Five CEO scams to watch out for

John Wilson at Fortra explains that as we close out the year, business leaders need to stay more alert than ever to CEO fraud

Everyone is rushing to finish the year strong, and attackers are counting on the fact that no one wants to ruin their boss’ day. Unfortunately, our knee-jerk attentiveness is what can get us into trouble. Here’s the scenario; you receive an urgent request from your CEO asking you to perform an action with details that are sketchy at best. If this doesn’t ring alarm bells, it should! 

CEOs are a favourite target – and weapon – of attackers because of their unique position within the corporate hierarchy. Here’s what you need to know about this growing fraud favourite, and five of the most common CEO scams to watch out for.

CEO fraudsters: underprepared and dangerous

The statistics demand to be taken seriously; yet how scammers scrap up those numbers may be surprising. Let’s look at how much CEO fraud costs. Keep in mind that CEO fraud takes many different forms.

Our first type of fraud, Business Email Compromise (BEC), is just one common type of fraud. And yet diving into BEC numbers alone will show how deadly the CEO scam category can really be.

The most recent FBI Internet Crime (IC3) Report revealed that BEC accounted for total losses of over $2.7 billion in 2022 alone. By comparison, the “Boogey Man” that is ransomware only exacted a seemingly paltry $34.3 million (amateurs...). BEC – just one form of CEO fraud – costs over 78 times more than all the ransomware attacks put together. That’s a force to be reckoned with.

So, just what type of highly evolved threat are we dealing with? The answer might surprise you. When the Verizon 2023 DBIR noted that 74% of breaches originated from human error, they weren’t kidding. 

Most CEO fraud schemes are not particularly well thought-out. The scammer Googles the name of a company’s CEO, then uses a free trial of a marketing service such as ZoomInfo or Lead411 to gather a handful of contacts in HR or Finance, depending on the scam they are attempting.

Next, they send out a batch of templated emails, usually from a free webmail account. In this scenario, the amount of research they’ve done is minimal, because they are counting on volume rather than quality. Typically, their bet pays off.

A somewhat more recent trend is to send their requests via SMS to the employee’s personal mobile device or send an email to the personal email address of the employee. They most likely gleaned this information quite benignly from LinkedIn (no super-scammer skills here), and there’s a chance they don’t even realise it’s the employee’s personal mobile or email.

These schemes can be more effective because they avoid the usual corporate email controls and hit us unaware – on a personal playing field where we usually feel safe reading our colleagues’ and friends’ messages.

Of note: The majority of these requests originate from West Africa. You may be tempted to block any messages originating from Nigeria, Côte d’Ivoire, and Benin, but sadly, it is not so easy. Most free webmail services hide the true originating IP address of the message, ostensibly to protect their users’ privacy. The scammers behind CEO fraud typically use VPNs and proxies, including residential VPNs and remote desktop solutions, making it difficult to ascertain their true location even when their client IP address is correctly reflected in the email headers. 

While it may take fancy adversarial techniques to get around today’s sophisticated threat detection engines, it unfortunately only takes a little time, creativity, and persistence to get around us. The moment our guard drops, even for our “CEO”, attackers step right in. 

And this is what they do.

Four more common types of CEO fraud

As well as BEC fraud, the most common CEO fraud scams in order of frequency are the gift card scam, payroll diversion scam, fake invoice scam, and aging report scam.

Gift card scam

Gift card scams break down into three main lures:

• The “CEO” needs a gift for a friend or relative’s birthday. There’s usually a sad story about cancer, covid, or a death in the family woven into the story.
• The “CEO” needs gift cards to reward some staff members. The victim is told to keep it a secret because the CEO wants the gift to be a “surprise”. Well, it will be. 
• The “CEO” needs gift cards to give to clients. Sometimes they mention a client presentation.

Payroll diversion scam

The payroll diversion scam is quite straightforward. Those working on the payroll team have seen it: “I recently changed banks and wish to update my direct deposit.” The CEO used to be the title of choice in 90% of these, but due to better email security, many threat actors have pivoted toward impersonating mid-level managers or front-line workers as their primary lure.

Fake invoice scam

The fake invoice scam takes three primary forms:

• A bogus reply-chain that makes it appear as if the CEO is being pestered by a legitimate company for payment. The "CEO" forwards this chain to someone in finance and tells them to issue the payment immediately.
• The "CEO" claims they owe an "outside consultant" money; Can you pay the consultant today as it’s overdue?
• The "CEO" claims the company is involved in some sort of M&A activity, but to avoid losing the deal money must be wired right away. Everything must be kept super-secret of course. 

Aging report scam

The aging report scam occurs in two phases.

1. Phase I: The attacker will pose as the CEO, then ask members of the Accounts Receivable (AR) team for a copy of the AR aging report so they can "do some research". 
2. Phase II: Now posing as the AR clerk they tricked in phase I, the attacker will then contact all the customers on the report asking for payment. The ones who respond are told the company has updated their payment instructions. As an incentive – and to add urgency – the customer is sometimes offered a 10-15% discount for prompt payment.

These highly lucrative tricks gamble on human nature, and they win – $2.7 billion dollars of the time. It’s clear who has the gambling problem. But with odds like these, who would stop?

The House always wins (or it should)

Attackers are gamblers, and we are the house; that’s IT, security, employees, and the CEOs themselves. We need to know our craft. We need to know our enemy. And we need to know enough so that we don’t get taken in. CEO fraud is largely a battle of wits, and we need to have ours about us.

It’s also a matter of who you let in the door. You need a robust security awareness programme to ensure employees know what to look out for, and who to report suspicious activity to. They also need to understand what’s required from a compliance perspective, and how to correctly process payments.

Finally robust email security solutions should be in place so that between people, processes, and technology, you can ensure the House always wins. 

John Wilson is Senior Fellow, Threat Research at Fortra

Main image courtesy of iStockPhoto.com