SECURITY ADVICE (TIP) 04.March 2024: CEO Fraud


What is the “CEO Fraud”?

CEO Fraud is a type of cyberattack that can be committed using the methods discussed so far: Phishing (email), Vishing (phone or video call) and Smishing (text message, or a video or audio message).

It consists of impersonating a person with a position of authority or responsibility within a private company or public entity. Although the name refers to the CEO (Chief Executive Officer), any manager, director or coordinator, or even a political or public figure, can be impersonated.

The aim is for the User to fully trust the communication received, because it appears to come from a trustworthy person whose request must be attended to. In fact, with Artificial Intelligence it is now increasingly easy to create fake communications using a person's real image and voice (as the example image shows, with the faces of celebrities). In addition, to prevent Users from having time to think carefully about their response or to detect the fraud, requests made by these means are almost always extremely urgent.

What does this imply?

That if our boss urgently asks us to change a password, download a file, make a transfer or provide some data or information, we will most likely respond as soon as possible, without giving much thought to whether what he/she is asking for makes sense.

How can we detect these attacks?

  • Contact by other means: A call to the person who is urgently requesting something allows us to verify whether it is a fraud or a real request. It is very important that we do not attempt this check by replying to the same message, because we could alert the cybercriminal to our suspicion, which would make things worse.
  • Apply common sense: Let's take some time to think about whether what is being requested is usual, and whether the channels set out in corporate policies or work procedures are being used for this type of request. Here are some examples:
      • If internal procedures state that password changes must be requested by email to a specific support address or through a specific platform, do not trust any call, text or voice message you may receive unless you are sure it is not a hoax.
      • If we are prohibited from sending information via WhatsApp or similar services, our superior will never ask us for confidential documents or data by this means.
      • If double approval or internal verification is required for transfers, do not change payment details or make such transactions lightly, however urgent they may seem.

WE REMIND YOU AGAIN: If you believe that you have provided personal or professional information which you should not have disclosed because of this type of cyber-attack, report it: in the work environment, notify the IT Dept., CISO or DPO; in the personal environment, report it to the police authorities.