CEO fraud is a tried-and-tested criminal technique for one very obvious reason: it works. Also known as Business Email Compromise (BEC), this scam involves spoofing or impersonating a senior member of staff and tricking victims into handing over passwords or transferring money into a shady bank account.
The rise of home working has opened a vast number of opportunities for hackers to strike at lone targets sitting in their home office and a long way away from an IT Support desk. Hackers can afford to be patient because they only need to persuade one person to hand over a password to extend their attack. This means the bad guys are able to play a long game, slowly but surely building up their understanding of a target organisation in order to refine their social engineering campaigns. Over time, they ruthlessly hone BEC emails until it is only a matter of time before someone falls for them.
Identity-as-a-Service (IDaaS) and its core services, most notably multi-factor authentication (MFA), offer organisations a powerful tool in the fight against CEO scammers. To help you understand CEO fraud and how IDaaS and MFA can tackle it, we’ve picked out some of the trends of 2021 and made some predictions about 2022.
CEO Fraud Is Not Going Away
Business Email Compromise (BEC) exploits were the second most common form of Social Engineering attack in 2021, Verizon reported in its annual Data Breach Report. The number of attacks using misrepresentation was 15 times higher in 2021 than during the previous year, with 58% of BEC attacks resulting in money being stolen. These attacks resulted in a median loss of $30,000, with 95% of BECs costing between $250 and $984,855.
“We’ve definitely seen a jump in Social Engineering breaches as a pattern from last year with an overall upward trend since 2017,” Verizon wrote. “For the past couple of years, it appears to be correlated to an uptick in the compromise of cloud-based mail servers. What we cannot say is why email is so enticing to threat actors.
“Maybe it’s for the email addresses themselves. Maybe it’s for the internal information they contain. Maybe it’s for the creds, personal, and other monetizable information. Or it could simply be that they want to repurpose the server to send more malicious emails out.”
A separate survey found that 71% of companies suffered BEC attacks in the past year, showing just how prevalent this form of exploit has become in the age of remote working and cloud-based email.
CEO Fraud Is Not Just For Bosses
The classic BEC scam involves a criminal writing to an employee and claiming to be a senior member of staff in the hope of persuading their victim to hand over credentials or transfer money into their account.
But research in 2021 showed that bad guys have become more egalitarian in their exploits, spoofing lower-ranking members of staff by copying personal information they post on social media.
“From our observations, BEC attacks don’t only target high-profile users but also any employee that can be found on social media networks with significant personal information published (such as LinkedIn),” Trend Micro’s threat researchers warned. “These pieces of information can be used to spoof employees and partners, and cause significant financial damage to businesses.
“Compared to campaigns from previous years in which BEC actors mostly impersonated executives or ranking management personnel, we observed a specific BEC campaign type spoofing general employees’ display names. We noticed a sudden upshot of dangerous emails impersonating and targeting ordinary employees for money transfers, bank payroll account changes, or various company-related information.”
MFA in the USA
In May 2021, President Biden ordered all agencies to adopt multi-factor authentication within 180 days and called upon the Federal Government to “adopt security best practices” and “advance toward Zero Trust Architecture”.
Zero Trust is the philosophy that famously urges organisations to forget about the old mantra of “connect, then authenticate” and instead make sure authentication happens long before users get anywhere near the network.
The President’s Executive Order is important because it is a tacit confirmation that MFA is no longer optional, but a must-have part of organisations’ security posture.
The Rise of Passwordless Security
The password is no longer enough to protect organisations in an era when identity is the new perimeter and the old perimeter is long gone.
Forrester surveyed security decision-makers in 2021 and found that 52% said their company has already implemented 2FA or passwordless authentication for employees, whilst 31% were in the process of implementing one of these technologies or had plans to roll them out.
However, getting rid of passwords is only one step along the journey.
Forrester warned: “Passwordless still must support an overall MFA strategy with a means for risk-based, step-up authentication. You must also take into account the need to secure access to apps built to support only passwords.”
The analyst house also found that identity and access management (IAM) budgets “caught fire” due to remote work and evolving threats created by cloud migration.
“Those that had been slow to move to the cloud needed, at a minimum, to get two-factor authentication (2FA) in place, simultaneously fast-tracking plans for identity as a service (IDaaS) and multifactor authentication,” it wrote.
In 2020, two-thirds of security decision-makers told Forrester their IAM budget would increase in 2021.
Predictions
CEO Fraud Will Become More Sophisticated
Unfortunately, we haven’t seen the back of BEC. In the coming years, it will become ever more sophisticated, with attackers leveraging more open-source intelligence to make their scams more convincing and effective.
We’ve already seen criminals change and adapt the emails they use to carry out CEO fraud, shifting malicious links from the body of the email into attachments or placing files in cloud storage so they are not auto-previewed. These tricks make it harder for email filters to block them.
To tackle the threat of CEO Fraud in 2021, organisations should use multi-layered email security in conjunction with web and cloud security to protect against multi-channel attacks which start in the inbox but end in cloud apps or malicious websites.
Context Will Be King
We know that identity is the new perimeter. But context is also part of this new reality.
The password will continue to die in 2022, opening up space for MFA. Yet alongside the demise of memorable phrases will come the rise of context. When a user or entity attempts to log onto the network, their behaviour should be compared against what is considered “normal”.
Data points to look at could include location, time of logon, device health or geo-location, including the time taken to travel between two points. If a user is behaving strangely or unexpectedly, they should be challenged and locked out if necessary.
Systems that can identify unusual or anomalous behaviour will become increasingly important as the security industry moves its focus towards context.
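To make the contextual checks above concrete, here is an added Python example (not Censornet’s code and not from the original post) that scores a logon against the user’s previous one using constructed sample events; the field names, thresholds and the allow/step-up/deny policy are assumptions.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def assess_logon(prev, cur, usual_hours=(7, 20), max_kmh=900.0):
    """Compare a logon with the user's previous one; return (decision, reasons).
    Assumed policy: travel faster than an airliner is denied outright, any
    other anomaly triggers step-up MFA, and no anomalies means allow."""
    reasons = []
    hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
    km = haversine_km(prev["geo"], cur["geo"])
    # Geo-velocity: distance covered divided by time elapsed between logons.
    if km > 0 and km / max(hours, 1e-6) > max_kmh:
        reasons.append("impossible_travel")
    if cur["country"] != prev["country"]:
        reasons.append("new_country")
    start, end = usual_hours  # assumed working window, in UTC hours
    if not start <= cur["ts"].hour < end:
        reasons.append("off_hours")
    if not cur["device_compliant"]:  # device health reported by an MDM/EDR agent
        reasons.append("unhealthy_device")
    if "impossible_travel" in reasons:
        return "deny", reasons
    return ("step_up" if reasons else "allow"), reasons

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample logon events for one user; none of this is real data.
EVENTS = [
    {"ts": utc(2022, 1, 10, 9, 0), "geo": (51.5074, -0.1278), "country": "GB", "device_compliant": True},    # London
    {"ts": utc(2022, 1, 10, 10, 0), "geo": (1.3521, 103.8198), "country": "SG", "device_compliant": True},   # Singapore, 1h later
    {"ts": utc(2022, 1, 10, 23, 30), "geo": (53.4808, -2.2426), "country": "GB", "device_compliant": False}, # Manchester, late, bad device
    {"ts": utc(2022, 1, 11, 9, 30), "geo": (51.5074, -0.1278), "country": "GB", "device_compliant": True},   # London next morning
]

if __name__ == "__main__":
    for cur in EVENTS[1:]:
        print(cur["ts"].isoformat(), assess_logon(EVENTS[0], cur))
```

The Singapore logon is denied because London to Singapore in one hour is physically impossible, the late-night Manchester logon from a non-compliant device is sent to step-up MFA, and the next-morning London logon passes without friction.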
Zero Trust Will Continue to Dominate
You can’t trust anyone these days – and everyone knows it. In the coming year, we’ll see Zero Trust cement its place at the heart of the security sector.
The days of gaining remote access by logging into a network through a VPN are long gone, as is the concept of performing authentication and other security routines inside a data centre.
Remote working is here to stay, which means Zero Trust will become an orthodoxy that we all should abide by.
Don’t trust that email – how Censornet can help you combat CEO Fraud