CEO Social Engineering Fraud
Date: Jan 11, 2016
As reported on the BBC News website, cyber criminals are using publicly available corporate data, including the identities of senior managers and senior financial officers gleaned from social networks such as LinkedIn, to launch targeted social engineering attacks.
In the US, the FBI's Internet Crime Complaint Center (IC3) has been tracking what it calls "business email compromise" scams, and reckons about 7,000 companies have been defrauded of more than $740m (£508m; €682m) over the last two years.
Typical attacks include:
1. Someone poses as a boss of a company instructing staff to make a wire transfer into the fraudster's account
2. Fraudsters pose as the IT services department of a bank saying they want to make a test transfer – but it's not a test
3. Fraudsters claim to be a supplier and ask for outstanding invoices to be paid into a new bank account
4. Employees click on links within phishing emails containing malware which authorises many small payments to the fraudster's account
Staff are less likely to question instructions purporting to come from on high, and it is this psychological manipulation – often accompanied by a sense of urgency – that is a major factor in the fraud's success.
Businesses of all sizes should be vigilant and make sure all IT users, from the CEO down, receive regular, measurable security awareness training.
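The pressure tactics described above (an executive's name on an outside address, urgency, a request to move money) can also be scored automatically before a message reaches the finance team. The following is an added illustration, not code from the BBC report or the IC3; the corporate domain, the executive directory and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample data: the company's own domain and its senior officers
# (display name -> genuine mailbox), as a mail gateway would be configured.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases matching the urgency and payment pressure the scams rely on.
URGENCY = ("urgent", "immediately", "today", "asap", "confidential")
PAYMENT = ("wire transfer", "invoice", "new bank account", "payment")


def analyse_bec(raw: str) -> dict:
    """Return heuristic findings for one RFC 5322 message (header and text only)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    part = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (part.get_content() if part else "")).lower()
    findings = []
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr.lower() != genuine:          # executive name, wrong mailbox
        findings.append("executive display name on a non-corporate sender address")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append("reply-to diverts replies to a different domain")
    if any(w in text for w in URGENCY):
        findings.append("urgency language")
    if any(w in text for w in PAYMENT):
        findings.append("payment or bank-detail request")
    # Three or more independent signals is the (constructed) hold-for-review threshold.
    return {"score": len(findings), "findings": findings, "flag": len(findings) >= 3}


# Constructed sample: a CEO-impersonation message from a look-alike domain.
SAMPLE_FRAUD = """From: Jane Doe <jane.doe@examp1e-mail.net>
To: accounts@example.com
Subject: Urgent wire transfer

I'm in a meeting and can't talk. Please make a wire transfer of 48,000 to the
account below today and keep it confidential until I'm back.
"""

# Constructed sample: a genuine message from the same executive.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q1 budget review

Can we schedule the budget review for next week? Thanks.
"""
```

Scoring like this is a triage aid for the finance mailbox, not a substitute for an out-of-band callback on every change of payment details.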