C-level fraud attacks (often called CEO fraud) are an increasingly common attack vector, especially for SMBs. Generally, these attacks come in the form of spoofed emails from the “CEO” or another C-suite executive asking the recipient to wire money. They trade on role power (people tend to do what the boss says) to increase their effectiveness.
powersolution.com was alerted to one such attack when one of our clients raised the alarm. Thankfully, in this case, the attacker had not gained access to the CEO’s email account; the messages were sent from an AOL account. The attacker put the CEO’s name in the From field of the e-mail and set the Reply-To header to the attacker’s own address, so that anyone who hit Reply would be corresponding with the attacker rather than with the CEO.
powersolution.com worked with our client and confirmed that it was a CEO Fraud attack. We first alerted the users within the organization to the fact that everyone who received one of these emails is a target. The attackers had identified key employees of this organization, ones who might be able to wire money on the “CEO’s” instruction.
We warned the organization that these attacks will continue to happen, and that they will get better in quality. The attacker will uncover other people inside the organization to target as well, expanding who they go after, so it’s key to build a plan to stay protected.
How to Protect Against C-Level Fraud
Here are the recommendations we have for protecting any organization against C-Level fraud and other common attacks.
- Update Your Policies: Define (or re-define) your policy for both transfer of funds and providing sensitive employee information via email and the telephone. We recommend requiring a second communication (phone and e-mail, e-mail and personal visit) as company policy. The second channel must use contact details already on file, never a phone number or address taken from the suspicious message itself, or the “verification” call simply reaches the attacker.
- Be Transparent: In all likelihood, the attackers will continue to go after folks in this organization, so it’s wise to remain vigilant at all times. Continue to provide user education and make sure everyone at the organization is aware that these types of attacks are happening and is keeping an eye out for fake emails. Above all, ask everyone in your organization to talk about phishing emails they get. It’s one of the best ways to educate your staff.
- Report It: You should report suspicious e-mails to your IT vendor. We also urge IT professionals and organizations to register a report with the Internet Crime Complaint Center (IC3), which will then be referred appropriately to federal, state, local or international law enforcement or regulatory agencies for possible investigation. Keep in mind that if someone in your organization did fall victim and send money, filing a complaint with the IC3 does not serve as notification to your bank or credit card company that you are disputing unauthorized charges. If you fell victim, you should contact your financial institution directly to notify them.
- Change Your Passwords: If the email passwords of those involved have not been changed in the last two weeks, change them now. If there is any chance a mailbox was actually compromised, also review it for forwarding and inbox rules the attacker may have added. It’s also a good time to make sure you are using secure, differentiated passwords for all websites and services, and to consider implementing two-factor authentication and a password management program.
- Use Email-Based Protection: Firewalls and antivirus programs are no match for CEO fraud tactics. These messages carry no malware and no malicious link, only a plausible request, so they pass right through those protections, and it’s vital to use protection that looks at the mail itself: flagging external messages whose display name matches an internal executive, warning when Reply-To differs from From, and enforcing SPF, DKIM and DMARC checks on mail that claims to come from your own domain. Cloud-based email services sometimes have this baked in, so they’ll make you a bit safer. If you’re still running your own mail server, consider a product that will help you find and remove emails from fraudsters.
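The two header tricks described in this incident (an executive’s name in the From field, and a Reply-To that quietly redirects replies) are easy to check for mechanically. The script below is an added example, not code from powersolution.com or from any product; the domain example.com, the executive “Jane Doe”, and the three sample messages are all constructed for illustration. It also checks the Authentication-Results header that a receiving mail gateway adds, so a message claiming to be from your own domain that failed SPF or DMARC is flagged as well.

```python
"""Flag display-name impersonation and Reply-To redirection in inbound e-mail.

Added example. The organisation, executive and messages below are hypothetical.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, hypothetical values: the organisation's own mail domain(s) and the
# display names of its executives mapped to their real addresses.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Matches e.g. "spf=fail" or "dmarc=fail" inside an Authentication-Results header.
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _normalise(name: str) -> str:
    """Collapse case and whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def assess_message(raw, executives=EXECUTIVES, internal_domains=INTERNAL_DOMAINS):
    """Return {finding_code: detail}; an empty dict means nothing was flagged."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    from_internal = _domain(from_addr) in internal_domains
    findings = {}

    # 1. An executive's display name on an address that is not theirs
    #    (the CEO's name on a free-mail account, as in the incident above).
    expected = executives.get(_normalise(from_name))
    if expected and from_addr != expected.lower():
        findings["DISPLAY_NAME_IMPERSONATION"] = (
            f"'{from_name}' is expected at {expected}, message is from {from_addr}")

    # 2. Reply-To sends the victim's reply to a different mailbox.
    if reply_addr and reply_addr != from_addr:
        findings["REPLY_TO_MISMATCH"] = f"replies go to {reply_addr}, not {from_addr}"
        # 2b. Worse when From looks internal but the reply leaves the company.
        if from_internal and _domain(reply_addr) not in internal_domains:
            findings["REPLY_TO_EXTERNAL"] = (
                f"internal-looking sender, replies leave to {_domain(reply_addr)}")

    # 3. Our own domain in From, but the receiving gateway recorded an
    #    SPF/DKIM/DMARC failure (Authentication-Results is added by that gateway).
    auth = " ".join(msg.get_all("Authentication-Results", []))
    if from_internal and AUTH_FAIL.search(auth):
        findings["SENDER_AUTH_FAILED"] = auth.strip()

    return findings


# Constructed sample 1: the CEO's name on a free-mail address.
SAMPLE_FREEMAIL = """\
From: Jane Doe <janedoe.ceo@aol.com>
To: payments@example.com
Subject: Are you at your desk?

I need a wire sent today. Reply here, I am in a meeting.
"""

# Constructed sample 2: the CEO's real address forged in From, replies redirected,
# and the gateway recorded an SPF/DMARC failure for the forged domain.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=aol.com; dmarc=fail header.from=example.com
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <janedoe.ceo@aol.com>
To: payments@example.com
Subject: Urgent wire

Please process the attached instructions and confirm by reply.
"""

# Constructed sample 3: a genuine internal message.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com
From: Jane Doe <jane.doe@example.com>
To: payments@example.com
Subject: Board meeting

Please send me the Q3 summary when you have it.
"""

if __name__ == "__main__":
    for label, sample in [("freemail", SAMPLE_FREEMAIL), ("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)]:
        print(label, assess_message(sample) or "clean")
```

Run stand-alone, it reports the first sample for display-name impersonation, the second for the Reply-To redirection and the failed sender authentication, and the third as clean. In production the same three checks are what a mail gateway rule or a SIEM parser would apply to every inbound message, with the executive list kept in sync with HR rather than hard-coded.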
If you aren’t sure your current IT company is protecting your business from cyber attacks such as C-Level fraud, perhaps it’s time for a new solution provider. Contact powersolution.com at (201) 493-1414 ext 311 to book your Strategic Technology Planning or Cybersecurity overview session.
We know our award-winning, local IT company would be a great fit for your business’ IT goals and needs.