An as-yet-unidentified company has fallen victim to nearly $100 million in CEO email fraud. The attackers first researched the employees who hold the purse strings on deals with suppliers or who regularly perform wire transfers. The heist started with a successful phishing attack: those employees were socially engineered by spoofed emails that claimed to come from one of the company's legitimate vendors. According to officials, nearly $74 million has been recovered and returned to the American company. The remaining $25 million was laundered through other accounts in locations including Cyprus, Latvia, Hungary, Estonia, Lithuania, Slovakia, and Hong Kong.
Since January 2016 there has been a massive rise in CEO fraud. The FBI calls it Business Email Compromise (BEC); like spear phishing, it relies on social engineering and spoofed CEO emails to manipulate senior executives, HR and Accounting staff into damaging actions such as unauthorized wire transfers. In an alert issued to companies last week, the FBI said that businesses worldwide had suffered $2.3 billion in losses from CEO email fraud between October 2013 and February of this year, and it instructed people to verify transactions by "picking up the phone": confirming any payment request out of band, through a phone number already on file, rather than by replying to the email that made the request.
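The two spoofing patterns described above (a CEO's name on an external address, and a vendor domain that is almost but not quite right) are cheap to flag at the mail gateway before a person ever has to "pick up the phone". The following is an added example, not code from the original post or from ACE IT Solutions, of such a check run over constructed message headers. The company domain, executive directory, vendor domain and sample messages are all hypothetical.

```python
"""Added example (not from the original post): a minimal BEC / CEO-fraud
header check of the kind a mail gateway or SIEM rule would apply.

It flags an inbound message when the From display name matches a senior
executive in a (constructed) directory but the sending address is not the
executive's real one, when Reply-To silently redirects replies elsewhere, or
when the sender's domain is a close lookalike of the company's own domain or
of a known vendor's domain. All names, domains and headers are constructed.
"""
from __future__ import annotations

import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: the identities an attacker would want to spoof
COMPANY_DOMAIN = "example-corp.com"                       # hypothetical
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # hypothetical CEO
VENDOR_DOMAINS = {"acme-supplies.com"}                    # hypothetical vendor


def _normalize(name: str) -> str:
    """Lower-case and collapse whitespace so 'Doe, Jane' style variants match."""
    return " ".join(name.lower().replace(",", " ").split())


def is_lookalike(domain: str, legit: str, cutoff: float = 0.85) -> bool:
    """True if `domain` closely resembles `legit` but is not identical,
    e.g. acme-supp1ies.com vs acme-supplies.com."""
    if domain == legit:
        return False
    return difflib.SequenceMatcher(None, domain, legit).ratio() >= cutoff


def check_message(raw: str) -> list[str]:
    """Return the reasons a message looks like BEC; an empty list means clean."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons: list[str] = []

    # 1. An executive's display name on an address that is not theirs
    exec_addr = EXECUTIVES.get(_normalize(display))
    if exec_addr and addr != exec_addr:
        reasons.append(f"display name impersonates executive ({display} <{addr}>)")

    # 2. Reply-To redirects the conversation away from the visible sender
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To ({reply_to}) differs from From ({addr})")

    # 3. Sender domain is a lookalike of the company or of a known vendor
    for legit in {COMPANY_DOMAIN, *VENDOR_DOMAINS}:
        if is_lookalike(domain, legit):
            reasons.append(f"sender domain {domain} resembles {legit}")

    # 4. Payment language only matters once something else is suspicious
    subject = msg.get("Subject", "").lower()
    if reasons and any(k in subject for k in ("wire", "urgent", "payment", "invoice")):
        reasons.append("subject requests payment or wire transfer")
    return reasons


# Constructed sample: spoofed CEO display name from an external address
SAMPLE_SPOOFED_CEO = """From: Jane Doe <jane.doe.ceo@gmail-example.com>
Reply-To: jane.doe.ceo@gmail-example.com
To: accounting@example-corp.com
Subject: Urgent wire transfer needed today

Please wire $48,000 to the attached vendor account before noon.
"""

# Constructed sample: lookalike vendor domain announcing new bank details
SAMPLE_LOOKALIKE_VENDOR = """From: Accounts <ar@acme-supp1ies.com>
To: accounting@example-corp.com
Subject: Updated invoice payment details

Our bank account has changed; please use the new details for invoice 1234.
"""

# Constructed sample: legitimate internal mail from the real CEO address
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: accounting@example-corp.com
Subject: Q3 budget review

Let's meet Thursday.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed CEO", SAMPLE_SPOOFED_CEO),
                       ("lookalike vendor", SAMPLE_LOOKALIKE_VENDOR),
                       ("legit", SAMPLE_LEGIT)]:
        print(f"{label}: {check_message(raw) or 'clean'}")
```

The check is deliberately a filter, not a verdict: a hit should route the message to a human who confirms the request by phone with a number already on file, which is exactly the FBI's advice. The similarity threshold is a tuning knob; in production you would also consult SPF/DKIM/DMARC results and the organisation's actual directory rather than the constructed tables above.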
CEOs tend to be a weak link in the cybersecurity chain. Kevin Townsend at SecurityWeek suggested two major reasons for this: “firstly, very few companies deliver security awareness training (such as simulated phishing attacks) against their own C-suite; and secondly, many senior executives still don’t believe that security is their personal concern.”
Incidents like this show that you cannot afford to skip phishing training and simulated phishing tests for your employees and your C-level executives: all users must be trained. Sending frequent simulated phishing attacks to your users is a great way to keep them on their toes and keep security top of mind. Find out how affordable our phishing program is and be pleasantly surprised. Contact ACE IT Solutions at 646.558.6358 for pricing and details.