It’s a cruel technique that hackers have been using to shake down SMEs for years, though now the cyber-security world is seeing CEO Phishing develop frightening new forms.
As the boss you are of course responsible for everything your company does. However, don’t forget that your staff are accountable for everything they do, and that they feel a great deal of responsibility for doing the right thing.
Say your assistant receives an email from “your” account. It refers to funds or files that only “you” could know about and demands that they send over what “you” urgently need – what do you expect them to do?
If they choose to ignore it, in the case of a cyber-attack they will have prevented a significant risk to the business. However, they may instead have ruined a pivotal deal or lost you a new client.
Preying on your staff
Hackers recognise there is a delicate balance between the demands of a boss and the drive of their staff to do well.
When a CEO Phisher targets the right person at the right time, there’s not much that can be done; you are reliant on your staff staying vigilant if you want to avoid falling victim.
The best thing you can do to defend yourself is to invest in Security Awareness Training and constantly remind staff about what they can do to be vigilant.
How CEO phishing works
Phishing is a more effective hack than ever in our ever-changing tech-oriented landscape, costing UK businesses over £1 billion every year.
Whether disguising an attack as a request to update your password, or using news you’ve won a fake competition, the modern Phishing email can be near-impossible to spot.
Once you’ve been infiltrated, hackers can easily target your staff with email requests for funds or files.
They can reach out to your entire team or home in on a particular member of staff – perhaps one who routinely conducts transfers, or someone new and more likely to carry out requests without checking.
It could happen when you’ve taken the afternoon off or while you’re out of the country for a week – by looking at your calendar, a hacker can lie in wait and plot the perfect time to strike. Usually, they will follow up the email from “you” with a phone call that “you” told the employee to expect. They then instruct the employee on the details of the transfer, and money is taken over the phone.
The intruders can take internal aim, as most do, or pose as you while interacting with other businesses.
A high-profile case in Kansas saw a man pose as the CEO of a local finance firm and convince county office employees to transfer over half a million dollars into a bank account.
If it’s so simple to trick a government office, imagine how easily this technique works on SMEs with busier staff and less stringent security!
CEO Phishing offers greater potential for disaster than ever with the approach of tax season, with staff all scurrying to get the relevant information sent off and more susceptible than ever to an angry email from “the boss.”
America is currently suffering from a new form of CEO Phishing that combines impersonation with the large-scale farming of personal tax information.
An employee payroll manager at Scotty’s Brewhouse was unfortunate enough to respond to a request from his boss for the W-2 forms of his 4,000 employees neatly arranged in PDF format. Of course, it wasn’t his boss at all but a well-timed example of CEO Phishing combined with W-2 fraud.
This style of attack, which only arose in February 2016, has already crippled hundreds of SMEs as well as county school systems and other vulnerable institutions.
Personable and approachable bosses are the ones who weed out the most potential attacks, so promote communication and let your teams know what you will never ask for via email.
What can I lose?
CEO Phishing is usually a small-scale operation with the hacker looking to achieve a few transfers then get out of there quick, but it all depends on what the hacker wants.
However you look at it, it’s a potentially expensive and embarrassing occurrence. So, let’s make sure you avoid getting hooked.
What can I do?
As with all social engineering attacks, the best form of prevention is awareness.
Here are a couple of tips to prevent CEO Phishing as well as promote workforce communication!
Train Your Team – With some simple training, your employees can spot signs of a potential threat and respond accordingly. Contact your IT Support Partner to learn more about Security Awareness Training. Investing in this could save your business financial and reputational damage if you were to fall foul of a hacker.
Ensure You Sound like You – Give your emails a personal touch so staff know it’s you! Set up guidelines on how to handle emails involving transfers and sensitive information and stick to them.
Double up on Authentication – Introduce two-step authentication for important emails and transactions. This will also help to weed out phoney domains and prevent your staff from being played.
Put Yourself in Their Shoes – CEO Phishing puts your staff in an awkward position. Calling out “your” email as suspect will either make them feel very rewarded or feel stupid, so encourage an open discourse!
Tell your employees to trust their gut and, most of all, not to be afraid to check in with you.
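The “phoney domain” and “email from ‘your’ account” warning signs above can be checked automatically before a message reaches the payroll inbox. The following is an added example, not code from the article or its authors: it parses a message, compares the claimed display name against an assumed executive directory, flags sender domains that are a character or two away from the company’s real domain, and flags a Reply-To that silently redirects the conversation elsewhere. The domains, addresses and sample messages are constructed for illustration.

```python
# Added example: flag executive-impersonation e-mails for out-of-band verification.
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-smb.co.uk"                           # assumed real mail domain
EXECUTIVES = {"jane smith": "jane.smith@example-smb.co.uk"}    # assumed directory


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: str) -> list[str]:
    """Return a list of reasons the message should be verified by phone before acting."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:          # the boss's name on a stranger's address
        findings.append(f"display name '{name}' used with non-directory address {addr}")
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {domain}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower() != addr.lower():        # replies quietly diverted to the attacker
        findings.append(f"Reply-To {reply} differs from From {addr}")
    return findings


# Constructed sample messages: one genuine, one impersonation attempt.
LEGIT = ("From: Jane Smith <jane.smith@example-smb.co.uk>\n"
         "To: payroll@example-smb.co.uk\nSubject: Q3 figures\n\n"
         "Can you send the Q3 summary when you get a chance?\n")
SPOOF = ("From: Jane Smith <jane.smith@examp1e-smb.co.uk>\n"
         "Reply-To: Jane Smith <ceo.urgent@freemail.example>\n"
         "To: payroll@example-smb.co.uk\nSubject: Urgent transfer - out of the country\n\n"
         "Please wire the supplier payment today, I'll call you shortly.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, analyse(raw) or ["no findings"])
```

Any message with findings should be held and confirmed by a phone call to a number already on file, not one given in the email.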
How we can help
Phishing is a very persistent form of hacking that is constantly evolving, and it’s not just at work that you’re at risk. Get in touch with us to learn more about Security Awareness Training and how it could help your business.