Imagine that cybercriminals send an email to your company's accountant posing as a senior manager. In it they order a transfer, possibly worth millions, to an account they control. The accountant complies and the company loses a great deal of money. Does that seem implausible? It is real, and this type of attack, known as 'CEO fraud' (a form of business email compromise), has become one of the most common tools in the cybercriminal's kit.
It works as follows: the attacker impersonates someone with high decision-making power, using an email address that looks similar to the CEO's personal one (a lookalike domain, a display name that matches the CEO over an unrelated address, or a free webmail account presented as the CEO's private mailbox), a fake phone call or a similar technique. The cybercriminal then instructs the target employee, typically someone able to move money or goods, to make a transfer or to ship materials to a destination the attacker specifies.
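The lookalike-address trick described above is something a mail gateway or SOC rule can catch mechanically. The following is an added example, not code from the original article: it flags inbound mail whose display name claims to be a known executive while the sender address is not that executive's real mailbox, distinguishing a near-miss domain from an unrelated external address. The company domain, the executive list and the sample headers are all constructed for illustration.

```python
"""Flag mail that claims to come from an executive but does not.

Added example for the article's 'lookalike address' scenario. The company
domain, executive directory and sample headers below are constructed
assumptions, not data from the article or from any real organisation.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                        # assumption
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumption: real CEO mailbox


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot near-miss domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_from_header(from_header: str) -> str:
    """Return 'ok' or a verdict describing how the From header is suspicious."""
    name, addr = parseaddr(from_header)
    key = name.strip().lower()
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    if key not in EXECUTIVES:
        return "ok"                       # not claiming to be a known executive
    if addr == EXECUTIVES[key]:
        return "ok"                       # genuine mailbox (SPF/DKIM/DMARC still apply upstream)
    if domain == COMPANY_DOMAIN:
        return "suspicious-internal-mismatch"   # our domain, but not the CEO's address
    if edit_distance(domain, COMPANY_DOMAIN) <= 2:
        return "lookalike-domain"         # e.g. examp1e.com or exarnple.com
    return "external-impersonation"       # e.g. CEO's name over a webmail account


def scan(messages: list[dict]) -> list[tuple[str, str]]:
    """Run the check over message dicts and return (message id, verdict) for hits."""
    hits = []
    for msg in messages:
        verdict = classify_from_header(msg["from"])
        if verdict != "ok":
            hits.append((msg["id"], verdict))
    return hits


# Constructed sample headers, not captured traffic.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "Jane Doe <jane.doe@example.com>"},      # legitimate
    {"id": "m2", "from": "Jane Doe <jane.doe@examp1e.com>"},      # digit for letter
    {"id": "m3", "from": "Jane Doe <ceo.jane@webmail.invalid>"},  # 'personal' account
    {"id": "m4", "from": "Jane Doe <jdoe@example.com>"},          # wrong internal mailbox
    {"id": "m5", "from": "Bob Smith <bob@partner.invalid>"},      # not an executive
]

if __name__ == "__main__":
    for msg_id, verdict in scan(SAMPLE_MESSAGES):
        print(f"{msg_id}: {verdict}")
```

A verdict here is a reason to route the message for human review, not proof of fraud: a genuine executive really may write from a personal account, which is exactly why the article's advice to verify through another channel matters more than any filter.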
It might sound simple, but it is not. Preparing this fraud can take months, or even years. Criminals monitor the chosen CEO exhaustively: they research him or her on social media (both personal profiles and the company's), study the company's commercial relationships with other firms, and even learn how he or she writes and speaks, where he or she lives and his or her personal situation, so that the fraudulent message sounds authentic.
To avoid this fraud, the best thing you can do is apply common sense and follow your company's security protocols: whenever a request concerns significant amounts of money or sensitive information, verify it through a channel other than the one it arrived on (for example, call the executive on a number you already have, never one supplied in the email); be suspicious if the language in the email is not the sender's usual style, if it presses for urgency or secrecy, or if the reply address differs from the sender's; and insist that large transfers require a second approver, as your company's protocols should already demand.
