Preventing CEO Fraud: How to Avoid Business Email Compromise Attacks


For as long as businesses have used email in their financial processes, criminals have tried to exploit it. Email scams are nothing new, but the threats they pose to companies are constantly growing and evolving as attackers’ methods grow more and more sophisticated.

So-called ‘CEO Fraud,’ for example, poses huge threats to companies large and small. Also known as business email compromise (BEC) or “man-in-the-middle” attacks, these schemes use hacked or spoofed email accounts as part of a financial social engineering effort: criminals use compromised addresses, phished credentials, or look-alike accounts to trick key business stakeholders into completing fraudulent transactions.

BEC may sound like a low-tech kind of cybercrime, but that’s partly why it’s so hard to fight (and so common across industries). Companies can be slow to realize they’ve been defrauded through BEC, and reticent to report it once they do.

But in recent years, more and more companies are realizing (and admitting) they’ve been impacted. According to FBI data, there was a 100% increase in identified global exposed losses due to BEC and other email account compromise (EAC) scams between May 2018 and July 2019. Over the three-year period leading up to July 2019, companies lost at least $26B to such attacks.

Facing a Cross-Industry Problem

No two BEC scams are exactly alike, and both small businesses and big companies can be targets. Manufacturing and construction firms are most commonly affected, in terms of industry, but organizations across all sectors are regularly infiltrated by attacks.

In 2019, for example:

  • A Chinese venture capital firm lost $1M, intended for an Israeli startup it was investing in, to scammers who used lookalike emails to communicate with parties on both sides of the transaction (effectively taking control of the conversation).
  • After their CFO entered his Microsoft credentials into a phishing URL, Unatrac Holding Limited (the UK-based export sales office for the construction equipment company Caterpillar) fell prey to a fake-invoicing scheme, issuing 15 fund transfers totaling nearly $11M in losses.
  • Scott County Schools in Kentucky lost $3.7M in a vendor-payment scheme that included forged documents attached to emails. Just weeks later, criminals stole $1.75M from St. Ambrose Catholic Parish in Ohio using similar tactics (tricking church leaders into thinking that the construction firm the parish was working with had changed its bank account).

Even some of the world’s most sophisticated tech companies have been had by BEC criminals. An elaborate scheme involving “a fake company, fake emails and fake invoices,” for example, fleeced Google and Facebook out of $100M between 2013 and 2015.

The threats of ‘CEO Fraud’ also extend further than just the financial losses.

BEC scams succeed because they target specific individuals in the business and use what they get from those targets to extract more: more sensitive information (or more emails about it), more system or account credentials, and so on. The communications may lead to a single transaction, or the attackers may drag out the conversation to manipulate people into offering up more compromising information. C-level executives are hardly the only leaders targeted, either; HR professionals, IT staff, payroll teams, and anyone in the finance department may have information BEC scammers want to obtain.

Depending on what that information is, BEC attacks can lead to further data breaches and/or the exposure of customers’ personal or financial details. This can be especially damaging for companies in regulated markets like finance and healthcare, as they are subject to steep fines (and the potential for major reputational damage) in the event of such security incidents.

Best Practices to Avoid Business Email Compromise Attacks

Staying ahead of email-security incidents starts with training, and continues with technology.

Companies must ensure that all leaders and managers who access sensitive data or authorize transactions are trained on both basic email-security best practices, like not clicking unknown links, and BEC-specific strategies, such as close-reading the ‘From’ and ‘Reply-To’ addresses on any emails related to things like payment requests or log-in information. (A full 60% of BEC attacks do not involve a link.)

Slowdowns for authorization should be part of every company’s processes, as well. Since long trails of emails may precede the sending of account details or wire instructions in BEC scams, requiring multiple parties to review transactions prior to their actual completion is essential to prevention.

IT systems that monitor for common BEC keywords (like “important” and “urgent”) can help by firewalling problematic emails or flagging certain ones for multi-party review.
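The header and keyword checks described in the two paragraphs above (From versus Reply-To, look-alike domains, urgency wording paired with a payment request) can be combined into a single triage score that routes a message to multi-party review. The script below is an added example, not code from the article or from Fifth Third Bank; the trusted-domain allowlist, keyword lists, similarity threshold and the sample message are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed sample: a vendor "bank change" request whose Reply-To points
# at a look-alike domain (hypothetical names, not from any real incident).
SAMPLE = """From: Accounts <billing@acme-build.com>
Reply-To: billing@acme-bui1d.com
Subject: URGENT: updated wiring instructions for invoice 4471
To: ap@example.com

Please use the new account details below for today's payment.
"""

TRUSTED_DOMAINS = {"acme-build.com", "example.com"}   # assumed allowlist
URGENCY = ("urgent", "important", "immediately", "today")
PAYMENT = ("wire", "invoice", "account details", "bank", "payment")

def domain_of(addr):
    """Extract the lowercase domain from a display-name/address header."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def lookalike(domain, trusted):
    """Return the trusted domain this untrusted domain resembles, if any."""
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if SequenceMatcher(None, domain, t).ratio() >= 0.85:  # assumed threshold
            return t
    return None

def score_message(raw, trusted=TRUSTED_DOMAINS):
    """Return the list of BEC indicators found; non-empty means 'route to review'."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", msg.get("From", "")))
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    findings = []
    if reply_dom != from_dom:
        findings.append("reply-to domain differs from from domain")
    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        near = lookalike(dom, trusted)
        if near:
            findings.append(f"{label} domain {dom} resembles trusted {near}")
    if any(w in text for w in URGENCY) and any(w in text for w in PAYMENT):
        findings.append("urgency language combined with payment request")
    return findings
```

A message that trips any indicator is held for a second reviewer rather than rejected outright, since legitimate vendors do occasionally change addresses and the goal is the slowdown the article recommends.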

Requiring multi-factor authentication for logging into email and other web-based systems can limit the potential for account takeovers, as well, but it isn’t a foolproof hedge against credential theft (which is rising, according to Verizon). Experts advise IT leaders to test internal teams with simulated email scams regularly to learn which staff members are most prone to falling for a scam (and thus most in need of extra training).

Since BEC scams are getting more sophisticated all the time, simulating new ones may take some creativity. Security trainers are wise to emphasize the rising risks relating to big events, for example: as with the defrauded Chinese VC firm, hackers are increasingly using real information about investment deals or M&A activity to compromise those future events, sometimes even attaching documents to their emails that simulate real confidentiality agreements or contracts.

Staying Prepared for the Future

Email scams are, unfortunately, here to stay. In fact, CEO fraud and other EAC efforts will likely become vehicles for even more complex attacks in the years to come, as emerging trends like deepfake audio and real-time payments combine to create new threats.

As those threats emerge, innovators will create tech-driven countermeasures to combat them. Already, companies offer artificial intelligence (AI) and machine learning tools aimed at the BEC problem; startups are also exploring how new approaches to data science can assist with prevention and detection.

Even as the technology advances, however, there’s no substitute for careful scrutiny. A strong culture of diligence when it comes to email security is a company’s best protection against CEO fraud and the impact it can have on the company’s success.

The views expressed by the authors are not necessarily those of Fifth Third Bank, National Association and are solely the opinions of the authors. This article is for informational purposes only. It does not constitute the rendering of legal, accounting, or other professional services by Fifth Third Bank, National Association or any of their subsidiaries or affiliates, and are provided without any warranty whatsoever. Deposit and credit products provided by Fifth Third Bank, National Association. Member FDIC.