The fake CEO cyber attack is one of the most frequent cybersecurity issues of the lask months, but how can you reduce the risk?
What is the fake CEO cyber attack?
In a fake CEO cyber attack fraudsters usually get into the email account of a high ranked employee of the company through which they send a communication to an officer that is usually located quite far from the headquarter, convincing him to wire transfer a large amount of money for a very urgent and confidential transaction.
The attack can entail a data breach when fraudsters get into the email account of the victim, but can be performed also by means of a spoofed email that appears from the CEO of the company, as happened in the case of Tecnimont where the head of local Indian subsidiary was convinced by means of a spoofed email from Italian global CEO to urgently transfer $ 18.6 million to a bank account in Hong Kong.
The key element of the attack is the psychological component which is based on the urgency and confidentiality of the matter. But such attacks are very well structured and usually fraudsters have a deep knowledge of the victim, of its organization, of the movements of the real CEO (who is usually unreachable at the time when the wire transfer has to be performed) and even have conference calls with the victim to convince him/her.
How can you be ready to handle a fake CEO cybersecurity breach?
It is necessary to mention that hackers are usually ahead of their victims and are becoming very well organized. But during the seminar, Ms. Vintiadis referred to the “onion principle” of security. This principle is based on the rationale that it is necessary to create several layers of protection to limit a cybersecurity risk in order to create more barriers that hackers need to overcome.
Such barriers are not just technical. Cybersecurity is not only a technical issue, but is also an organizational issue. And indeed in the fake CEO cyber attack scenario sometimes there is a joint liability of banks that authorize wire transfers without the approval of the all the signatories or the internal organization of the company is not well structured and large wire transfers can be approved by a single individual.
There are scenarios where there are either no cybersecurity procedures or there are such procedures, but the victim is empowered to by-pass them. On the contrary, in order to limit cybersecurity risks, it is necessary to
- review the internal governance and create organizational roles so that the activity of any individual (including the CEO) needs to be monitored to and reported to at least another individual or requires the approval of such other individual. A considerable support to such activity can be given by the internal privacy compliance structure to be created to ensure GDPR compliance (You can read my article on the topic here);
- implement procedures with monitoring and reporting roles that are actually observed by the company and cannot by-passed or tolerated;
- adopt security measures to minimize risks e.g. in order to minimize the risk of access to email accounts, it could be created an random password to be generated by means of a token;
- perform a training on such procedures to create awareness and to test the understanding of employees of the procedure, also by means of mockups; and
- have a plan to react to the fake CEO cyber attack for instance being able to reach out the managers of the banks involved.
These are only some of the measures that can be adopted to minimize cyber risk. But unfortunately at the moment the risk is not assessed by the top management, but by the IT team of the company, while – given the size of the potential risk – the board shall be involved in the decisions on the topic and take ownership of the matter.
What is your view on the topic? Do you have other recommendations on how to react to a fake CEO cyber attack. You can find interesting on the topic “Top 3 lessons learnt on how to be ready for handle a data breach“.