Cybercriminals keep coming up with new methods to deceive and defraud businesses.
One such method gaining in popularity is the executive impersonation attack, also known as “CEO fraud,” where criminals use hacking and social engineering techniques to impersonate business executives and gain access to sensitive information and money.
According to the FBI’s Internet Crime Report 2022, a common type of executive impersonation attack, Business Email Compromise (BEC)/Email Account Compromise (EAC), cost businesses a whopping $2.7 billion.
Executive impersonation attacks don’t only damage businesses financially; they can also affect an organization’s reputation and its customers and business partners.
This blog will define executive impersonation, show you real-world examples of how criminals use this tactic, and suggest methods you can use to protect your business.
What Are Executive Impersonation Attacks?
Executive impersonation attacks are a method used by criminals who impersonate business executives, company leaders, or just a general boss or superior.
As an example, consider an employee who receives an email, which appears to be from the CEO or the CFO, asking for information or a money transfer. The request is urgent, and the situation described in the email is out of the ordinary. The sense of urgency drives the employee to comply with the request. Only later does the employee start to think rationally and regret their actions.
In addition to email, criminals can use several methods to impersonate business executives, such as fake social media accounts and job posts.
Executive impersonation relies on a cognitive bias that influences how employees respond to persons with authority, such as CXOs, directors, and managers. Oftentimes executive impersonation attacks also appear to come from a member of the HR or finance team, because of their relation to money and company data.
Even though this bias is desired in business settings – organizations cannot function without deference to authority – it does have its disadvantages.
You can use different methods, which the article will cover later, to protect your business from executive impersonation attacks.
What is Driving the Increase in Executive Impersonation Attacks?
Several factors are driving the increase in executive impersonation attacks against businesses around the world.
Information available on the web
Criminals use the wealth of personal and business data available on the Internet and social media to learn about businesses, their employees, and business partners. They use this information to plan their attacks and to convince their targets about their legitimacy and authenticity.
Remote work
The pandemic was the driving force behind remote work. With reduced in-office presence, employees could only communicate through electronic means and the Internet. Cybercriminals used this as an opportunity to target businesses with executive impersonation attacks.
The same holds true for the job application process. During the pandemic, the entire job application, interviewing, and onboarding process turned digital, allowing job opportunities to expand, but also opening the way for attackers to target each part of the process.
Even though the pandemic is over and employees are returning to offices, remote work is still popular and will remain so. Therefore, businesses must guard themselves from all existing and emerging cyber threats.
Low-risk crime
Executive impersonation carries a very low risk for the perpetrator: it is based on unexpected attacks that demand urgency. In most cases, victims comply with the request for information or money within an hour, after which the criminal can quickly “disappear.”
Authority bias
Humans have several cognitive biases, which are systematic errors of thinking or tendencies that drive people to make decisions or act irrationally.
One such cognitive bias is Authority Bias, a tendency to follow the instructions, suggestions, or advice of persons in positions of authority, such as senior management, teachers, doctors, policemen, or government officials.
Most business employees are unlikely to question requests or instructions from someone who is or is perceived as part of senior management. This is especially true when perpetrators use emotive language, promise future rewards, and request urgent action under “exceptional” circumstances.
What Methods are Used by Criminals for Executive Impersonation Attacks?
Cybercriminals use multiple methods to impersonate business executives and gain sensitive data, making it hard to defend against the onslaught of executive impersonation attacks. In order to arm your workforce, and business, against executive impersonation attacks, the first step is identifying the different types of attacks.
Business email compromise (BEC)
Despite its many shortcomings, email is still the workhorse of corporate communications.
Criminals use BEC, or email phishing, by spoofing or hacking an executive’s email account to trick employees into revealing sensitive information or transferring payments.
BEC often targets specific individuals with emails that are highly convincing and can contain attachments infected with viruses or links to malicious websites.
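The spoofing pattern described above can be checked mechanically at the mail gateway. The following is an added example (not code from the original post or from Bolster) that inspects an inbound message for the classic executive impersonation tells: a known executive’s display name paired with an address that is not theirs, a Reply-To that diverts replies elsewhere, a claim to be from the company domain without a DMARC pass in the gateway’s Authentication-Results header, and urgency or payment language. The executive directory, company domain, and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: a real deployment would load these from the directory/IdP.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john roe": "john.roe@example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|wire|gift cards?)\b", re.I)


def analyze_message(raw: str) -> list:
    """Return the list of impersonation indicators found in a raw RFC 5322 message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    # Display name of a known executive, but the mailbox is not theirs (lookalike or free-mail spoof).
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr != exec_addr:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")
    # Reply-To pointing somewhere other than the sender diverts the conversation to the attacker.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    # A message claiming our own domain must carry a DMARC pass from our gateway.
    auth = msg.get("Authentication-Results", "")
    if domain == COMPANY_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("claims company domain but DMARC did not pass")
    # Urgency and payment wording in subject or body is the social engineering lever.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "") + " " + msg.get("Subject", "")
    hits = sorted({m.lower() for m in URGENCY.findall(text)})
    if hits:
        reasons.append("urgency/payment language: " + ", ".join(hits))
    return reasons


# Constructed sample messages: one impersonation attempt, one legitimate note.
SPOOF = """From: Jane Doe <jane.doe@gmail-mail.example>
Reply-To: ceo.jane.doe@outlook.example
To: accounts@example.com
Subject: Urgent wire needed today

I'm in a meeting and can't talk. Please process this wire immediately.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
To: accounts@example.com
Subject: Q3 board deck

Attached is the draft deck for review next week.
"""
```

Running `analyze_message(SPOOF)` yields three indicators (display-name mismatch, diverted Reply-To, urgency wording) while `analyze_message(LEGIT)` yields none; in a gateway the count would feed a quarantine or banner decision rather than a hard block.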
Fake social media accounts
In today’s world, nothing matches social media’s global reach and influence. Billions use social media daily for information sharing, education, entertainment, and network and relationship building.
Business executives use social media to network and promote their businesses.
Criminals also use social media to impersonate respected and well-known business leaders, reach large audiences, and spread fake news that damages businesses financially and harms their reputations.
Fake job scams
Challenging economic conditions often cause people to act irrationally and impulsively. Bad actors use such human frailties to their advantage and gain at the expense of their victims.
Criminals use fake social media profiles or email accounts – that seemingly belong to reputable companies or their executives – to contact vulnerable workers and trick them into revealing personal information such as bank account numbers, date of birth, and social security numbers. They also often ask for a one-time upfront fee, such as an application or job training fee.
Real-World Examples of Executive Impersonation Attacks
Security and IT teams can proactively create defenses against executive impersonation attacks by analyzing how businesses have been scammed in the past.
Let’s take a look at some real-world executive impersonation attacks targeting major corporations:
- Toyota: In 2019, Toyota Boshoku Corporation, a European subsidiary of the Japanese giant, fell victim to a $37 million BEC scam. While Toyota did not reveal details about the exact method used by the scammers, it is evident that the scammers used social engineering to impersonate executives and pressured specific individuals into complying with their requests.
- Google and Facebook: Between 2013 and 2015, the two tech behemoths lost $121 million to a Vendor Email Compromise (VEC) attack. The perpetrator set up a fake company with the same name as an actual hardware supplier and created fake contracts and legal letters to get banks to accept payments. They then sent invoices to Facebook and Google, which were duly honored.
- Unnamed European corporate victim: In March 2019, criminals used AI-based deepfake voice technology to impersonate the voice of a company’s CEO. A phone call was made to the CEO of a British subsidiary, demanding an urgent €220,000 payment. The victims’ insurance provider declined to name the victims.
How Can Executive Impersonation Damage Your Business?
Executive impersonation attacks pose a multi-faceted threat to businesses and can cause significant damage:
- Financial loss: Executive impersonation attacks often lead to substantial financial losses. Once the funds are transferred, they are difficult to recover.
- Reputation damage: Business reputation can suffer if customers and business partners perceive a targeted organization as vulnerable to cyber threats.
- Data breaches: Leakage of sensitive data such as login credentials or proprietary information can lead to data breaches and the potential for further legal and regulatory consequences.
- Operational disruption: Attacks can disrupt business operations when they involve manipulating employees into taking specific actions – such as altering payment processes, diverting shipments, or disclosing sensitive information.
- Legal and regulatory consequences: Failure to protect sensitive information can result in fines and legal and regulatory repercussions.
- Loss of productivity: In the aftermath of an attack, businesses must spend time and resources to provide cybersecurity training for employees, investigate the attack, and regain customer trust, leading to losses in productivity.
- Supply chain compromises: Attackers can use compromised credentials to send fraudulent requests to business partners, suppliers, or customers, affecting multiple entities.
- Emotional and psychological impact: Employees who fall victim to impersonation attacks can experience several emotions, including stress, guilt, and anxiety. This can harm their well-being and job performance.
- Loss of competitive advantage: Competitors can exploit sensitive business information or intellectual property disclosed during an attack, leading to a loss of competitive advantage.
How Can You Prevent Executive Impersonation Attacks?
To protect against executive impersonation attacks, businesses must implement systems for:
- Training: Cyber threats are evolving daily. Regular employee training is mandatory to keep them informed about existing and emerging threats and standard operating procedures (SOPs) for responding to attacks.
- Financial control: Appropriate financial controls must be implemented that require authorization from multiple executives/nominees before any financial transaction can be completed.
- Cyber-security: Businesses must implement the latest technology that deals with traditional cyber threats, as well as emerging methods that use AI and machine learning (ML) to disguise, speed up, and automate attacks.
At Bolster, we help organizations defend against executive impersonation attacks by monitoring for misuse of your brand and your executives’ digital assets. When potential threats are detected, we will alert your team and initiate takedowns automatically.
To learn more about how Bolster can help your business defend against executive impersonation attacks, request a demo with our team today.