Beware the “Fake CEO”

25 May 2017

The number of “fake CEO” attempts by cyber criminals has escalated to the point that more than 18,000 attempts were made in the last seven months of 2016, with victims around the world losing $2.2 billion.

Florian Lukarsky, a security consultant with SEC Consult Singapore, told the CommunicAsia2017 conference that criminals are increasingly using a “fake CEO” email scam, in which a chief executive or business owner is impersonated, to siphon funds from corporates.

Victim organizations are typically businesses that work with foreign suppliers and regularly perform international payment transfers, said Lukarsky.

He said that the $2.2 billion lost in the second half of 2016 compared with $3.1 billion in losses in the 31 months from October 2013 to May 2016 is proof of the increasing popularity of the scam.

“They will establish contact and create a pretext, such as a company takeover or an urgent purchase,” said Lukarsky. “The victim is usually an employee responsible for bank transfers, and the scammers make sure they use different psychological methods to get the victims into doing what they want.”

By impersonating a senior manager, who is an authority figure, the scammers play upon people’s deep psychological conditioning.

“We all grew up obeying authority, our parents or our teachers, so this concept is very deeply within us, so many people fall for it,” says Lukarsky.

“There is also often a stated bogus obligation to keep this a secret, and victims feel special because they have been chosen by the ‘CEO’, who has finally paid attention to them, so they are more likely to follow requests.”

Some high profile examples of corporates falling victim to the CEO scam include US technology firm Ubiquiti, which lost $46.7 million in 2015. Belgian bank Crelan lost 70 million euros in January 2016, while Facebook and Google have lost $100 million between them since 2013.

In combating the fraud, Lukarsky says organizations can take two approaches: establishing processes and protocols that govern how email may be used to authorize payments, and technical measures such as email signatures that are harder to forge and may include encryption.

Lukarsky also demonstrated a “trackdown service” where PDFs were sent to scammers after the fraud had been identified.

These attachments claimed to be confirmation of the transfer, but contained information that helped identify the scammers’ location, their true email addresses and their computers.
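The impersonation pattern described in this article (an executive’s name on an outside address, replies quietly redirected elsewhere, and a pretext built on urgency and secrecy) can be screened for on inbound mail. The following is an added example, not code from the article or from SEC Consult; the company domain, the executive list and the two sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed example data: the company's own domain and its executives.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Pressure words drawn from the pretexts the article describes.
PRESSURE_WORDS = ("urgent", "confidential", "secret", "transfer")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_ceo_fraud_indicators(raw_message: str) -> list[str]:
    """Return indicator codes found in one RFC 5322 message (empty = none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    found = []
    # 1. Display name of a known executive, but not that executive's address.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        found.append("display-name-impersonation")
    # 2. Replies silently redirected to a domain other than the sender's.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        found.append("reply-to-mismatch")
    # 3. Urgency/secrecy pressure in the subject or body (two or more words).
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if sum(word in text for word in PRESSURE_WORDS) >= 2:
        found.append("pressure-language")
    return found


# Constructed sample: a fake-CEO message and a legitimate one.
FRAUD_SAMPLE = """From: Jane Doe <jane.doe@gmail-example.com>
Reply-To: Jane Doe <ceo.office@mail-example.net>
To: accounts@example.com
Subject: URGENT: confidential wire transfer

Please keep this strictly confidential and process the transfer today.
"""
LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 board deck

Attached is the deck for Thursday.
"""

if __name__ == "__main__":
    print(check_ceo_fraud_indicators(FRAUD_SAMPLE))  # all three indicators
    print(check_ceo_fraud_indicators(LEGIT_SAMPLE))  # []
```

A hit on the first indicator alone is the strongest signal; the other two mainly raise the priority of a review, and none of them replaces the out-of-band payment confirmation that the process controls above require.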
