Fraudsters are becoming more creative with email attacks. As an example, C-Suite fraud is a scam impacting all business sectors, wherein cybercriminals spoof corporate email accounts and impersonate a C-Level executive (CEO, CFO, COO, etc.) to trick unsuspecting employees into executing a task such as wiring funds for a transaction, revealing employees' personally identifiable information, or sharing company trade secrets. Organizations should address the growing concern of email impersonation fraud with employees and offer security awareness training to help reduce the risk.
- Attacks May Pose as Communication from a Member of the C-Suite
The new wave of C-Suite email scams is unlike any seen in the past. Some scammers are forgoing malicious links and attachments in favor of a more personalized approach. Posing as a CEO or other company leader, the scam artist may request a money transfer, purchases of gift cards, or sensitive financial information from unsuspecting employees eager to please executive management. Often, the imposter sends the fraudulent message with a forged From header, or from a lookalike address that differs from the executive's real address by a character or two (a swapped letter, a digit in place of a letter, or a similar domain). Encourage employees to take a closer look at the sender address of incoming messages, not just the display name, because many appear legitimate at first glance.
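The sender-address tricks described above can also be checked mechanically before a message ever reaches an employee. The script below is an added example written for this article; it is not code from the original page or from Roebuck Technologies. It parses a message's From and Reply-To headers and flags three patterns: a display name that matches a known executive but an address that does not, a domain that is a lookalike of the corporate domain (digit-for-letter substitutions such as `1` for `l`, `rn` for `m`, or a one- or two-character edit), and a Reply-To that silently redirects replies elsewhere. The corporate domain `example.com`, the executive roster, and the two sample messages are all constructed for illustration.

```python
"""Flag sender-address tricks used in C-Suite impersonation emails.

Added example (not from the original article). The domain, the executive
roster and the sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumed corporate domain
EXECUTIVES = {  # assumed roster: display name -> real address
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Single characters commonly swapped in to build a lookalike domain.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Undo common visual substitutions so 'examp1e.com' reads as 'example.com'."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if the domain imitates the corporate domain but is not it."""
    if domain == CORPORATE_DOMAIN:
        return False
    norm = normalize(domain)
    return norm == CORPORATE_DOMAIN or edit_distance(norm, CORPORATE_DOMAIN) <= 2


def analyze(raw_message: str) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. Display name of a known executive, but a different address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' belongs to {expected} "
                        f"but message is from {addr}")

    # 2. Sender domain imitates the corporate domain.
    if is_lookalike(domain):
        findings.append(f"sender domain '{domain}' is a lookalike of {CORPORATE_DOMAIN}")

    # 3. Reply-To silently redirects the conversation elsewhere.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to.lower()} differs from From {addr}")

    return findings


# Constructed sample messages (not real mail).
SAMPLE_SPOOF = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example.com
Subject: Urgent wire

Are you at your desk? I need a transfer processed today.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers

Please send the Q3 summary when ready.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample) or ["no findings"])
```

Run as-is, the spoofed sample produces all three findings and the legitimate one produces none. Two caveats: the edit-distance threshold will also flag unrelated domains that happen to be close to yours, so treat a hit as a reason to verify out of band rather than as proof of fraud; and a message whose From header is literally the executive's real address passes every check here, which is why the gateway must also enforce SPF, DKIM and DMARC rather than relying on address inspection alone.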
Here is a picture of an actual phishing email (redacted for privacy). You may have seen something similar.
- Information Used Is Publicly Available
Fraudsters craft their emails using public-facing information, such as employee titles and social media activity, so that the message reads convincingly when it lands in an employee's inbox. Typically, employees who report to executive-level individuals are the main targets of C-Suite scams, especially those in Human Resources, Finance and IT. By sending a chain of conversational emails, the imposter attempts to build rapport and make the employee feel that he or she is communicating with a trusted executive, increasing the likelihood that the employee will disclose protected information or carry out the requested transaction.
The phishing email shown above received a response from the employee agreeing to help, which was then followed by this email:
- Employees Are the Best Line of Defense
The best line of defense against falling victim to fraudulent email scams is at the individual employee level. Make team members aware of the damage an organization can suffer when someone responds to a fraudulent email. Develop a protocol to follow in the event of a business email compromise. Encourage employees to mark all potential phishing emails as junk and to notify the appropriate IT resources so a further investigation can be launched. Because the majority of C-Suite scams request a wire transfer, train employees to confirm the legitimacy of any financial request with the actual person making it, in person or by telephone using a number already on file rather than one supplied in the email.
Business email compromises are on the rise, and every company is a potential target. The best protection against a C-Suite fraudulent email is a trained team with a contingency plan. Encourage members of the organization to always take a second look at the sender's email address before responding to any request for funds or sensitive information.
Contact Roebuck Technologies today for information on how our cyber security services can help support your business.