Establish codes
Clear policies and procedures are necessary so that employees can confirm a request that seems unusual or that triggers pre-determined policy alarms, experts agree. However, for these policies and procedures to be effective, it is essential that the senior executives who might be spoofed in the malicious emails — the CEO, president, CFO or other senior executives — agree to respond when an employee is doing their due diligence and asks the executive to confirm a request made by email or text message, says Joseph Blankenship, principal analyst at Cambridge, Mass.-based Forrester Research. Companies must foster a work environment where no worker will be criticized, hassled or challenged for inquiring about such messages.
“People are often scared to challenge the CEO” by making such direct inquiries, which is what the cybercriminals hope will occur, he says.
One way to battle attackers is to establish clear and concise code words or phrases that can be used by the real CEO or other senior executive to authenticate his or her identity in an emergency. If the established code words are not known and repeated exactly by the attackers, then the employee can have a strong indication the email request is fake and they can reject it without concern about being fired for not following orders, says Christian Christiansen, an IT security analyst with Hurwitz & Associates of Needham, Mass.
“It seems like CEO fraud is just the phishing attack that keeps on taking via wire fraud,” says Christiansen. “There are many solutions, even some that are tech-free, but people seem to mistakenly continue trusting email.”
That is where using secret codes, such as a few words in an agreed pattern or specific statements on topics known only to the real CEO and their employees, can be particularly effective for authenticating an email sender, he says. Also important is creating and maintaining financial transaction procedures under which no wire transfer can be initiated solely by one person, regardless of who that individual is. Instead, controls should be added so that all such transfers require a second or third person to authorize them above a certain amount, or whenever the money is being sent outside the United States, says Christiansen.
Similar controls should also be placed on corporate credit cards, so that employees are spared from having to make judgment calls under pressure during such attacks, he says.
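The controls Christiansen describes (no single person releases a wire, extra approvers above a threshold or for international destinations, and an out-of-band confirmation of any instruction that arrived by email) can be enforced by a payment system rather than left to individual judgment. The following Python policy check is an added illustration, not code from the article or from any of the analysts quoted; the dollar thresholds, the channel names "email" and "portal", the employee names and the sample requests are all constructed assumptions, since the article only speaks of "a certain amount" and "outside the United States".

```python
"""Segregation-of-duties checks for outgoing wire transfers.

Illustrative example, not from the article: a request is released only when
it carries the number of independent approvals the policy demands and, if the
instruction arrived by email, has been confirmed with the named requester
through a separate channel (a callback to a known number, an agreed code
phrase exchanged in person, etc.).
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed policy parameters for illustration only.
SECOND_APPROVER_THRESHOLD = 10_000   # above this, one extra approver
THIRD_APPROVER_THRESHOLD = 100_000   # above this, two extra approvers
HOME_COUNTRY = "US"                  # any other destination needs an approver


@dataclass(frozen=True)
class WireRequest:
    request_id: str
    initiator: str            # employee who keyed in the transfer
    requested_by: str         # person the instruction claims to come from
    amount: float
    destination_country: str  # country of the beneficiary bank
    origin: str               # "email" or "portal" (constructed channel names)
    approvers: Tuple[str, ...] = ()
    confirmed_out_of_band: bool = False


def required_approvals(req: WireRequest) -> int:
    """Number of approvers, beyond the initiator, that the policy requires."""
    needed = 0
    if req.amount > SECOND_APPROVER_THRESHOLD or req.destination_country != HOME_COUNTRY:
        needed = 1
    if req.amount > THIRD_APPROVER_THRESHOLD:
        needed = 2
    return needed


def evaluate(req: WireRequest) -> Tuple[bool, List[str]]:
    """Return (release_ok, reasons). An empty reason list means the wire may go."""
    reasons: List[str] = []

    # An instruction that came in by email must have been confirmed with the
    # named requester over a channel the sender of the email does not control.
    if req.origin == "email" and not req.confirmed_out_of_band:
        reasons.append("email-originated instruction not confirmed out of band")

    # Nobody approves their own entry, and the person the instruction claims to
    # come from cannot be an approver either: a spoofed executive must not be
    # able to supply both the instruction and its approval.
    excluded = {req.initiator, req.requested_by}
    if any(a in excluded for a in req.approvers):
        reasons.append("initiator or requester listed as approver")
    independent = [a for a in dict.fromkeys(req.approvers) if a not in excluded]

    needed = required_approvals(req)
    if len(independent) < needed:
        reasons.append(f"needs {needed} independent approval(s), has {len(independent)}")

    return (not reasons, reasons)


# Constructed sample requests (names, amounts and countries are made up).
ROUTINE = WireRequest("r1", "alice", "alice", 2_500, "US", "portal")
URGENT_EMAIL = WireRequest("r2", "bob", "ceo", 48_000, "HK", "email",
                           approvers=("bob",))
VERIFIED = WireRequest("r3", "bob", "ceo", 48_000, "HK", "email",
                       approvers=("carol",), confirmed_out_of_band=True)
LARGE = WireRequest("r4", "bob", "cfo", 250_000, "US", "portal",
                    approvers=("carol", "dave"))

if __name__ == "__main__":
    for r in (ROUTINE, URGENT_EMAIL, VERIFIED, LARGE):
        ok, why = evaluate(r)
        print(r.request_id, "RELEASE" if ok else "HOLD", why)
```

The design point is that the hold decision is made by the policy, not by the employee: an "urgent" email naming the CEO, with the initiator trying to approve their own entry, is held for three separate reasons, and the employee never has to argue with a purported executive to justify that outcome.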
Today’s attacks feature the same hallmarks as previous incidents, with the attackers conducting a wide range of basic research on the CEO using internet searches, often revealing travel plans, hobbies, favorite sports teams and other information the attackers use to bluff company employees into believing they are the person they are impersonating. While companies strive to provide transparency about their organizations, attackers use this data to build more convincing attacks.