#ISC2CongressEMEA: Why CEO Fraud Works and How to Stop it


CEO fraud is the latest variation in a plethora of similar email-based cyber-attacks. It's niche, but it has a 90% success rate.

At the (ISC)2 EMEA Congress in Dublin, Ken Bagnall presented a session titled 'CEO Fraud: Protecting Businesses.'

Ken Bagnall is CEO of The Email Laundry. He admits that as email is an open communications platform, if an attacker wants to communicate electronically with someone, they’ll find a way. “What we’re really doing in the email security business is stopping them doing it on a larger scale,” he said. It may be slightly defeatist, but it’s honest.

The Email Laundry has sent out CEO fraud tests to numerous companies, and found that 90% of the attempts succeeded. This compares to a success rate of 30% for phishing attacks.

CEO fraud is when hackers design and send a fraudulent email, pretending to be from the CEO to a member of staff requesting a bank transfer. The transferred money, of course, ends up in the criminal’s bank account – most commonly a Chinese or Hong Kong bank. While email is the most common method of attack, Bagnall told Infosecurity that text messaging can also be used.

“The emails can be sent from a homograph of the genuine email address – just a slight variation on the name. We catch most of these. The real sore point for us is when the attackers hack the CEO’s genuine email account – that’s a nightmare for us.”

Regardless of how the email is sent, once the member of staff has started a conversation with whom they believe to be the CEO, they don’t question the validity of that person’s identity. As far as they are concerned, they are talking to – and following the instruction of – the CEO.
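The lookalike-address case Bagnall describes is the one a mail filter can catch before the conversation starts. The following is an added example, not code from The Email Laundry or from this article, showing how such a screen works: it folds the sender domain to the form the eye reads (accents stripped, common glyph swaps such as "1" for "l" undone) and compares it with the organisation's real domain, checks whether an executive's display name arrives from the wrong mailbox, flags a Reply-To that points away from the sending domain, and matches payment details in the body against accounts seen in earlier fraud, which is the bank-account reuse the article mentions later. The trusted domain, the executive list, the placeholder IBAN and the two sample messages are all constructed for the example.

```python
"""Heuristic CEO-fraud screening of one inbound message (added example, not the vendor's code)."""
from __future__ import annotations

import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumptions, constructed for this example: the organisation's real domain,
# its executives' real mailboxes, and payment details seen in earlier fraud.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
KNOWN_FRAUD_ACCOUNTS = {"DE" + "0" * 20}  # placeholder IBAN, not a real account

# Substitutions used to build lookalike (homograph) domains, mapped to what
# the reader perceives. Order matters: two-character swaps run first.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"), ("|", "l")]

PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|urgent)\b", re.I)
ACCOUNT_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9 ]{11,30}\b")  # loose IBAN shape


def normalize(domain: str) -> str:
    """Fold a domain to its perceived form: lowercase, accents removed, glyph swaps undone."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for lookalike, real in SUBSTITUTIONS:
        folded = folded.replace(lookalike, real)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> str | None:
    """Return the trusted domain this one imitates, or None if it is genuine or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    folded = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(folded, normalize(trusted)) <= 2:
            return trusted
    return None


def screen(raw: str) -> list[str]:
    """Return the CEO-fraud indicators found in one RFC 822 message (empty list = nothing flagged)."""
    msg = message_from_string(raw)
    reasons: list[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    imitated = lookalike_domain(from_domain)
    if imitated:
        reasons.append(f"sender domain {from_domain!r} looks like {imitated!r}")

    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        reasons.append(f"display name {name!r} belongs to {real}, not {addr}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        reasons.append(f"Reply-To {reply!r} points away from the sending domain")

    # Only plain single-part bodies are inspected here; attachments are out of scope.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PAYMENT_WORDS.search(body):
        for token in ACCOUNT_RE.findall(body):
            if token.replace(" ", "") in KNOWN_FRAUD_ACCOUNTS:
                reasons.append("payment details match an account seen in earlier fraud")
    return reasons


# Constructed sample: a lookalike domain ("1" for "l"), an external Reply-To and a known account.
FRAUD_SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-example.net
To: accounts@example.com
Subject: Urgent transfer

Please wire the supplier payment today to IBAN DE00 0000 0000 0000 0000 00.
"""

# Constructed sample: the genuine executive mailbox with no payment content.
CLEAN_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Friday

Lunch on Friday?
"""

if __name__ == "__main__":
    for reason in screen(FRAUD_SAMPLE):
        print("flag:", reason)
    print("clean message flags:", screen(CLEAN_SAMPLE))
```

The screen raises four indicators on the constructed fraud message and none on the clean one. It also shows the limit Bagnall points to: a message sent from the CEO's compromised genuine account carries no lookalike domain, no name mismatch and no foreign Reply-To, so only the payment-detail check (and out-of-band verification of the transfer) would stand between the mail and the bank.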

Bagnall explained that whilst 22,143 companies have reported CEO fraud, non-reporting is very high. Reluctance to report the CEO fraud, he told Infosecurity, is connected with a “shame factor and a fear of ‘is this a data breach?’ Are we in trouble? Does this affect our reputation?”

Interestingly, Bagnall strongly suspects that there are links between CEO fraud and ransomware. “People pay the ransom and six months later receive a CEO fraud email which seems to have knowledge from their calendar etc.” he explained to Infosecurity.

Stopping CEO Fraud

One way that organizations could significantly reduce the risk of CEO fraud is to remove all links from email. “I think the time has come where you could get away with it,” Bagnall said, although of course, this isn’t useful from a business enablement perspective.

Each bank account is used multiple times, so The Email Laundry can use that data to try and identify other attacks before they get through to the customer.

The flaw with this methodology, admits Bagnall, is that “we are waiting for a victim before we can prevent others falling for the same attack.”

In the instance of CEO fraud, the victim’s first port of call should be to their bank to try and stop the payment from going through. Reports should also be made to email providers and law enforcement agencies.

Collaboration is needed to stop CEO fraud, said Bagnall, and security companies need to work together. “We provide APIs to other vendors to use some of our data. There are also organizations like the APWG (Anti Phishing Working Group) who provide a security feed which different vendors contribute to.” The delay in that data, however, makes it “nearly useless” according to Bagnall. “We also have data sharing agreements with some academic institutions, and have found Computer Emergency Response Teams useful for sharing information.”

There are law enforcement collaborations on the cards, but they are either still being built, or waiting for funding from the EU. “It is likely going to be down to us to police it ourselves,” concedes Bagnall, “as is always the case with cybercrime.”
