7 Ways To Block And Mitigate Fake CEO Email Scams

Dane Meah
September 2, 2016


Not a week goes by without another large Australian business having some kind of email fraud event reported in the media. The FBI has received around 18,000 reports of email fraud from businesses since 2013, with losses of $2.3 billion. Incidents tripled in 2015 against the year before.

CEO wire transfer scams occur when emails are received – purportedly from a senior executive – asking employees to transfer funds or critical information outside the business. Australian C-level executives are subject to as many as four or five wire transfer scam attempts every week. “Wire Transfer Scams”, “Business Email Compromise” (BEC) – call them what you want. What can organisations do to protect their funds and assets?

There are many types of email fraud, but one of the most popular is the CEO wire transfer scam. That’s when an attacker sends an email supposedly from your CEO or CFO asking you to do something like transfer company funds to an external account.

In the past month, Infotrust has received contact from six organisations who have been defrauded and seeking support to block and mitigate these attacks moving forward. In one case, the company transferred a little over $1million via 4 bank transfers. As soon as the company realised it was fraud, the bank was contacted and thankfully two of the transfers were reversible.

Unfortunately the organisation still lost over $500,000 to fraudsters.

Interestingly, this organisation was not a large multi-national, had fewer than two hundred IT users and until now had believed they were not a target. Whether your organisation is large or small, Cyber Attackers do not discriminate!

Earlier in the year a high-ranking financial employee of a large toy manufacturer sent $3.9 million to Chinese hackers pretending to be the newly-appointed CEO.

It’s no surprise we had such a strong response to our Email Fraud Breakfasts held Melbourne and Sydney this week. It’s clear that businesses are seeking to mitigate the impact of Email Fraud and it was a pleasure speaking with so many IT leaders seeking to take action to address this issue.

At the breakfasts we explored the ins and outs of securing the entire email ecosystem, exchanging experiences and sharing some of the latest techniques and controls for preventing email fraud.

But even before you engage with the technology, there are some basic people and process measures you can take to reduce your exposure to CEO wire scams.

Security Awareness must be a number one priority for all your people. They must be aware of the prominent threats and be able to identify common traits of fraudulent emails. A regular cyber security bulletin, role specific integrated training, alongside simulated phishing exercise targeted at your email users are good ways to increase security awareness.

Role specific training should include security awareness across email, working safely on the internet, on social sites, data privacy and working remotely, to name a few. Such training can easily be integrated into Learning Management Systems with automatic enrollment and post completion assessments.


You also need strong Security Processes that are adhered to. A robust approvals process will always have string validation, internal documentation and multiple validation methods. String validation means no business-critical financial or information transaction can occur without a minimum of three people involved.

Some recent examples of CEO to CFO email fraud highlight the weakness of a two-string approval process where such approval can be granted via email.

Internal documentation ensures transparency and that everyone involved understands and can comply with the process. Multiple validation methods ensure that a fraudulent transaction cannot be initiated, processed and completed via email alone. There may be a validation step built into the finance system, or something as simple as a confirmation via a non-email internal communication platform.

Procurement processes are also highly vulnerable to email fraud. This is an email fraud hot spot because there are so many points of egress to introduce malware in conjunction with an email fraud attack. The more complex the procurement and the greater the number of moving parts, the greater the threat.

Embedding cyber security into the testing, manufacturing, delivery, installation, and support phases of the product life cycle will dramatically reduce cyber security risk.

So now you’ve established robust policies and processes and locked in behavioral change and compliance – even with the CEO. You still need a strong cyber security architecture and controls.

The hope of impenetrable Gateway Security is not realistic – effective security requires a holistic approach as well as the ability to respond quickly when an incident does occur. There is a plethora of technical controls available, but based on our analysis of the situations in which the abovementioned clients found themselves, we have identified seven key technical controls that should be considered:

  1. Ensure your Security environment is configured per best practice. This sounds simple, but too often do we come across customer environments that have key security functionality turned off.
  2. Make sure you have two-factor authentication for all remotely accessible systems, cloud applications and privilege (admin) access accounts. Remote access systems include Citrix, Remote Desktop gateways, Outlook Web Access or VPN. Commonly we see one or more being ‘forgotten’ – leaving a backdoor for attackers to exploit.
  3. Implement an Inbound Spoofed Sender detection using email authentication protocols Sender Policy Framework (SPF)/DomainKeys Identified Mail (DKIM)/Domain Message Authentication Reporting and Conformance (DMARC). These protocol will block inbound emails that fail authentication on their approved IP senders.
  4. Identify your high value targets, then implement a mail flow rule that blocks display name spoof attempts (we have helped many clients with this rule – contact us for assistance).
  5. Review User Permissions and access rights. Does the CEO really require full admin access? Limiting access for all staff as much as possible goes a long way towards limiting the impact of a cyber attack.
  6. Protect your own domain from spoofing. Implementing SPF and DKIM will prevent unauthorized use of your own domain (including directed at you), however, done poorly can result in non-delivery of good email that you send. We recommend doing this in conjunction with DMARC in “fail open” first to get visibility on who is sending for your domains.
  7. Advanced Threat Detection (ATP) and correlation. Sophisticated attacks can often bypass traditional mail filters, so ATP with physical and virtual execution sandboxing are great ways to protect against these.

Remember, there are many kinds of email fraud attacks with new approaches emerging every day. The price of cyber-security freedom is, as they say, eternal vigilance.

Our team can perform an audit and identify any gaps that could exist in your security architecture.

Good luck and don’t hesitate to reach out for one-on-one consultation with our team for further assistance.