What Is CEO Fraud? Definition, Examples and Prevention

CEO fraud, also known as whaling, is a sophisticated form of phishing that targets an organization’s senior employees.

More than 400 businesses are targeted by CEO fraud each day, with losses totalling almost $1 billion per year.

Although the name suggests that it’s exclusively CEOs who are targeted, this is an oversimplification. The technique has far-reaching consequences and can affect anyone in a position of authority.

What is CEO fraud?

CEO fraud is a type of phishing attack in which scammers pretend to be a high-ranking individual within an organization. Using this authority, they instruct employees to carry out fraudulent activity.

Fraudsters typically impersonate the chief executive – hence the name CEO fraud – but they have also been known to imitate other senior positions, such as the head of HR or accounts.

At its core, CEO fraud works like any other form of phishing. The scammer sends a bogus message that appears to come from a legitimate sender, and the message encourages the recipient to do something that gives the fraudster access to sensitive information.

However, there are a few key differences that make CEO fraud more damaging and harder to spot than regular phishing scams.

For example, a standard phishing email will appear to come from a corporate account, such as ‘security@companyx.com’, and will have a boilerplate message. CEO fraud, by contrast, imitates a specific individual within the organization and the messages are sent to another employee within the organization.

The messages typically contain informal requests to complete a certain business activity. For instance, the scammer might ask for a copy of a spreadsheet containing payroll information or request a wire transfer.

That leads us on to the second difference between regular phishing attacks and CEO fraud. Whereas scammers typically deliver phishing emails in bulk using generic messages, they will put far more effort into CEO fraud.

They typically begin by picking out a suitable target and learning as much as they can about them and their organization. LinkedIn in particular is a goldmine for scammers, as they can find someone’s job history, their connections with colleagues, and even the idiosyncrasies in the way they write.

This enables the scammer to write convincing messages that look as though they have genuinely come from the supposed sender, and they are sent to the most appropriate person to complete their request.

How to recognize CEO fraud

CEO fraud is more highly targeted than standard phishing, making it much harder to spot. However, there are still certain clues that point to its fraudulent nature.

You’re unlikely to find some of the typical giveaways of a scam, such as generic greetings (‘Dear sir’) and poor spelling.

Likewise, CEO fraud avoids the typical pretexts that you associate with scams, such as a supposed security alert asking you to reset your password or an apparent problem with a purchase that requires you to re-enter your payment details.

So what should you look out for instead? Here are some things that most CEO fraud messages have in common:

  1. A request to transfer money or share sensitive information. No matter what pretext a scammer uses, their goal is always to make money – whether by requesting a wire transfer or gaining access to sensitive data that they can then sell.
  2. An urgent tone. Scams are designed to get people to act quickly before they have a chance to think it through. CEO fraud usually does this by making the request appear time sensitive.
  3. The sender is currently unavailable. When you receive a suspicious email, your first thought might be to contact the sender directly for clarification. Scammers mitigate this risk by implying that the sender is unavailable – often because they are in a meeting or are having technical problems.
  4. A request for confidentiality. Fraudsters know that they could be rumbled if the recipient mentions the email to a colleague, so they often imply that their request is confidential.

Examples of CEO fraud

Although CEO fraud can take any form, there are three common pretexts that you can expect to find. In this next section, we’ll look at three examples of CEO fraud to explain how it works and who is most likely to be targeted.

1. Wire transfer scam

This is by far the most common type of CEO fraud, with the scammer messaging someone in the accounts department and asking them to make a wire transfer. The account details seemingly belong to a client, but the account is in fact controlled by the scammer.

In the example below, the scammer has created the email domain ‘@abdbank.com’, which imitates the genuine account ‘@abcbank.com’.

Source: Tessian

The scammer uses their bogus domain to replicate an email account belonging to ‘Sam Jones’, who we can presume is a senior employee at the bank.

We can also presume that Sam has a close working relationship with the recipient, Kat Taylor, given the informal tone of the email.

Notice how the message includes personal touches, such as the idiosyncratic sign-off and the phrase “that finance guy”. It also includes the apparent knowledge that Kat works from home (although this could just be an educated guess based on the popularity of remote working since the pandemic).

With the relationship between sender and receiver established, the scammer then attempts to socially engineer Kat, manipulating her into action. ‘Sam’ creates a sense of urgency from the subject line (“URGENT”), reiterates the message in the opening line (“I really hope you’re online now”), and emphasizes it again at the end.

This emotional manipulation is supported by Sam’s apparent trust in Kat. ‘Sam’ says that he is “counting on [her]”, which plays on the power dynamics between them.

Completing a job for your boss is one thing, but to do it in a moment of urgency is another thing altogether. Kat will think that by doing this, she will develop her professional relationship and will be seen as a trustworthy and reliable employee.

This manipulation is completed with the authoritative tone that demands action. “Please pay immediately”, the message reads, which leaves no room for interpretation and suggests that any questioning of the matter will be considered a failure.

2. Tax form scam

This example of CEO fraud is more straightforward. It’s a message from an organization’s CEO to the accounts department requesting employees’ tax documents.

Source: Frank on Fraud

In some versions of this scam, the fraudster (posing as the CEO) will ask for the information to be sent to him directly, but here they’ve asked for the document to be sent to a consultancy firm (although that address is also controlled by the fraudster).

This is a more logical approach, because it avoids the awkward question of why the CEO would need this information. By requesting that the records be sent to a consultancy firm, there appears to be a clear purpose to the request.

Unlike the previous example, the message is written more formally. However, it still has the hallmarks of a natural and specific email from a fluent English speaker, rather than the template messages you might typically associate with phishing.

Meanwhile, there are other similarities between the messages. Both use a sense of urgency and authority, with the CEO requesting the information “immediately as we are under a time crunch”.

They also serve the same purpose, with this message instructing the recipient to hand over company assets. In this case, it’s a document containing sensitive information, whereas in the previous example it’s company funds.

3. Laying the bait

The examples we’ve looked at so far target specific departments and launch directly into their pretext, but many instances of CEO fraud begin in a more ambiguous way.

An employee might, for example, receive a message such as this:

This might seem less characteristic of CEO fraud, because it shows no specific signs that the scammer has researched their target and pinpointed a vulnerability they can exploit.

However, this is a case of the scammer exercising caution. If they make their request straight away, the recipient might spot that something’s amiss. They might then talk to their colleagues and realize that it’s a scam, which will put everyone in the organization on high alert.

The organization will most likely send a company-wide email to warn employees about the scam, which would effectively shut down the scammer and prevent them from targeting anyone else.

But by sending an ambiguous message with a benign question, such as “Are you in the office today?”, the scammer is much less likely to be exposed.

If the recipient responds, the scammer knows that they have them on the hook and can then move forward with their request.

Preventing CEO fraud

Although CEO fraud is more sophisticated than standard phishing, the key to preventing attacks is much the same. You should begin with technological defences that spot suspicious and unusual domains and which alert users whenever they try to download a potentially dangerous attachment.

These form the building blocks of your defences, but they are never one hundred percent effective. Malicious emails will inevitably land in your employees’ inboxes, meaning you need to educate your staff on how to spot bogus emails and respond appropriately.

IT Governance USA’s Phishing Staff Awareness E-Learning Course contains the tips and guidance your team needs to outsmart attackers.

This online training course explains everything you need to know about scam emails, from the way attackers instigate their attacks to the steps you can take to defend yourself.

It uses real-life examples, such as the ones in this blog, to show how phishing works in real life, and the content is updated each month to ensure you understand the latest trends.