Cybercriminals have been taking advantage of authority figures within an organisation to put yet another scam in place: the CEO Fraud.

What is a CEO fraud?

The CEO Fraud attack happens in two stages: the exploration and the execution. First, cybercriminals spend enough time online, doing some research to learn more about an organisation and its collaborators. Then they try to reach out to those collaborators, via email, chat services or by phone, to get more specific information about the organisation’s directors, processes to execute a payment and clients and suppliers. After gathering all the needed information to make sure the scam will be a success, cybercriminals assume the identity of a high-ranked person within the organisation to make collaborators more confident and less likely to doubt the origin of the message received. Once in the role of the CEO or a director and after putting their victim at ease, the scammers will try to steal money and/or confidential data.

How to protect against CEO frauds?

1.    Raise collaborators’ awareness on scams that aim to steal confidential information

An organisation’s collaborators are its first line of defence. Your collaborators need to be made aware on how to identify scams and fake message in order to adopt the right reflexes. There are several ways cybercriminals try to steal collaborators’ credentials in order to get access to an organisation’s resources. A very common way is to use a phishing email, through which cybercriminals try to convince their victim to share passwords or confidential information. It is thus important to have regular informative sessions to train the collaborators about not sharing too much on social media and not clicking on a link or opening a file without analysing where it comes from first.

To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:

  • Is the sender someone I know?
  • Was I expecting a message on the topic mentioned?
  • Is the message asking for information such as a username, a password or bank account information?
  • Is it urgent?
  • Where does the link lead to? (only hover on it with your mouse, do not click)
  • Is there a QR code in the message?
  • Am I being addressed personally?
  • Does the message contain linguistic errors?
  • Is the message in the Spam / Junk folder?
  • Is someone trying to make me curious?
  • Is a payment requested?

2.    Raise your collaborators’ awareness on signs indicating a CEO fraud

When the demand stated in a message deals with unusual transfers, high amounts of money, unusual reasons to explain the need to receive the money or exceptional circumstances, it is probably a scam.

Signs to help you identify a CEO fraud attack:

  • The sender mentions how confidential the request is;
  • The sender insists on the urgency of the request;
  • You don’t know the sender’s email address or phone number;
  • There is an unusual pressure expressed to provide sensitive information or wire money;
  • You don’t know the bank account to which the money should be transferred;
  • The request happens a Friday evening or the day before a public holiday; and
  • A provider or a client mentions to modify their known bank information for you to transfer the money.

3.    Raise your collaborators’ awareness on how to secure homeworking

The CEO Fraud is becoming easier as homeworking is the new norm. Cybercriminals take advantage of isolated collaborator as it is easier to convince them to execute a payment. However, homeworking can be secured by implementing several best practices, such as enforcing strong passwords and Multi-Factor Authentication for all remote access. Multi-Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

In addition, the organisation should establish guidelines and rules for homeworking so its collaborators adopt the right behaviours, e.g., locking the workstation when leaving it or not leaving any passwords written and accessible.

Finally, the organisation should put security controls in place, such as encrypting all traffic from/to remote worker, enforcing antivirus and local firewall on devices allowed to connect remotely, updating all devices and software as soon as possible, regularly backing up the critical resources and securing the workstations by controlling what can be accessed remotely.

4.    Establish and share clear procedures on the authentication of people requesting a transfer and on the approval to execute a transfer

No matter who is requesting information, collaborators should be aware of the policies in place regarding data classification, information transfer and sharing and acceptable use of information. In addition, having an approval process for wire transfers lowers the chances of falling for this type of scam as someone along the process will always realise that the request is illegitimate and that nothing should be transferred. Finally, a process to verify the identity of the sender should also be in place by, for example, checking their name or bank account against an existing internal inventory or trying to contact them through another mean. Any changes requested to this existing inventory should be approved hierarchically.

5.    Pay attention to what you post online

Social media and an organisation’s website offer an important customer reach. However, it is not possible to always fully control the audience that has access to the information and posts shared. Personal or confidential information shouldn’t be shared on those platforms, as they could be used for malicious purposes, such as identifying which collaborators work in the finance department and would be more likely to be able to make an urgent transfer to their CEO.

6.    Secure the access to your accounts

Accounts are an entrance door to an organisation’s whole environment. They thus need to be protected by using strong passwords that are different for each account. A strong password is one of at least 12 characters and has a combination of upper and lower cases, numbers and symbols. In combination with a strong password, Multi-Factor Authentication should also be enabled wherever possible. Multi Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.

What to do if you get scammed?

  1. Report the incident immediately to your IT responsible.
  2. Warn your colleagues that they might be getting a message from someone impersonating your CEO or one of your organisation’s directors but that they should not trust it.
  3. Change all the passwords that were given (if any) on all the accounts they are being used.
  4. If the scam was about bank details, immediately contact the finance responsible to inform them of the incident. If you notice that money has been stolen from your bank account, be sure to file a complaint with the police.
  5. If you are the responsible of that bank account, call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.

Always report scams that happened via mail to your IT Responsible and to the relevant national authority ( (EN); (FR); (NL/DE)) and immediately delete it.

The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.