How does CEO fraud work?
The big difference between CEO fraud – also known as business e-mail compromise – and familiar forms of phishing is the amount of attention that the crooks pay to the companies they pick on. Fraudsters sometimes spend months collecting information about a target and preparing their hit. The fraud usually starts with a fake e-mail purporting to be from one of the organisation's directors or executives. The e-mail is sent to a manager or someone else working in the finance department, who is asked to transfer a large amount of money, typically to a payee abroad. If the recipient is suspicious about the message, it's often followed up by a phone call. The caller pretends to be from a reputable third party, such as a law firm (which doesn't really exist). Everything is done in a way that's credible enough to persuade the employee to arrange the transfer. The amounts involved can run into hundreds of thousands, which aren't covered by victims' insurers.
CEO fraud is on the rise all around the world. The total amount so far lost by the companies affected probably now runs into billions. Victims include a number of Dutch companies, and the National Cyber Security Center says that dozens of firms have been approached in the last few months. Many of those hit are big multinationals, but small and medium-sized companies can be targeted as well.
Why do people do what the fraudsters ask?
Not long ago, SIDN itself was targeted by CEO fraudsters. Fortunately, the employee who received the e-mail was very alert. And the message claiming to be from our CEO Roelof Meijer wasn't very convincingly written. But some of the people perpetrating this kind of fraud are a lot more professional. They use psychological tricks to try to win trust, such as including real details in their 'patter'. They might refer to the CEO's appearance or communication style, for example. Or they might drop in the names of other people working in the organisation. By using tactics like that, the criminals manage to make their payment requests seem legitimate. Another factor is that the targeted employees often have very little contact with their CEOs and are nervous about simply picking up the phone and calling for verification. No one likes to upset the 'big boss', after all.
Beware of 'spoofing'
Fake e-mails often succeed in tricking employees because they look as if they really do come from the CEO. Some CEO fraudsters are even able to 'spoof' the CEO's real e-mail address. So the employee gets a message that not only looks and sounds as if the CEO wrote it, but seems to come from the CEO's address. Fortunately, there are several open standards that can reduce the risk of spoofing: DKIM, SPF and DMARC. The standards tend to be used in combination to verify whether the mail host used matches the sender's domain, and whether the message content has been modified in transit. All three standards use the DNS system to publish information online. To minimise your risk, we strongly recommend using the standards in combination with DNSSEC, a security extension to the DNS.
A lot of e-mail client software supports DKIM, SPF and DMARC. If you visit the website internet.nl, you can check whether the standards are used for your domain. To start using the standards with your domain and e-mail service, it's usually best to contact your internet service provider, or to put your system manager in contact with them.
Remain alert at all times
Most CEO fraudsters use fake e-mail addresses. As in phishing scams, it can be hard to spot that the addresses used are fakes. That's often because they come from domains whose names are like the target company's name, but with something added, e.g. @nl-companyname.com or @m-companyname.nl. Or with a number instead of a similar-looking letter, e.g. a zero instead of the letter 'o', or a '1' instead of an 'l'. The main way to protect yourself against messages like that is to be alert at all times. Always check who a message is from, especially if the message includes an unusual request. Is the e-mail address correct? Is the sender's name spelled correctly? And, if you are suspicious about a request from your CEO, give him or her a call on a number that you already know.
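The checks described above can also be automated on the receiving side. The following is an added example (not SIDN's code or part of DBS) that compares the domain in a From: address with the organisation's genuine domain and reports the look-alike pattern it matches: a hyphenated add-on such as "nl-" or "m-", a digit in place of a letter, the same name under another top-level domain, or a single-character typo. It assumes the constructed domain companyname.nl as the genuine one and that the organisation name is the first DNS label.

```python
import re
from typing import Optional, Tuple

# Digits commonly substituted for look-alike letters (the post's examples are
# '0' for 'o' and '1' for 'l'); maps each confusable digit to its letter.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'nl-companyname.com' into ('nl-companyname', 'com').
    Assumption: the organisation name is the first label (no multi-level suffixes)."""
    label, _, suffix = domain.lower().strip().rstrip(".").partition(".")
    return label, suffix


def sender_domain(address: str) -> str:
    """Extract the domain from a From: header value such as 'CEO <ceo@example.nl>'."""
    match = re.search(r"@([^@\s>]+)", address)
    return match.group(1) if match else ""


def lookalike_reason(sender: str, legit_domain: str) -> Optional[str]:
    """Return why the sender's domain resembles legit_domain, or None when it is
    the genuine domain or bears no resemblance to it."""
    s_label, s_suffix = split_domain(sender_domain(sender) if "@" in sender else sender)
    l_label, l_suffix = split_domain(legit_domain)
    if (s_label, s_suffix) == (l_label, l_suffix):
        return None  # genuine domain (spoofing of the real address is DMARC's job)
    s_norm = s_label.translate(CONFUSABLES)
    if s_label == l_label:
        return "same name under a different top-level domain"
    if s_norm == l_label:
        return "digit substituted for a look-alike letter"
    if l_label in s_norm.split("-"):
        return "hyphenated prefix or suffix added to the real name"
    if edit_distance(s_norm, l_label) == 1:
        return "one character added, removed or changed"
    return None
```

A mail gateway rule built on this would quarantine or flag the message rather than block it outright, since legitimate partners occasionally have similar names; the human check (calling the CEO on a known number) still applies.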
DBS cuts the risk
A company that wants to reduce the chances of falling victim to CEO fraud is well advised to consider SIDN's Domain Name Surveillance Service (DBS). DBS is a monitoring tool that warns you whenever a domain name is registered that's very similar to your company name or brand name. By default, DBS flags up only .nl registrations. However, DBS also supports all the other big internet domains. The service opens the way for users to act promptly. By taking this initiative, we aim to reduce the risk of employees receiving fraudulent e-mails that include requests for the payment of large sums.
Want to find out whether our Domain Name Surveillance Service would suit your organisation? Visit https://www.sidn.nl/en/DBS.