Impersonation fraud, or CEO fraud, has been the scourge of UK boardrooms in recent years, particularly throughout the pandemic.

In this kind of phishing attack, cybercriminals impersonate key individuals within a company to target other employees. They then convince these individuals to hand over private information or convince them to make a wire transfer from the company account.

What is CEO fraud?

CEO fraud is a type of phishing scam where fraudsters use social engineering to convince employees within an organisation to divulge confidential information or carry out a wire transfer. Fraudsters pretend to be a senior figure at the company, for example a CEO or CTO, to establish a relationship with the target.

This scam causes some of the biggest company losses — for small and large organisations alike. In fact, £17.8 million was lost to this type of fraud across the UK in 2019. Employees must understand how these attacks are carried out and how to spot them to keep company information and funds out of the hands of criminals.

How CEO fraud works

Stage 1: Choosing the target

Unlike standard phishing attempts, fraudsters spend a great deal of time researching both their target and the person they intend to impersonate.

In an age where staying relevant online is critical for businesses, information is constantly posted about corporate events, trips and award ceremonies on company websites and employees' LinkedIn pages. Although seemingly harmless, these posts aiming to advertise the company can be used by threat actors to determine when a senior manager will be out of office.

Once they identify who they’re going to impersonate, cybercriminals can explore their network, for example, the company’s sector, partners, transactions and updates. They can then work out who would be the best person to target, in other words, who would have the authority to disclose data or make a payment.

Stage 2: Manipulating the target

Once they’ve set up the perfect environment for the scam, the criminals send an email to the target either by hacking into the executive’s email directly or creating a similar address to appear authentic.

These emails normally contain a request for money or information. Although tricky to detect, they often contain the same tell-tale signs:

Sense of urgency: Cybercriminals want to catch employees off guard. By creating a sense of urgency and using phrases like “ASAP”, these fraudsters can convince their target to follow their instructions without taking a moment to assess the credibility of the request.

Leveraging seniority: There’s a reason cybercriminals go after the accounts of people within the C-suite. They know that requests to more junior employees are far more likely to be followed - even if the request itself is odd or breaks with usual process.

Requests for confidentiality: In these kinds of messages, there’s often a request to keep the transaction secret because it’s a highly confidential matter.

Attempts to bypass protocol: Normally, businesses have strict procedures in place when it comes to disclosing private information and making payments. Fraudsters will claim that there’s no need to follow protocol, for example, due to it being a time-sensitive situation.

Minor details are different: Check for details such as a missing signature, a different tone of voice and a slightly different email domain name. These are all things that could point to a phishing scam.

Stage 3: Employee reaction

Without the employee’s reaction, the phishing scam will fail. Cybercriminals know this, which is why they send “urgent” phishing emails, as employees are less likely to check for phishing signs (including whether the request was reasonable).

Employees might also be lured in by the cybercriminals who try to establish trust in an email chain by mentioning company events or achievements — information that’s readily available online.

When fraudsters emphasise the importance of confidentiality, they dissuade employees from seeking verification as they know a second pair of eyes could help to spot the scam. It also means by the time the phishing attack has been discovered, it’s often too late for security teams to respond.

It’s especially common for new joiners to be targeted by CEO impersonation - and a quick LinkedIn search can easily reveal a list of new joiners to most businesses. These people are easier targets, as they’re less likely to know the usual business processes or be familiar with a CEO’s communication style. They also might be eager to impress and act faster than a more experienced team member.

All of these factors lead to a data leak or a transfer of funds, both of which can severely harm a company’s reputation.

How to prevent CEO fraud

Spam filters are often ineffective against this type of phishing email because cybercriminals use social engineering as opposed to malicious links. They’re relying on a human mistake, rather than finding a flaw in the security defences. However, there are things you can do to prevent this type of attack:

Check the sender email address: Cybercriminals can change the display name, so they might set this to your CEO’s email address or name. Double-check the real email address before replying.
Always verify the information: If you receive an unusual request for confidential information or payment, call the supposed sender to make sure the message is authentic.
Identify key targets: Inform key targets (CEOs, CTOs, heads of departments) of the risk of impersonation and make them aware of the importance of using social media sensibly.
Train your staff: Raise awareness throughout the company of how to spot phishing scams and how to report them. Advise new joiners to be particularly wary of impersonation attempts.
Employ security tools: Use tools like Egress Defend to stay one step ahead of cybercriminals. Unlike spam filters, Egress Defend analyses the content and context of an email to decipher whether it’s a scam. It uses machine learning to take human error out of the equation and keep all users safe from impersonation attempts.