is being regarded in many cases as a matter of internal negligence or email impersonation as opposed to being a financial instrument matter.

    That said, there are dozens of carriers in the market providing up to $300 million in limits. Coverage extensions have developed to include both the third-party liability and first-party cost and expenses associated with a data breach or cyber-attack.

    For such an incident to happen, violations of existing policy are likely to be in evidence. Conduct an internal investigation to cover such violations as well as to eliminate any possibility of any collusion with the criminals. Take the appropriate disciplinary action.

    When the immediate consequences of the attack have been addressed and full data has been gathered about the attack, draw up a plan that encompasses adding technology and staff training to prevent the same kind of incident from repeating. Be sure to beef up staff awareness training as a vital part of this.

    CEO Fraud Prevention Manual

    Download The Full CEO Fraud Prevention Manual

    CEO fraud is responsible for over $3 billion in losses. Don’t be the next victim. This manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.


    CEO Fraud In The News

    "Staggering" Increase in Business Email Compromise--aka CEO Fraud

    Mimecast’s quarterly Email Security Risk Assessment (ESRA) identified millions of dangerous emails making it through security filters, including a 269% increase in business email compromise (BEC) attacks compared to the previous quarter.

    Fake News and Deepfakes: Harmless Fun or the Future of Fraud?

    We have all seen them. Fake news articles that get passed off as legit sources. Misleading memes. Entertaining videos that swap people’s faces. But what if these deception techniques were used against you to gain access to your organization? What if you r...

    CEO Fraud Attacks Now Use Deepfake Audio and AI to Mimic Executives Over the Phone

    While deepfake video gets most of the attention on social media, it’s deepfake audio that is quickly becoming the cybercriminal’s tool of choice for committing fraud.

