19 June 2017
CEO frauds cannot be avoided by routines alone
Swedish bank SEB (one of the Swedish “Big 4”) and tech news site BreakIT are reporting on the rise of “CEO frauds”.
According to the article, the number of cases reported to the Swedish Trade Federation rose from 100 in 2015 to 1 000 in 2016, an increase exceeding 1000%!
For those not familiar with CEO fraud, it is usually carried out by impersonating a senior executive of a firm, with the aim of defrauding the organization or planting malicious software inside its business systems.
To prevent such fraud, the Swedish Trade Federation recommends setting up internal routines and raising awareness within the organization.
These recommendations are of course commendable. Increased awareness of these issues is vital in order to mitigate and prevent fraud.
However, with increased regulation of data management on the horizon, proactive measures to strengthen cybersecurity are key.
Furthermore, apart from the internal perspective, there is also an external one. Even if you have a high level of awareness, as well as the best routines in place, what about your partners and customers? You have to ask yourselves how a potential fraud using your brand can affect the credibility of your brand, as well as the relationship with your business partners.
The recommendations stated in the article only take into account CEO frauds that originate from email addresses “similar” to that of the CEO or CFO. In our experience, the most successful frauds are those sent from email addresses identical to that of the CEO or CFO. It is hard (but not impossible) to prevent emails from people using cybersquatted look-alike domain names, registered to resemble that of your organization. It is, however, possible to prevent imposters from using your own domain name, the tactic known as “business email compromise”.
There are a number of technical measures that can be adopted to limit exposure to business email compromise.
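The post does not name the technical measures it has in mind. The added example below (not from the original post) assumes the standard control for stopping exact-domain impersonation, a DMARC policy backed by SPF/DKIM, and shows how to parse a domain's DMARC record and judge whether it actually instructs receivers to reject forged mail; the two records are constructed, not real.

```python
"""Parse a DMARC TXT record and judge whether it blocks exact-domain spoofing.

Added example; the original post names no specific mechanism. DMARC (RFC 7489)
is assumed here as the control that lets a domain owner tell receivers to
reject mail that fails SPF/DKIM alignment. Sample records below are constructed.
"""
from dataclasses import dataclass


@dataclass
class DmarcPolicy:
    policy: str            # p= tag: none | quarantine | reject
    subdomain_policy: str  # sp= tag, defaults to p=
    pct: int               # pct= tag: share of failing mail the policy applies to
    reporting: bool        # rua= present: aggregate reports reach the owner


def parse_dmarc(record: str) -> DmarcPolicy:
    """Parse 'v=DMARC1; p=...' into a DmarcPolicy. Raises ValueError if not DMARC."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")  # split on first '=' only (mailto: URIs)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return DmarcPolicy(
        policy=tags["p"].lower(),
        subdomain_policy=tags.get("sp", tags["p"]).lower(),
        pct=int(tags.get("pct", "100")),
        reporting="rua" in tags,
    )


def spoofing_blocked(pol: DmarcPolicy) -> bool:
    """True only if receivers are told to reject or quarantine ALL failing mail."""
    return pol.policy in ("quarantine", "reject") and pol.pct == 100


# Constructed records: a monitoring-only policy that does not stop spoofing,
# and a hardened policy that instructs receivers to reject forged mail.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (WEAK_RECORD, HARDENED_RECORD):
        pol = parse_dmarc(rec)
        print(f"{rec!r}\n  blocks exact-domain spoofing: {spoofing_blocked(pol)}")
```

A `p=none` record only produces reports and leaves exact-domain impersonation unblocked; look-alike domains are outside DMARC's reach, which matches the distinction drawn above.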
A comprehensive analysis of the business email flow and systems is a good first step towards defining a holistic strategy against email compromise.
Implementing a combination of organizational and technical measures can in turn establish “best practice” for protecting business flows and further reduce the risk of a CEO fraud.