CEO Fraud is a fraud method in which the attacker pretends to be a CEO, manager, or boss and, for example, asks employees to transfer money to a specific account. If the attacker uses email as the means of communication, CEO Fraud is a form of Business Email Compromise (BEC). Other attack vectors are also possible, however, up to and including deepfaked voices on phone calls.
What is CEO Fraud?
Alternative terms for CEO Fraud are boss fraud or Fake President Fraud (FPF). It is a fraud method in which the attacker pretends to be the CEO, manager, or boss of a company. Under this false identity and some pretext, the attacker asks company employees to perform transactions such as transferring a sum of money to a named account. The term does not specify how the contact is made.
The scammers often use deceptively mimicked emails or hijacked email accounts of business executives. In this case, CEO Fraud is a form of Business Email Compromise (BEC). Other means of contact are also possible, up to and including the use of deepfakes on phone calls.
Because employees may transfer large sums of money without questioning the request, simply because of the boss's authority, CEO Fraud poses a major risk to companies. Companies in which an authoritarian management style prevails and no safeguarding processes are established are particularly susceptible.
Differentiation from the term BEC (Business E-Mail Compromise)
Many sources equate Business Email Compromise and CEO Fraud, which is strictly speaking incorrect. CEO Fraud is often carried out in the form of BEC, but it can also use other contact channels and attack vectors, whereas BEC is limited to email. Business Email Compromise is a fraud method that uses previously hijacked business email accounts or deceptively imitated business emails.
With BEC, the fraudsters do not necessarily impersonate the boss. They also use the identities of employees to attack customers, for example, or the identities of lawyers, notaries, or bank employees. CEO Fraud, in turn, is possible without email at all, for example via telephone calls and the use of deepfakes.
Typical sequence of CEO fraud
The more information the attacker has about the company, its processes, employees, and executives, the greater the chances of success. The criminals therefore scout out possible victims, and the identities they want to assume, in advance, using information from company websites, social networks, or personal conversations with employees, for example.
Once the necessary information has been collected, the victim is contacted. By email or telephone, the supposed boss presents a request and asks the victim to perform a certain action. The attackers build up pressure and apply psychological manipulation, and they often stress the confidentiality of the matter.
Because of the alleged boss's authority, many employees are susceptible to this kind of manipulation. A typical action demanded of the victim is transferring a large sum of money or paying an invoice to a named account.
Measures against CEO Fraud
Possible measures against CEO Fraud:
- Train employees and raise their awareness of the scheme
- Cultivate an open corporate culture and avoid an authoritarian management style
- Establish dedicated safeguarding and approval processes for financial transactions
- Verify unusual requests with the boss over a separate, known communication channel
- Reliably secure email accounts against takeover and unauthorized use
- Watch for discrepancies and errors in emails, such as a display name that does not match the sender address, a lookalike domain, or a Reply-To address that differs from the From address
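The last point can be partly automated. The following is an added example, not code from the original article: a small header check that flags the discrepancies typical of an emailed CEO Fraud attempt (an executive's display name on an outside address, a lookalike sender domain, a Reply-To that diverges from From, and pressure or secrecy wording). The company domain, the executive list and the three sample messages are constructed for illustration and are assumptions, not data from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed company data (hypothetical, not from the article).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # normalized display name -> real address
PRESSURE_WORDS = ("urgent", "confidential", "immediately", "wire", "transfer")


def levenshtein(a, b):
    """Plain edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _norm(name):
    return re.sub(r"\s+", " ", name).strip().strip('"').lower()


def check_message(raw):
    """Return a list of (code, detail) findings for one RFC 822 message string."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    name = _norm(from_name)

    # 1. Display name of a known executive, but the address is not theirs.
    if name in EXECUTIVES and from_addr != EXECUTIVES[name]:
        findings.append(("display_name", f"'{from_name}' sent from {from_addr}"))

    # 2. Sender domain is a near miss of the company domain (typosquat / homoglyph).
    if from_domain != COMPANY_DOMAIN and 0 < levenshtein(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(("lookalike_domain", from_domain))

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr:
        findings.append(("reply_to_mismatch", f"Reply-To {reply_addr} vs From {from_addr}"))

    # 4. Pressure and secrecy wording in subject or body (non-multipart body assumed).
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if len(hits) >= 2:
        findings.append(("pressure_language", ", ".join(hits)))
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """From: "Jane Doe" <jane.doe@gmail.com>
To: accounting@example.com
Subject: Urgent and confidential

Please wire 48,000 EUR to the account below today. I am in a meeting, do not call.
"""

LOOKALIKE = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jd.ceo.office@protonmail.com
Subject: Quick task

Transfer the attached invoice immediately. Keep this between us.
"""

LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: accounting@example.com
Subject: Board deck

Attached is the draft deck for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, check_message(raw))
```

Note the limit of this kind of check: a message sent from a genuinely hijacked executive account has a correct From address and passes tests 1 to 3, and an attacker who avoids pressure wording passes test 4. That is why the process-level measures above (approval workflows and a call-back on a separate channel) remain the primary defense, with header checks as an additional warning signal.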