How to Better Protect Your Company from CEO Impersonation Fraud in the Age of Voice Deepfakes

An energy company in Texas was scammed out of $3.2M when an executive assistant paid a bogus invoice sent by a cybercriminal impersonating the CEO. The criminal had done his research, and he built trust by mentioning details he had learned through Facebook about the CEO’s commitment to his daughter’s soccer game.

In a scam that involved less money but is no less frightening, a cybercriminal conned an executive in the UK into transferring $243K to a fake supplier by using AI-generated audio to imitate the CEO's voice over the phone. It is one of only a handful of reported cases (three at the time) in which scammers have used deepfake voice audio to trick companies into transferring money.

This is modern day CEO fraud, a form of Business Email Compromise (BEC), and your organization could be vulnerable.

US Businesses Lost $1.2 Billion to Business Email Compromise in 2018

You may think that a scam like this couldn’t happen to your company. After all, your employees are well-trained on the signs of common scams. Your internal networks are closely monitored, and you have a system of checks and balances on larger financial transactions.

And yet, the FBI received more than 20,000 BEC complaints in 2018 from US businesses, reporting losses totaling more than $1.2 billion.

That works out to nearly 77 BEC complaints per working day. And, according to reports, losses from BEC scams are expected to increase, in part because these scams require so little technical knowledge, are difficult to detect (they often arrive from a compromised internal email account, or from a spoofed address that looks like one, and carry no malware for filters to catch), and can mean a hefty payout for cybercriminals.

A cybercriminal could snag, on average, $125K for BEC scams that leverage a fake invoice and $50K for BEC scams that impersonate a CEO. In addition to financial loss, cybercrimes like BEC can harm businesses in other ways, including the theft of financial data, intellectual property or employees’ Personal Identifying Information (PII), time and money spent on post-attack response, and damage to the company’s reputation.

Business Email Compromise 101

According to the US Department of Justice, BEC is a sophisticated scam that typically targets employees who have access to company finances, businesses that work with foreign suppliers, or businesses that regularly perform wire transfer payments. BEC is also known as Email Account Compromise (EAC), CEO fraud, or invoice fraud.

Despite what you may think, BEC scams don't just target large multinational corporations that pay foreign suppliers. In fact, the majority of BEC incidents reported in 2017 (73%) involved domestic transactions, according to the US Treasury.

Some of the more common BEC scam tactics are:

  • An email impersonating the CFO or CEO that requests an immediate wire transfer for a confidential project, often while the executive is traveling or otherwise unavailable
  • A bogus invoice that appears to come from a legitimate supplier but routes the funds to the cybercriminals’ accounts using fraudulent payment details
  • A cybercriminal intercepting legitimate payments and convincing employees to switch the payment details to a fraudulent account

Unfortunately, many experts believe that the problem will only get worse. One cybercriminal ring was discovered with contact information of more than 50,000 financial executives in their database of potential targets.

The Making of a Modern BEC Scam

Modern day BEC isn’t just a random email sent in the hopes that a recipient will click on a malicious link. It is a carefully orchestrated fraud run by international crime groups that rely on hackers, lawyers, and linguists. To understand the whole, it helps to first understand the parts that make up this lucrative scam.

Researching the Target Company - BEC scammers do their homework, and in some cases, they may have gained access to the victim’s network long before the actual BEC attack and may spend weeks or even months studying the company’s structure, billing systems, and vendor relationships. They may also leverage social media to learn about employees’ personal lives and their communication styles.

Hacking or Spoofing Emails - Cybercriminals typically use one of two methods to execute a BEC scam. First, they may break into a company email account and then use that compromised internal account to impersonate an employee or vendor partner and gain the victim's trust; mail sent this way comes from the genuine mailbox and passes every authenticity check. Second, instead of compromising a legitimate account, the attackers may spoof the identity of an employee or vendor. Spoofing forges the message headers, typically the From header, so the message appears to come from a trusted sender; variants include putting an executive's display name on an unrelated mailbox, or registering a lookalike domain that differs from the real one by a character or two.
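The following is an added example (not code from the original article) of the kind of header check a mail gateway or SOC script can run to flag the spoofing variants described above: an executive's display name on a foreign address, a lookalike sender domain, a Reply-To or Return-Path that points somewhere other than the claimed sender, and SPF/DKIM/DMARC failures recorded by the receiving mail server. The company domain example.com, the executive directory, and the three raw messages are all constructed for the example.

```python
"""Flag common BEC spoofing indicators in raw email headers.

Added illustration, not code from the original article. The company
domain, executive directory, and sample messages below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation data: our own domain and the executives most likely
# to be impersonated, keyed by lower-cased display name.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: str) -> list:
    """Return human-readable spoofing indicators found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. Display-name spoofing: an executive's name on an address that is not
    #    the one we have on file for that person.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' used with foreign address {from_addr}")

    # 2. Lookalike sender domain, one or two edits away from our own.
    if from_dom and from_dom != COMPANY_DOMAIN and _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike domain {from_dom} (vs {COMPANY_DOMAIN})")

    # 3. Reply-To on another domain: replies to the "CEO" go to the attacker.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 4. Envelope sender (Return-Path) on another domain: a forged From header
    #    relayed through an unrelated mail server.
    _, ret_addr = parseaddr(str(msg.get("Return-Path", "")))
    if ret_addr and _domain(ret_addr) != from_dom:
        findings.append(f"Return-Path domain {_domain(ret_addr)} differs from From domain {from_dom}")

    # 5. Authentication results stamped by our receiving MTA. A message that
    #    claims our own domain but fails SPF/DKIM/DMARC is forged.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech.upper()} failed for claimed sender {from_addr}")
    return findings


# Constructed sample 1: From header forged to our own domain; the relay fails
# SPF and DMARC, and Reply-To diverts answers to a webmail account.
FORGED_HEADER = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@webmail.test>
Return-Path: <x123@mailer.test>
To: ap@example.com
Subject: Quick favor - confidential
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.test; dkim=none; dmarc=fail (p=reject) header.from=example.com

Hey, are you at your desk? I need a wire sent today, keep it between us.
"""

# Constructed sample 2: attacker-registered lookalike domain. It passes
# SPF/DKIM/DMARC for *its own* domain, so only the name and domain checks fire.
LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
To: ap@example.com
Subject: Are you at your desk?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

Hey, I need a favor.
"""

# Constructed sample 3: genuine internal mail, nothing to flag.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Board deck
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Draft attached, comments welcome.
"""

if __name__ == "__main__":
    for label, raw in (("forged", FORGED_HEADER), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, bec_indicators(raw) or "no indicators")
```

The two spoofed samples illustrate why authentication results alone are not enough: the lookalike-domain message is fully authenticated for the attacker's domain and is caught only by the display-name and domain-similarity checks, while the forged-header message fails authentication but would also be caught by its mismatched Reply-To and Return-Path. A compromised genuine account, the first method above, produces no header indicators at all, which is why the process controls later in this article matter.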

Choosing the Right Moment - One critical component of a successful BEC scam is choosing when to strike: late on a Friday afternoon when employees feel pressure to finish their work, or when the CEO or another executive is traveling and hard to reach for confirmation. The scammers also use what their research on the company and its employees turned up, such as referencing a personal fact or favorite activity to establish legitimacy, or mimicking the tone and language of the executive they are impersonating.

Initiating Contact - BEC scammers may start small by initiating a short, casual exchange with the targeted victim to get a better understanding of whether they are likely to comply. The first communication may be as simple as, "Hey, I need a favor" or "Hey, are you at your desk?" Scammers may ask for the victim's phone number to send payment details via text. In some cases, attackers wait and watch until they see an internal email exchange regarding a large financial transaction and then insert themselves into the conversation using fraudulent banking instructions to misdirect payments.

Stressing Urgency and Confidentiality - It can be hard to believe that an employee would send a large sum without checking with colleagues, or even ignore established policies to do so. But cybercriminals exploit the authority of the person they are impersonating to insist on urgency and secrecy, which discourages exactly that verification. For example, an email from the "CEO" may request an immediate, confidential transfer of funds for what appears to be a legitimate reason, such as an unexpected, and confidential, acquisition.

If the BEC scam is successful, these organized groups of cybercriminals often have established methods of laundering and transferring the money, making it difficult to trace.

It’s also important to remember that BEC scammers aren’t always looking for an immediate payout. They may use the same or similar tactics to obtain employees’ pay stubs, tax statements, or other personally identifiable information (PII) to later commit identity theft or tax fraud. According to the US Department of Justice, investigators discovered that BEC conspirators had stolen 250,000 identities and filed 10,000 fraudulent tax returns in an attempt to receive $91 million in refunds.

How to Better Protect Your Company from BEC Scams

Unfortunately, many of the controls companies deploy against cyberattacks, such as malware scanning and network intrusion monitoring, do little against a BEC scam, which arrives as an ordinary-looking email and relies on persuading an employee rather than on malicious code. However, there are steps you can take to help better prepare your employees, monitor your systems, and safeguard large financial transactions. Some best practices to consider are:

What to Do If You Believe Your Company Is a BEC Victim

There is positive news, even for victims of BEC. The FBI has established a Recovery Asset Team, a subdivision of the FBI's Internet Crime Complaint Center (IC3) dedicated to helping businesses recover funds lost to BEC. In its first year of operation the Recovery Asset Team reported a 75 percent recovery rate on the cases it took on, for a total of $192 million recovered.

Speed matters: if you believe funds have been sent to a fraudulent account, contact your financial institution immediately and ask it to request a recall or reversal from the receiving bank, since the chance of recovery drops sharply once the money is moved on. The US Department of Justice then advises victims of BEC to file a complaint online with the IC3 at bec.ic3.gov. The IC3 staff will review the complaint and refer it to the appropriate law enforcement authorities. The FBI also provides resources relating to BEC through the IC3 at www.ic3.gov.