CEO Fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or into sending out confidential tax information.
The FBI calls this type of scam "Business Email Compromise" and defines BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
According to the FBI, CEO fraud is now a $26 billion scam. Between May 2018 and July 2019, there was a 100% increase in identified global exposed losses. The scam has been reported in all 50 US states and in 150 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to banks in approximately 140 countries.
Understanding the different attack vectors for this type of crime is key when it comes to prevention. Here is how the bad guys do it:
Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources, often with legitimate-looking logos attached. Banks, credit card providers, delivery companies, law enforcement, and the IRS are a few of the common ones. A phishing campaign typically shoots out emails to huge numbers of users. Most are addressed to people who don't use that bank, for example, but by sheer weight of numbers these emails reach a certain percentage of likely candidates.
This is a more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users. A spear phishing email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included, perhaps the person’s name, or the name of a client.
Here, the bad guys target executives and administrators, typically to siphon off money from accounts or steal confidential data. Personalization and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.
In a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.
Did you know that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.
Now they can launch a "CEO fraud" spear phishing attack on your organization, and such an attack is very hard to defend against unless your users have received a high level of "security awareness" training.
The CEO isn't always the criminal's target. There are four other groups of employees considered valuable targets given their roles and access to funds/information:
The finance department is especially vulnerable in companies that regularly engage in large wire transfers. Often, sloppy internal policies only demand an email from the CEO or other senior person to initiate the transfer. Cybercriminals usually gain entry via phishing, spend a few months doing recon and formulate a plan. They mirror the usual wire transfer authorization protocols, hijack a relevant email account and send the request to the appropriate person in finance to transmit the funds. As well as the CFO, this might be anyone in accounts who is authorized to transfer funds.
Human Resources represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organization, manages the employee database and is responsible for recruiting. As such, a major function is to open résumés from thousands of potential applicants. All the cybercriminals need to do is include spyware inside a résumé and they can surreptitiously begin their early data gathering activities. Additionally, W-2 and PII scams have become more prevalent. HR receives requests from spoofed emails and ends up sending employee information such as social security numbers and employee email addresses to criminal organizations.
Every member of the executive team can be considered a high-value target. Many have some kind of financial authority. If their email accounts are hacked, it generally provides cybercriminals access to all kinds of confidential information, not to mention intelligence on deals that may be in progress. Thus executive accounts must receive particular attention from a security perspective.
IT managers and IT personnel with access control privileges, password management and email accounts are further high-value targets. If their credentials can be hacked, they gain entry to every part of the organization.
Virus and malware defense has long been viewed as a purely IT problem. Some organizations do appoint Chief Information Security Officers (CISO); however, information security is often viewed as a challenge that lies well below board or C-level attention.
The events of recent years have highlighted the danger of this viewpoint. With the FBI warning corporations that they are at risk and so many high-profile victims in the news, organizations, led by their CEOs, must integrate cyber risk management into day-to-day operations.
Additionally, companies must take reasonable measures to prevent cyber-incidents and mitigate the impact of inevitable breaches. The concept of acting “reasonably” is used in many state and federal laws in the United States, Australia, and other countries. Blaming the IT staff or employees is no defense. CEOs are responsible for restoring normal operations after a data breach and ensuring that company assets and the company's reputation are protected. Failing to do so risks legal action.
Let’s put it in these terms: a cyber breach could potentially cause the loss of a bid on a large contract, damage to intellectual property (IP) and lost revenue, to name just a few of the impacts. That places cybersecurity firmly at the top of the organizational chart, alongside all other forms of corporate risk.
The bad guys are getting more creative, impersonating an executive in your organization and asking for financial reports, or asking employees in payroll to make changes to bank accounts. According to the FBI, their efforts have earned them an estimated $12 billion through Business Email Compromise, also known as CEO fraud scams. Defending against these types of phishing attacks is possible by layering technical and non-technical controls.
Most efforts to reduce risk have focused on the technical side. However, these technology safeguards must be supported by what is known as the human firewall. Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. They know that employees are the weakest link in any IT system. Thus, cybercriminals continue to rely on phishing and other tricks from the social engineering playbook. The following is a MINIMUM of what to have in place to protect yourself:
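As an added example that is not part of the original page, here is one of the technical controls that can back up the human firewall: a small Python check over mail headers and body that flags the executive-impersonation patterns described above (an executive's display name on a foreign address, a look-alike domain, a redirected Reply-To, payment or payroll language) so that finance or HR is told to verify by phone before acting. The company domain, executive list and both sample messages are constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed company data (constructed for this example, not real addresses).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
PAYMENT_TERMS = ("wire transfer", "urgent", "bank account", "w-2")

def score_message(raw: str) -> list[str]:
    """Return the CEO-fraud indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Display name of a known executive, but not that executive's real mailbox.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("exec-name-mismatch")
    # 2. Sender domain is a near miss of the company domain (e.g. examp1e.com).
    similarity = SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio()
    if domain != COMPANY_DOMAIN and similarity >= 0.85:
        findings.append("lookalike-domain")
    # 3. Replies are silently redirected to a third-party mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != domain:
        findings.append("reply-to-redirect")
    # 4. Subject or body asks for money movement or payroll/tax data.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("payment-language")
    return findings

def needs_callback(raw: str) -> bool:
    """Policy: any indicator means verify by phone before acting on the request."""
    return bool(score_message(raw))

# Constructed sample messages (not real mail).
FRAUD_MSG = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.invalid
To: cfo@example.com
Subject: Urgent wire transfer

Please process an urgent wire transfer to the new supplier account today.
"""
LEGIT_MSG = """From: Jane Doe <jane.doe@example.com>
Subject: Q3 board deck

Attached is the draft deck for Thursday.
"""
```

In a real mail flow this check would run on the gateway or in the finance mailbox rules, and the "verify by phone" step uses a number from the company directory, never one from the suspicious message.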
Did you know that 91% of successful data breaches started with a spear phishing attack? Find out what percentage of your employees are Phish-prone™ with your free phishing security test.
Why? If you don't do it yourself, the bad guys will. Take the first step now to significantly improve your organization’s defenses against cybercrime.