Employees receive spoofed emails every day. Even C-level executives are receiving fraudulent requests to transfer money or provide sensitive information. This form of social engineering is known as CEO fraud, and it’s becoming more and more common.
The spike in the number of CEO fraud attempts indicates that cyber criminals are becoming more successful with this tactic than any other form of social engineering. Larger organizations should be especially wary of these calculated attacks given the increased number of people (targets) within the organization.
1. Identify Your High-Risk Users: These include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas, including a review of social/public profiles for job duties/descriptions, hierarchical information, out-of-office detail, or any other sensitive corporate data, and identify any publicly available email addresses and lists of connections.
2. Institute Technical Controls: Implementing tools such as two-factor authentication, email filters, and managing access/permission levels for all employees are some of the ways to ensure the organization has the highest defenses possible against the bad guys.
3. Set a Security Policy: Small or large, every organization should establish a security policy. The policy should be reviewed regularly to identify gaps and to make sure employees follow it. It should include things such as:
- Not opening attachments or clicking on links from an unknown source
- Not using USB drives on office computers
- Password management policy (no reusing passwords, no Post-it notes on screens as password reminders, etc.)
- Require security training for all employees
- Review the policy on WiFi access. Include contractors and partners as part of this if they need wireless access when on site.
4. Develop Standard Procedures: IT teams should have documented procedures in place so that the organization responds in an orderly, consistent way. Recommended company procedures should include:
- Require staff to study the security policy, and enforce it
- Establish how executive leadership is to be informed about cyber threats and their resolution
- Establish a schedule to test the cyber incident response plan
- Register as many lookalike domains as possible (spellings that differ only slightly from the actual company domain), so attackers cannot use them to impersonate the company
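As an added example (not from the original post or KnowBe4), here is a small Python check that applies the email-filter control from step 2 and the lookalike-domain concern from step 4 to inbound mail headers: it flags messages whose display name matches an executive but which come from an external domain, whose sender domain is a close typo of the company domain, or whose Reply-To points at a different domain than the From address. The company domain, executive names and sample headers are constructed for the example.

```python
from email.utils import parseaddr
# Constructed values for this example: a hypothetical company domain and the
# executives whose names attackers typically impersonate in CEO fraud.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "john smith"}

def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance; a small value between two domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(headers):
    """Return the CEO-fraud indicators found in one message's From/Reply-To headers."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = _domain(addr)
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    # 1. An executive's name in the display name, but the mail comes from outside.
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        flags.append("exec-display-name-external")
    # 2. Sender domain is a near miss of the real one (a dropped or swapped character).
    if from_dom and from_dom != COMPANY_DOMAIN and edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    # 3. Replies would go to a different domain than the one the mail claims to come from.
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append("reply-to-mismatch")
    return flags

# Constructed sample headers: one legitimate message and three classic fraud patterns.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example-corp.com>"},
    {"From": "Jane Doe <jane.doe@freemail.example>", "Reply-To": "jane.doe@freemail.example"},
    {"From": "Jane Doe <ceo@examp1e-corp.com>"},
    {"From": "Accounts Payable <ap@example-corp.com>", "Reply-To": "ap@other.example"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", assess(msg) or ["clean"])
```

A real mail gateway would add sender-authentication results (SPF/DKIM/DMARC) to these checks; the heuristics here only cover what is visible in the two headers.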
5. Training For All Users: No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimizing the dangers of CEO fraud. The best training programs teach users to recognize and report these requests before money or data leaves the organization.
Continued education about potential CEO fraud tactics is the only thing that can arm users to stay safe from these attacks. New-school security awareness training can help your employees identify phishing scams instinctively.
Original text by Stu Sjouwerman via Knowbe4