Data tokens on this page

ID Your CEO: Business Email Compromise

ID Your CEO: Business Email Compromise

Keep a close eye on those messages from major company officials. Business email compromise is an emerging trend in cyber scams where a hacker will impersonate CEOs, company presidents, and other high-level executives to obtain information related to real estate transactions, company buyers, sellers, agents, and lawyers. They’ll use this information to wire payments to false accounts from a company's financial department or unsuspecting employees. Employees may feel urgency in replying to an executive and overlook inconsistencies or suspicious mistakes that often appear in these messages. It’s important that businesses take proper steps to protect all employees and secure confidential company information. 

How Sneaky Are Hackers? Pretty Sneaky.

  • Through social engineering, criminals may gain direct access to an executive's email and then include other sensitive stolen information to make the request seem more credible. 
  • After an initial request, hackers will craft follow-up emails indicating the sender is in a meeting or cannot be disturbed, removing opportunities for further questioning or second approvals.
  • Criminals will often send requests attached with an invoice containing malware. Once opened, this creates a backdoor for further attacks on the company's internal network.
  • In an attempt to avoid suspicion, hackers will blend their emails in with other requests, making the request more reasonable to the recipient.
  • With many executives working remotely, hackers will replace corporate signatures with text indicating the message was sent from a mobile device to confuse the recipient.

HOW DO YOU PROTECT YOUR COMPANY INFORMATION?

It’s simple. If something feels suspicious, it probably is. If you’re questioning the validity of an email message, pick up the phone, call the person and ask. Lean on your manager, tech department, or information security team to verify questionable emails. It’s better to take the time to ensure an email is legit, then to jump on a request too quick and find out later you’ve compromised sensitive company information.