Sometimes it’s hard to believe the stories we read. In CEO fraud incidents, cybercriminals make off with double-digit million sums by persuading employees that they are acting on behalf of the CEO or another senior manager. Employees then transfer the requested amount to an alleged account of a partner or supplier, based on nothing more than an e-mail or telephone request and without seeking confirmation. CEO fraud follows a similar method to telephone cons targeting the elderly but causes significantly higher financial damage. In mid-2016, an international network was dismantled that had allegedly earned USD 60 million through the cybercriminal methods of Business Email Compromise (BEC) and CEO fraud. Similar attacks are now occurring on a daily basis in Germany, with equally dramatic consequences. According to the Association of the Internet Industry in Europe (eco), an estimated EUR 40 million has already been lost by German SMEs to this type of fraud. This is all the more surprising since the trick has been widely publicized since the end of 2015. By now, such a request shouldn’t raise more than a tired smile, just like the 419 fraud e-mails that promise unbelievable interest on million-dollar investments abroad.
It is questionable whether employees will continue to fall for such primitive fraud methods. However, there are two obvious lessons to be learned from CEO fraud. On the one hand, internal processes need to be improved so that no single employee can make such large transactions alone without verification. On the other hand, in many companies employees apparently fear dealing with executives: they would rather give away millions of the company’s money than seek confirmation through official channels. Processes can be optimized quite easily; cultures, however, are hard to change. A long-term awareness campaign with the right audience and content could help. It could inform executives and employees of potential threats and increase their awareness of the risks they may encounter.
Awareness campaigns are also important because they prevent employees from seeing themselves as a mere risk factor for the company. Employees should not be the weakest but the strongest link in the security chain. It is not a matter of pointing out errors in behavior but of demonstrating potential risks, so that employees are able to respond effectively when they encounter a risk situation. Awareness campaigns can also teach employees that security measures are not time-consuming nuisances but safeguards that may protect them from the consequences of errors of judgment. For example, it may be annoying that the company network is only accessible via VPN and that this requires a password and a token each time; however, this also limits the damage a thief can cause with a stolen mobile device. A laptop might be gone, but there are no further consequences after the theft. This lets employees, administrators and management sleep easily at night.