NIS2, Are you on scope?
Belgium's new cybersecurity law enters into force. Check it out now.
Cybercriminals have been taking advantage of authority figures within an organisation to put yet another scam in place: the CEO Fraud.
The CEO Fraud attack happens in two stages: the exploration and the execution. First, cybercriminals spend enough time online, doing some research to learn more about an organisation and its collaborators. Then they try to reach out to those collaborators, via email, chat services or by phone, to get more specific information about the organisation’s directors, processes to execute a payment and clients and suppliers. After gathering all the needed information to make sure the scam will be a success, cybercriminals assume the identity of a high-ranked person within the organisation to make collaborators more confident and less likely to doubt the origin of the message received. Once in the role of the CEO or a director and after putting their victim at ease, the scammers will try to steal money and/or confidential data.
An organisation’s collaborators are its first line of defence. Your collaborators need to be made aware on how to identify scams and fake message in order to adopt the right reflexes. There are several ways cybercriminals try to steal collaborators’ credentials in order to get access to an organisation’s resources. A very common way is to use a phishing email, through which cybercriminals try to convince their victim to share passwords or confidential information. It is thus important to have regular informative sessions to train the collaborators about not sharing too much on social media and not clicking on a link or opening a file without analysing where it comes from first.
When the demand stated in a message deals with unusual transfers, high amounts of money, unusual reasons to explain the need to receive the money or exceptional circumstances, it is probably a scam.
The CEO Fraud is becoming easier as homeworking is the new norm. Cybercriminals take advantage of isolated collaborator as it is easier to convince them to execute a payment. However, homeworking can be secured by implementing several best practices, such as enforcing strong passwords and Multi-Factor Authentication for all remote access. Multi-Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.
In addition, the organisation should establish guidelines and rules for homeworking so its collaborators adopt the right behaviours, e.g., locking the workstation when leaving it or not leaving any passwords written and accessible.
Finally, the organisation should put security controls in place, such as encrypting all traffic from/to remote worker, enforcing antivirus and local firewall on devices allowed to connect remotely, updating all devices and software as soon as possible, regularly backing up the critical resources and securing the workstations by controlling what can be accessed remotely.
No matter who is requesting information, collaborators should be aware of the policies in place regarding data classification, information transfer and sharing and acceptable use of information. In addition, having an approval process for wire transfers lowers the chances of falling for this type of scam as someone along the process will always realise that the request is illegitimate and that nothing should be transferred. Finally, a process to verify the identity of the sender should also be in place by, for example, checking their name or bank account against an existing internal inventory or trying to contact them through another mean. Any changes requested to this existing inventory should be approved hierarchically.
Social media and an organisation’s website offer an important customer reach. However, it is not possible to always fully control the audience that has access to the information and posts shared. Personal or confidential information shouldn’t be shared on those platforms, as they could be used for malicious purposes, such as identifying which collaborators work in the finance department and would be more likely to be able to make an urgent transfer to their CEO.
Accounts are an entrance door to an organisation’s whole environment. They thus need to be protected by using strong passwords that are different for each account. A strong password is one of at least 12 characters and has a combination of upper and lower cases, numbers and symbols. In combination with a strong password, Multi-Factor Authentication should also be enabled wherever possible. Multi Factor Authentication requires a user to provide at least two different methods (e.g., passwords and PIN code, PIN code and a code received via text) to verify their identity and grant them access to the resource they are trying to reach.
Always report scams that happened via mail to your IT Responsible and to the relevant national authority (suspicious@safeonweb.be (EN); suspect@safeonweb.be (FR); verdacht@safeonweb.be (NL/DE)) and immediately delete it.
The aim of this content is to share and raise awareness of good cyber security practice.
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.