It’s a cruel technique that hackers have been using to shake down SMEs for years, though now the cyber-security world is seeing CEO Phishing develop frightening new forms. We don’t mean to panic you but…
As the boss you are of course responsible for everything your company does. However, don’t forget that your staff are accountable for everything they do, and that they feel a great deal of responsibility for doing the right thing.
Say your assistant receives an email from “your” account, referring to funds or files that only “you” could know about and demanding they send over whatever “you” are so urgently requesting – what do you expect them to do?
If they choose to ignore it, they could have prevented a significant cyber-attack and be due a massive handshake from yourself. However, they may instead have ruined a pivotal deal or lost you a new client.
Preying on your Staff
Hackers know there is a delicate balance between the demands of a boss and the drive of their staff to do well. So when a CEO Phisher targets the right person at the right time, an employee who has never been told how to check has little chance of spotting it.
The whole ploy counts on your staff wanting to impress you, so if it works it’s kind of a compliment too – right?
How CEO Phishing Works
Phishing is more effective than ever in a tech-dependent landscape that never stops changing, and it costs UK businesses over £1 billion every year.
Whether it uses a request to update your password or news that you've won some competition, the modern Phishing email can be near-impossible to spot. And once they have a foothold, whether by taking over your mailbox or by registering a domain that looks like yours, hackers can target your staff at their leisure with email requests for funds or files.
They can reach out to your entire team or home in on a particular member of staff – perhaps one who routinely conducts transfers, or someone new and more likely to carry out requests without checking.
It could happen when you've taken the afternoon off or while you're out of the country for a week – by reading your calendar, a hacker can lie in wait and pick the perfect moment to strike. They will then usually follow up the email from "you" with a phone call that "you" told the employee to expect. On that call they walk the employee through the details of the transfer, and the money is gone before anyone thinks to question it.
They can take aim internally, as most do, or pose as you while dealing with other businesses. Just last week, a high-profile case in Kansas saw a man pose as the CEO of a local finance firm and convince county office employees to transfer over half a million dollars into a bank account.
If it’s so simple to trick a government office, imagine how easily this technique works on SMEs with busier staff and less stringent security!
The approach of tax season makes CEO Phishing more dangerous still: staff are scurrying to get the relevant information sent off and are more susceptible than ever to an angry email from "the boss."
America is currently suffering from a new form of CEO Phishing that combines impersonation with the large-scale farming of personal tax information.
Just last week a payroll manager at Scotty's Brewhouse was unfortunate enough to respond to a request from his boss for the W-2 forms of the company's 4,000 employees, neatly arranged in PDF format. Of course, it wasn't his boss at all but a well-timed example of CEO Phishing combined with W-2 fraud.
Personable and approachable bosses are the ones who weed out the most potential attacks, so promote communication and let your teams know what you will never ask for via email.
What can I lose?
CEO Phishing is usually a small-scale operation, with the hacker looking to pull off a few transfers and then get out quickly, but it all depends on what the hacker wants.
From funds or personal information to sensitive company patents or secrets, the scale is open-ended. And the new wave of W-2 attacks Stateside does not instil us with confidence. While they are exclusively Stateside right now, we can expect similar attacks to hit our shores this year.
Whatever way you look at it, it’s a potentially expensive and embarrassing occurrence, so let’s make sure you avoid getting hooked.
What can I do?
As with all social engineering attacks, the best form of prevention is awareness. Here are a few tips that prevent CEO Phishing and promote workforce communication too!
Train Your Team – With some simple training, your employees can spot signs of a potential threat and respond accordingly. Work with your IT head to organise security workshops and make sure you take part too.
Check how Cyber Aware Your Organisation Is – Try our grader to get a free report on where your organisation stands.
Ensure You Sound like You – Give your emails a personal touch so staff know it's you, but don't rely on tone alone: a hacker who has taken over your mailbox can read exactly how you write. Set up guidelines on how to handle emails involving transfers and sensitive information and stick to them.
Double up on Authentication – Turn on two-step authentication for your email accounts so a stolen password alone won't get a hacker into your mailbox, and require a second, out-of-band confirmation (a call back to a number your staff already know, or a second approver) before any transfer or release of sensitive data. Checking the actual sender address rather than just the display name will also help to weed out phony lookalike domains and prevent your staff from being played.
Put Yourself in Their Shoes – CEO Phishing puts your staff in an awkward position where calling out “your” email as suspect will either make them very rewarded or make them feel stupid, so encourage an open discourse!
Tell your employees to trust their gut and, most of all, not to be afraid to check in with you.
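The tell-tale signs described under "How CEO Phishing Works" (mail from "your" account or a domain built to look like yours, a reply address that quietly points elsewhere, an urgent request for money or payroll data) and the phony-domain check in the tips above can be turned into a first-pass mail filter. The script below is an added example written for this article, not code from the original post or from any product it mentions. The company domain, the executive's name and address, and the three sample messages are all constructed for the demonstration.

```python
"""Flag inbound mail that looks like CEO Phishing.

Added example for this article. OUR_DOMAIN, EXECUTIVES and the three
sample messages below are constructed for the demonstration, not real data.
Plain-text messages only; a real filter would also walk multipart bodies.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-sme.co.uk"  # assumption: the company's real mail domain
# assumption: people whose "urgent" email requests must be confirmed by phone
EXECUTIVES = {"jane smith": "jane.smith@example-sme.co.uk"}

# Words that, coming from "the boss", should trigger a call-back on a known number.
URGENCY = re.compile(
    r"\b(urgent|asap|immediately|wire|transfer|w-2|payroll|confidential)\b", re.I
)

# Character swaps that look alike in many fonts ('rn' reads as 'm', and so on).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalise(domain):
    """Lower-case a domain and collapse the common homoglyph tricks."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance; one edit away from our domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain is not ours but is built to pass for it."""
    d = domain.lower()
    if d == OUR_DOMAIN:
        return False
    if normalise(d) == normalise(OUR_DOMAIN):
        return True  # homoglyph swap, e.g. example-srne.co.uk
    if d.split(".")[0] == OUR_DOMAIN.split(".")[0]:
        return True  # same name under a different TLD, e.g. example-sme.com
    return edit_distance(d, OUR_DOMAIN) <= 1  # one typo away


def analyse(raw_message):
    """Return the red flags raised by one RFC 822 message (empty list = clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    body = body if isinstance(body, str) else ""

    flags = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.append("display-name impersonation")  # boss's name, someone else's address
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to diverted")  # replies silently leave the From domain
    if is_lookalike(from_domain):
        flags.append("lookalike domain")
    if URGENCY.search(body):
        flags.append("urgent money/data request")
    return flags


# Constructed samples: a homoglyph lookalike, a genuine note, and mail sent from the
# real (compromised) mailbox with its replies diverted to an outside address.
SAMPLE_LOOKALIKE = (
    "From: Jane Smith <jane.smith@example-srne.co.uk>\n"
    "To: assistant@example-sme.co.uk\n"
    "Subject: Re: invoice\n\n"
    "I'm in a meeting and can't talk. Please wire the transfer to the new account today, it's urgent.\n"
)
SAMPLE_LEGIT = (
    "From: Jane Smith <jane.smith@example-sme.co.uk>\n"
    "To: assistant@example-sme.co.uk\n"
    "Subject: Minutes\n\n"
    "Minutes from this morning's meeting are attached. See you Thursday.\n"
)
SAMPLE_DIVERTED = (
    "From: Jane Smith <jane.smith@example-sme.co.uk>\n"
    "Reply-To: Jane Smith <jane.smith.private@mail-example.net>\n"
    "To: payroll@example-sme.co.uk\n"
    "Subject: Quick favour\n\n"
    "Need the payroll W-2 export before close of play. Reply to this address only, I'm travelling.\n"
)

if __name__ == "__main__":
    for label, sample in (("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT), ("diverted", SAMPLE_DIVERTED)):
        print(label, "->", analyse(sample) or "clean")
```

The third sample is the one worth dwelling on: it comes from the real address, so checking the sender domain alone passes it. The diverted Reply-To and the payroll wording are what catch it, which is why the flags are meant to prompt a phone call to a known number rather than to block or release anything on their own.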
How We Can Help
Phishing is a very persistent form of hacking that shifts with the times, and it’s not just at work that you’re at risk. Right now the UK is being swept by a Gmail hack that’s been noted as one of the most convincing attacks ever, fooling even experienced technicians.
You can subscribe to our email newsletter for frequent tips on improving your cyber-security. Our informative letters feature exclusive videos, guides, industry reports and more so that you can keep your business up to speed and safe.