ESET: CEO Fraud - Understanding How it Works

“CEO fraud happens a lot, because it works.”

These were the words of Righard Zwienenberg, senior research fellow at ESET, speaking at an ESET press event in Bratislava this week.

Zwienenberg explored the evolving landscape of CEO fraud, describing it as a “new email-driven scam where an attacker will pretend to be your boss, and get you to transfer thousands of dollars of company funds into a bank account they control.”

Protecting yourself from CEO fraud comes down to understanding how an attack works, he continued, outlining the following elements as key:

1. The attacker needs to know a lot about the company he's targeting
2. Hierarchical structure: who the attacker will be impersonating – their name, their email address, their schedule, when they will be travelling or on vacation
3. The attacker needs to know who in the organization is able to issue money transfers, such as the accountant, or someone in the finance department
4. Most of this information can be freely found on your website's 'About us' pages
5. Understanding somebody's agenda can be difficult, but social media such as Twitter and Facebook help a lot
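The elements above are the attacker's preconditions: an executive's name and address to impersonate, a window when that person is unreachable, and a recipient who can move money. The script below, added here as an illustration and not code from the article or from ESET, turns those preconditions into mail-gateway signals: an executive's display name arriving from a mailbox that is not theirs, a sender domain that is a lookalike of the organisation's own (digit-for-letter substitutions or an edit distance of one), a Reply-To that diverts the thread elsewhere, and payment language addressed to a finance mailbox. The organisation profile (`OUR_DOMAIN`, `EXECUTIVES`, `FINANCE_MAILBOXES`, `PAYMENT_WORDS`) and both sample messages are constructed for the example.

```python
"""Heuristic screening of inbound mail for CEO-fraud signals.

Added example, not ESET's or the article's own code. The organisation
profile, scoring rules and sample messages below are all constructed.
"""
import email
from email import policy
from email.utils import getaddresses, parseaddr

# --- Constructed organisation profile (assumptions for the example) ---
OUR_DOMAIN = "example.com"
# Display names an attacker would most plausibly impersonate -> the real mailbox.
EXECUTIVES = {"jane doe": "jane.doe@example.com", "tom lee": "tom.lee@example.com"}
# The people who can actually issue a transfer, i.e. the targets the talk describes.
FINANCE_MAILBOXES = {"accounts@example.com", "bob.finance@example.com"}
PAYMENT_WORDS = ("wire", "transfer", "bank account", "urgent", "confidential")

# Common substitutions used in lookalike domains: examp1e.com, examp0e.com, exarnple.com
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s"})


def normalise(domain: str) -> str:
    """Fold digit-for-letter and 'rn'-for-'m' substitutions before comparing domains."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats of our domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    return domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN)


def is_lookalike(domain: str) -> bool:
    """True for a foreign domain that collapses onto ours after normalisation,
    is one edit away from it, or embeds it (example.com-payments.net)."""
    domain = domain.lower()
    if not domain or is_internal(domain):
        return False
    ours = normalise(OUR_DOMAIN)
    n = normalise(domain)
    return n == ours or edit_distance(n, ours) <= 1 or OUR_DOMAIN in domain


def ceo_fraud_signals(raw: str) -> list[str]:
    """Return the list of CEO-fraud indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    signals = []

    # 1. Executive's display name, but not the executive's mailbox.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        signals.append(f"executive display name {name!r} used from {addr}")

    # 2. Sender domain registered to look like ours.
    if is_lookalike(domain):
        signals.append(f"sender domain {domain} resembles {OUR_DOMAIN}")

    # 3. Replies silently diverted to a third mailbox.
    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    if reply_to and reply_to.lower() != addr:
        signals.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Payment language aimed at someone who can move money.
    recipients = {a.lower() for _, a in getaddresses([str(msg["To"] or "")])}
    part = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + "\n" + (part.get_content() if part else "")).lower()
    if recipients & FINANCE_MAILBOXES and any(w in text for w in PAYMENT_WORDS):
        signals.append("payment language addressed to a finance mailbox")
    return signals


# Constructed sample messages (not real traffic).
SUSPECT = """From: "Jane Doe" <jane.doe@examp1e.com>
To: accounts@example.com
Reply-To: jane.doe.ceo@gmail.com
Subject: Urgent wire transfer
Content-Type: text/plain

Please transfer 45,000 USD to the bank account below before end of day.
I am travelling and cannot take calls, so handle this by email.
"""

LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Board deck

Attached is the deck for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, ceo_fraud_signals(raw))
```

The display-name check is the one that matters most: it needs no knowledge of the attacker's domain, only a list of the people worth impersonating, which is exactly the list the attacker built from the 'About us' page. The lookalike test will also fire on a genuine partner whose domain happens to be one edit from yours, so treat these as signals to route for review rather than a verdict.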

An important thing to remember, added Zwienenberg, is that CEO fraud is so often successful because people continue to fall for social engineering.

“Social engineering makes all these things possible, and people keep clicking on everything because they think it’s safe.”
