At Living Security, we spend our days developing better and more effective methods of training and preparing for cyber attacks. Our team of experts has spent years establishing, managing, and analyzing cybersecurity awareness training programs at a wide variety of public and private organizations. Today, we had to put all that preparation and training into practice as we were targeted by a large-scale phishing campaign.
This morning, perhaps hoping team members were distracted as they got ready for the July 4 holiday, spammers sent an email to roughly 15 of Living Security’s employees claiming to come from our CEO and Co-Founder, Ashley Rose, in a classic case of CEO Fraud.
What is CEO Fraud?
CEO Fraud is a very common type of Business Email Compromise where a scam artist sends an organization’s employees emails appearing to come from the CEO or other high-level executives. These emails are often casual in nature and tone in an attempt to seem familiar and legitimate—they are meant to get the employee to divulge certain information (either personal or corporate). That information is then used in identity theft attempts, fake wire transfer requests, and other illicit methods of stealing money.
Business Email Compromise has become a bigger and bigger problem with the ever-increasing reliance on the internet and email communication. The FBI calculates that companies lost over $26 billion to Business Email Compromise between 2016 and 2019.
How Can You Help Users Spot—and Stop—CEO Fraud?
First, make sure your team is aware of the latest cybersecurity threats and tactics. Letting users know doesn't have to be scary or stressful; it can be as simple as a Slack or Teams message that says:
Hi team! Over the last few days, our users and some other companies have been reporting an uptick in fraudulent emails that look as if they’re coming from CEOs. In these cases, the emails have had subject lines such as “EMERGENCY” and “URGENT.”
The email may appear as if it comes from [CEO Name], but if you look closely, the email address won’t match ours. Stay on the lookout for emails like this - please don’t reply to them or forward them to anyone else. If you get a suspicious email, you can always reach out to me or your manager - or the person who might be getting impersonated.
React with the 👀 if you’re keeping your eyes open!
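The tell in the message above (the executive's name on an address that isn't ours) is easy to turn into a mail-filter or triage check. Here is an added example, not code from the Living Security post, that flags the display-name mismatch together with the "URGENT"/"EMERGENCY" subject cue and an outside Reply-To; the organization domain, executive list and sample messages are constructed for illustration.

```python
# Added example (not from the Living Security post): a small detector for the
# display-name impersonation described above. It flags mail whose From display
# name matches a known executive while the address is not on the organization's
# own domain, and records the "URGENT"/"EMERGENCY" subject cue the post quotes.
# ORG_DOMAIN, EXECUTIVES and the sample messages are constructed, not real.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                  # assumed organization domain
EXECUTIVES = {"ashley rose"}                # display names worth protecting
URGENCY_WORDS = ("urgent", "emergency")     # subject lines quoted in the post


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw: str, org_domain: str = ORG_DOMAIN,
                  executives: set = EXECUTIVES) -> dict:
    """Return findings for one RFC 5322 message given as a string."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))   # often points outside
    subject = msg.get("Subject", "")
    name_matches_exec = display_name.strip().lower() in executives
    findings = {
        "from": address,
        "exec_display_name": name_matches_exec,
        "external_sender": _domain(address) != org_domain.lower(),
        "external_reply_to": bool(reply_to) and _domain(reply_to) != org_domain.lower(),
        "urgent_subject": any(w in subject.lower() for w in URGENCY_WORDS),
    }
    # Core rule from the post: an executive's name on an address that is not ours.
    findings["suspected_ceo_fraud"] = name_matches_exec and findings["external_sender"]
    return findings


# Constructed sample messages (placeholder domains) for a quick run.
FRAUD_SAMPLE = (
    "From: Ashley Rose <ashley.rose.ceo@freemail.example>\r\n"
    "Reply-To: Ashley Rose <ceo.desk@freemail.example>\r\n"
    "Subject: URGENT\r\n\r\nAre you at your desk? I need a quick favor.\r\n"
)
LEGIT_SAMPLE = (
    "From: Ashley Rose <ashley@example.com>\r\n"
    "Subject: Holiday schedule\r\n\r\nHave a good long weekend, everyone.\r\n"
)

if __name__ == "__main__":
    for raw in (FRAUD_SAMPLE, LEGIT_SAMPLE):
        print(check_message(raw))
```

A hit on `suspected_ceo_fraud` is a reason to route the message to the security team or the person being impersonated, not proof by itself; a legitimate executive mailing from a personal account will also match, which is exactly why the post tells users to ask rather than reply.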
Beyond these on-the-fly messages, ongoing training and assessments are crucial to helping your users stay knowledgeable and feel empowered to spot and report threats. Security awareness training is a critical part of a comprehensive cybersecurity human risk management program. Ongoing training can be gamified and actually fun instead of making users feel like they’re being watched or targeted.
We’re lucky. Our team is well-versed in CEO Fraud and phishing, and knew not to respond to these emails and to report them right away. They kept their eyes open, even on the eve of a big holiday weekend.
This is the very situation that we prepare our customers and their users for every day. Living Security Phish and Training are designed to turn your end users into your best asset for cyber defense. We might have just become our own greatest case study. If you’d like to learn more, contact us.