Fake CEO emails dupe companies out of billions
- Employees are still falling for fake emails that are supposedly from their CEOs, reports MLive Media Group. This relatively new form of phishing makes emails appear to come from C-suite members and asks employees to wire money to designated recipients.
- The designated recipients are usually the kind of party employees deal with routinely, often foreign suppliers in China, so a request to pay one raises no suspicion. If the wire goes through, the attackers are paid, and the money is seldom recovered.
- CEO fraud attacks cost organizations $5.3 billion in the past three years, according to Cisco's Midyear Cybersecurity Report (MCR) and the Trivalent Group, a Michigan-based tech firm. The damage not only keeps employees from doing their normal tasks; it can also require organizations to rebuild their internet security systems and replace computers and digital accounts.
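As an added illustration (not part of the MLive report or Cisco's MCR), the following Python script shows the kind of mailbox-side check that catches the traits described above: an executive's display name on an outside address, a sender domain that imitates the company's, a Reply-To that diverts answers elsewhere, and a request to wire funds. The corporate domain, executive roster, scoring weights and the two sample messages are constructed for the demo.

```python
"""Heuristic triage for CEO-fraud (BEC) emails: added example, not code from
the article or from Cisco. All domains, names and messages are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed corporate domain and executive roster (constructed for the demo).
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases typical of a wire-fraud request (illustrative, not exhaustive).
WIRE_PATTERN = re.compile(
    r"\b(wire|wire transfer|bank transfer|urgent payment|new account details)\b",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character-off domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, target: str) -> bool:
    """True if `domain` imitates `target`: identical after undoing common
    homoglyph tricks (rn->m, vv->w, 1->l, 0->o) or within one edit of it."""
    if domain == target:
        return False
    normalised = (domain.replace("rn", "m").replace("vv", "w")
                  .replace("1", "l").replace("0", "o"))
    return normalised == target or edit_distance(normalised, target) <= 1


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> tuple[int, list[str]]:
    """Score a raw RFC 5322 message; higher means more BEC-like."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    score, reasons = 0, []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Display name of a known executive on a different address.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        score += 3
        reasons.append(f"display name '{from_name}' but address {from_addr}")

    # 2. Sender domain imitates the corporate domain.
    if lookalike(from_domain, CORP_DOMAIN):
        score += 3
        reasons.append(f"lookalike sender domain {from_domain}")

    # 3. Replies diverted to a mailbox outside the sender's domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        score += 2
        reasons.append(f"Reply-To diverts to {reply_addr}")

    # 4. The body asks for a funds transfer.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if WIRE_PATTERN.search(text):
        score += 2
        reasons.append("requests a funds transfer")

    return score, reasons


# Constructed sample messages for the demo.
BEC_SAMPLE = b"""From: Jane Doe <jane.doe@exarnple.com>
To: accounts@example.com
Reply-To: ceo.janedoe@webmail.example.net
Subject: Urgent - supplier payment
Content-Type: text/plain; charset=utf-8

Please wire USD 48,200 to our new supplier account today. I'm in meetings,
so just confirm once it is done.
"""

LEGIT_SAMPLE = b"""From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review
Content-Type: text/plain; charset=utf-8

Can you send me the Q3 spend summary before Thursday's board meeting?
"""

if __name__ == "__main__":
    for label, raw in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, reasons = triage(raw)
        print(f"{label}: score={score} reasons={reasons}")
```

The spoofed message scores on all four checks while the genuine one scores zero. In practice the display-name and Reply-To checks do most of the work, because a BEC message rarely carries malware and so passes attachment scanning; the lookalike-domain check is the cheap complement to enforcing SPF, DKIM and DMARC on the corporate domain itself.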
The report highlights how quickly today's cyber attacks are evolving and how destructive they have become. In the first six months of the year, attackers changed how they delivered and hid their malware, making it harder to detect.
Cisco recommends that employers educate workers about phishing and malware so they're less likely to fall for CEO fraud, keep the software in their systems patched, and collect and analyze data to track the attacks' sources. HR should direct the training and follow a checklist of procedures when creating a cybersecurity policy.
HR departments are also targets because of the amount of personal employee data they maintain. HR must be especially protective of W-2 forms and tax information, a lucrative target for hackers, and must also warn employees to keep their passwords safe.
The report underscores the importance of reducing the time between an attack and its detection to prevent more extensive damage. Employers’ cybersecurity systems must be able to detect and respond quickly to an attack.
An unexpected highlight of the 90-page MCR was how much more lucrative CEO fraud, which the FBI calls business email compromise (BEC), has been than ransomware such as the WannaCry attack earlier this year. Ransomware, while still costly for employers, amounted to only about $1 billion over the same three-year period.
Finally, cybersecurity insurance coverage is limited. If employers leave known vulnerabilities in their systems unpatched and employees fall for phishing schemes, most insurers won't cover the losses.