In a rapidly evolving digital landscape, cyber criminals constantly seek new targets to exploit, and high-profile individuals such as company CEOs have become prime targets. These executives possess valuable assets and sensitive information and hold significant decision-making power, which makes them attractive targets for cyber criminals seeking financial gain or corporate espionage.
Many of you will be aware of the phishing tactics used to target general employees, but are you aware of whaling? Whaling targets the “big fish”: the executives at board level. These are usually highly personalised attacks where the fraudsters have done their homework and will have pulled all kinds of personal and corporate information from the web. The criminals use this information, and the authority that comes with the executive’s position, to contact employees or impersonate the CEO and make requests for information, tricking employees into making money transfers or giving away confidential information.
Whaling attacks are carefully drafted to appear to come from a trusted source, such as another executive in the company. There will be an established relationship, so the recipient inherently trusts the message simply because they believe who it appears to come from. These attacks exploit authority and trust to bypass security measures and direct funds or sensitive information to their criminal network.
This is exactly what happened to a British CEO when the cyber criminals took “whaling” to a whole new level. Using AI-generated audio, fraudsters were able to mimic the voice of the parent company CEO. The CEO who took the call genuinely believed he was talking to his boss and did as he was asked, which in this case was to transfer US$243,000 to a criminal account!
CEO fraud is on the rise, and all CEOs and board members need to be aware of the dangers in order to avoid getting caught out. Most risk mitigation is focused on technological solutions, which are of course crucial to have in place, but these measures must be reinforced by a human firewall. Fraudsters are relying on humans being humans and are always looking for new ways to exploit them. So, what steps can you take?
- Cybersecurity Awareness and Training
CEOs must actively participate in cybersecurity awareness programs to stay updated on the latest threats and prevention techniques. This will help them recognise phishing attempts, understand safe online practices, and encourage a culture of cybersecurity within the organisation.
- Policies and Procedures
There should be comprehensive procedures in place for bank transfers and for the handling of confidential information. It should never be possible for a cybercriminal to hijack a corporate email account and convince someone to transfer a hefty sum immediately. A policy should limit such transactions to relatively small amounts, with anything beyond a predetermined threshold requiring further authorisations. Large sums should need more than one person to sign off. One of these authorisation methods should be via a different channel from the one the original request arrived on. So, in the case of the CEO who was scammed by phone, an email to the parent company CEO would have identified the fraud.
Always build in some time for the authorisation of the transfer of funds or confidential data. Fraudsters prey on the fact that people are busy and keen to get things done. By building some cooling-off time into the approval procedure, any necessary checks can be carried out and doubts investigated.
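The three controls above (an amount threshold, multi-person sign-off with at least one approval over a different channel, and a cooling-off period) can be encoded as a single decision rule that a payments system or finance workflow evaluates before releasing a transfer. The following is an added illustration written for this article, not code from any real payments product; the threshold, approver count and 24-hour delay are constructed example values, and the phone-call scenario is modelled on the case described above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Approval:
    """One sign-off on a transfer: who gave it, and over which channel."""
    approver: str
    channel: str   # constructed labels, e.g. "phone", "email", "in_person"
    at: datetime


@dataclass
class TransferRequest:
    requester: str          # person relaying the instruction
    amount: float
    channel: str            # channel the instruction arrived on
    requested_at: datetime
    approvals: list = field(default_factory=list)


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy values; a real organisation sets its own."""
    threshold: float = 10_000.0              # above this, extra controls apply
    min_approvers: int = 2                   # distinct people, not the requester
    cooling_off: timedelta = timedelta(hours=24)


def evaluate(req: TransferRequest, policy: Policy, now: datetime):
    """Return (allowed, reasons). Reasons is empty when the transfer may proceed.

    Below the threshold the transfer is released under normal controls. Above it,
    all three checks must pass: enough distinct approvers other than the requester,
    at least one approval confirmed over a channel different from the request
    channel (out-of-band verification), and the cooling-off period elapsed.
    """
    if req.amount <= policy.threshold:
        return True, []

    reasons = []
    distinct = {a.approver for a in req.approvals if a.approver != req.requester}
    if len(distinct) < policy.min_approvers:
        reasons.append(
            f"need {policy.min_approvers} distinct approvers other than the requester, "
            f"have {len(distinct)}"
        )
    if not any(a.channel != req.channel for a in req.approvals):
        reasons.append(
            f"no approval confirmed over a channel other than '{req.channel}'"
        )
    if now - req.requested_at < policy.cooling_off:
        reasons.append("cooling-off period has not elapsed")
    return not reasons, reasons


def phone_scam_scenario():
    """Constructed scenario: a large transfer instructed by phone, acted on at once."""
    t0 = datetime(2024, 1, 15, 9, 0)
    req = TransferRequest("ceo_subsidiary", 243_000.0, "phone", t0)
    return evaluate(req, Policy(), now=t0 + timedelta(minutes=5))


def verified_scenario():
    """Same request after out-of-band email confirmation, a second approver and a day's delay."""
    t0 = datetime(2024, 1, 15, 9, 0)
    req = TransferRequest("ceo_subsidiary", 243_000.0, "phone", t0)
    req.approvals.append(Approval("ceo_parent", "email", t0 + timedelta(hours=2)))
    req.approvals.append(Approval("cfo", "in_person", t0 + timedelta(hours=3)))
    return evaluate(req, Policy(), now=t0 + timedelta(hours=25))


if __name__ == "__main__":
    print(phone_scam_scenario())   # blocked, three reasons
    print(verified_scenario())     # allowed, no reasons
```

The important design point is that the out-of-band check compares the approval channel against the channel the instruction arrived on, so a request delivered by a cloned voice on the phone cannot be satisfied by another phone call; it has to be confirmed by email, in person or through some other route the fraudster does not control.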
No matter how good your prevention steps are, breaches are inevitable, but awareness is the key to limiting their effect as much as possible.
Remember, not everything is always what it seems!