CEO fraud, also known as the “fake president” scam, is a widespread form of spear phishing. Employees receive fake e-mails, apparently from their superiors, asking them for example to transfer a certain sum of money or to disclose sensitive data.
CEO fraud relies on imitating everyday professional situations. In hierarchical and fast-paced corporate cultures, urgent demands from management are not uncommon, and a request to quickly transfer a larger sum of money is often simply carried out by employees.
Because the communication is direct and personal and the superior's rhetoric is imitated, it is solely up to the employee to recognize the attack and react to it. What makes CEO fraud particularly dangerous is that such impersonation is easy: the attacks themselves are simple. Anti-virus programs or firewalls are ineffective here, because it is not a technical attack. The only things that help are ongoing awareness-raising and constant vigilance.
The tricky thing about CEO fraud is that the first and last name in an e-mail are what the reader registers first. The actual e-mail address, which is often only visible after opening the detailed view, is rarely noticed, even though it is the main indicator of CEO fraud. Therefore, pay attention to the following characteristics when opening an e-mail:
As an employee, you know the writing style of your superiors. Greeting, form of address (formal or informal), choice of words or signature – everyone has their preferences.
Digital communication offers a wide range of channels and means: e-mail, smartphone messenger, social networks, SMS, audio messages – everyone has a preferred channel for a given situation. If the behavior deviates from this, you should question the authenticity of the message.
Assessing the situation is usually the most critical point. In companies with inadequate or non-transparent internal communication, it is often unclear what obligations are pending, be it regular business appointments or errands. Especially at management level, appointments often arise spontaneously and work orders are often assigned on demand – even during vacation. If you as an employee are not 100 percent certain whether your supervisor really was in an appointment, always reassure yourself via a different, secure and familiar communication channel. In case of doubt, the internal regulations must be observed. Managers also have a duty here to encourage their employees to behave safely.
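The point above about the sender address being the decisive indicator can be turned into a simple check that a mail gateway or a help-desk script can run on inbound headers. The following Python script is an added example and is not code from the article or from any product it mentions; it assumes the organisation's own domain is example.com and that the company maintains a list of executive names (EXECUTIVES), and the sample headers are constructed using reserved example domains.

```python
# Added example (not from the article): flag display-name impersonation in
# inbound mail headers. The reader registers the display name first, but the
# sender address and any Reply-To are the decisive signals. Assumed values:
# the organisation's domain is example.com and EXECUTIVES is a list the
# company maintains; the sample headers below are constructed.
import email
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                       # assumption
EXECUTIVES = {"Maria Mustermann", "John Doe"}    # assumption: names an impostor would use


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    addr = addr.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyse_headers(raw: str) -> dict:
    """Parse raw message headers and collect the indicators a reviewer checks."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)

    reasons = []
    # A known executive's name is shown, but the mail comes from outside the organisation.
    if from_name.strip() in EXECUTIVES and from_dom != ORG_DOMAIN:
        reasons.append("executive display name with external sender address")
    # Replies would go to a different domain than the one the mail claims to come from.
    if reply_addr and reply_dom != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    # The display name itself contains an address that does not match the real sender
    # (relies on mail clients that show only the display name).
    if "@" in from_name and _domain(from_name) != from_dom:
        reasons.append("address embedded in display name does not match sender")

    return {
        "from_name": from_name,
        "from_addr": from_addr,
        "reply_to": reply_addr,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample headers (reserved example domains, no real addresses).
SAMPLE_LEGIT = (
    'From: "Maria Mustermann" <maria.mustermann@example.com>\n'
    "To: finance@example.com\n"
    "Subject: Q3 figures\n\n"
)
SAMPLE_EXTERNAL = (
    'From: "Maria Mustermann" <maria.mustermann.office@example.net>\n'
    "Reply-To: mm.private@example.org\n"
    "To: finance@example.com\n"
    "Subject: Urgent transfer - confidential\n\n"
)
SAMPLE_EMBEDDED = (
    'From: "Maria Mustermann <maria.mustermann@example.com>" <relay@example.net>\n'
    "To: finance@example.com\n"
    "Subject: Invoice approval\n\n"
)

if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("external", SAMPLE_EXTERNAL),
                          ("embedded", SAMPLE_EMBEDDED)):
        result = analyse_headers(sample)
        print(f"{label:9s} suspicious={result['suspicious']} reasons={result['reasons']}")
```

The check deliberately compares domains rather than full addresses, because the impersonator's mailbox name is arbitrary while the domain is what the employee should look for; a positive result is a prompt to verify via a different, familiar channel, not a verdict on its own.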
In order to protect employees – but also managing directors – from fraudsters, it is important to introduce protective measures. In addition to internal regulations, such as approval processes for payments or substitution rules, educational measures should be included. Awareness training and internal information about current threats should be part of the company's IT security culture.
In addition, managers should communicate with their employees via defined communication channels. This applies especially to employees in public or central positions with direct contact with management (finance, human resources, communications, marketing).
CEO fraud is a particularly dangerous scam used by online fraudsters. Unlike with viruses and Trojans, there are no technical measures beyond spam filters that could protect you. If such an e-mail makes it into the employee's inbox, the only things that help are their sensitivity to cyber dangers and internal precautionary measures that prevent worse consequences.