Overview
In recent incidents, company employees have been targeted on WhatsApp by an unknown contact posing as, e.g., the CEO. We have ourselves faced this issue; however, thanks to our robust security measures, none of the employees contacted fell victim to this fraudulent attempt. Immediate reporting to the team and blocking of the unknown number showcased our collective vigilance.
Nevertheless, recognizing the evolving nature of cyber threats, our security team has crafted essential guidelines for all employees. These guidelines are not only crucial at a professional level but also serve to safeguard you personally, preventing potential threats and frauds. Your commitment to following these guidelines reinforces our collective security posture.
CEO fraud, also known as Business Email Compromise (BEC) or CEO impersonation, is a type of online scam where cybercriminals target organizations by posing as high-ranking executives, often the CEO, to trick employees into transferring funds, sharing sensitive information, or performing other fraudulent actions. This sophisticated form of phishing exploits the trust and authority associated with top-level executives. Here’s an overview of CEO fraud:
How CEO Fraud Works:
Gathering of company info via social engineering:
- The scammer leverages information gathered from public sources, social media, or previous data breaches to personalize the message.
- They may use specific details about the company, executives, or ongoing projects to make the email more convincing.
Impersonation:
- The attacker makes calls and sends emails or WhatsApp messages to employees, suppliers, or other stakeholders, impersonating the CEO or another executive.
- The message often has a sense of urgency, demanding immediate action or secrecy.
Email Spoofing:
- Cybercriminals use various techniques to spoof or mimic the email address of a CEO or other top executive. They may register a domain name similar to the company’s, making it appear authentic at a quick glance. For example, the company.com domain may be imitated by company.co.
Request for Funds or Sensitive Information:
- The fraudulent email typically requests the recipient to transfer funds, make a payment, or share sensitive information, such as employee payroll details.
Manipulation of Employees:
- The scam relies on manipulating employees who may not question the legitimacy of the email due to the apparent authority of the sender.
Urgency and Secrecy:
- CEO fraud emails often create a sense of urgency, emphasizing the need for immediate action.
- Requests are framed as confidential, discouraging employees from verifying the information with others.
Other types of common scams/frauds
Phishing Scams:
- Users receive messages containing links that lead to fake websites designed to steal personal information, such as login credentials or financial details.
Fake Prize or Gift Scams:
- Messages claiming that the recipient has won a prize, gift, or lottery and asking them to provide personal information or pay fees to claim the supposed reward.
Job Offer Scams:
- Unsolicited messages offering lucrative job opportunities, often requiring upfront payment for training or materials.
Tech Support Scams:
- Users receive messages or calls claiming to be from tech support, warning of a security issue and requesting remote access to the device or payment for supposed services.
Investment Scams:
- Messages promoting fake investment opportunities with promises of high returns, aiming to trick users into sending money or personal information.
Loan Scams:
- Messages offering easy loans with minimal documentation but requiring upfront fees or personal details as part of the application process.
Romance Scams:
- Scammers create fake profiles, establish online relationships, and later request money for various reasons, exploiting the victim’s emotions.
Impersonation Scams:
- Scammers pose as friends, family members, or colleagues, claiming to be in urgent need of financial assistance.
Fake Apps and Updates:
- Users are tricked into downloading fake apps or updating existing ones, leading to the installation of malware or the theft of sensitive information.
Identity Theft Scams:
- Messages requesting verification codes or personal information under the guise of security measures, leading to identity theft.
Travel Scams:
- Scammers offer discounted travel packages or accommodations, convincing users to make upfront payments for services that don’t exist.
Fake Surveys and Contests:
- Messages inviting users to participate in surveys or contests, often requiring personal information or payment to claim a prize.
Loan Application Scams:
- Messages claiming to offer quick loan approvals, requiring users to share personal and financial details as part of the application process.
Fake Charity Scams:
- Users receive messages soliciting donations for fake charities, taking advantage of their generosity for personal gain.
Credit card scam:
- You may receive calls from people claiming to be from a bank and offering you a free credit card. First check whether you actually have an account with that bank. Secondly, genuine marketing calls do not come from ordinary mobile numbers; if you receive one from such a number, it is most likely spam.
UPI Scam:
- A person sends you money and then calls, saying they sent it to you by mistake. They then claim they will initiate a refund and may ask you to accept incoming UPI collect requests or share an OTP.
Government Grant Scams:
- Scammers impersonate government officials, claiming that the user is eligible for a grant but needs to pay a fee to process the application.
Preventive Measures Against CEO Fraud:
Thoughtful Decision-Making:
- Never rush decisions involving money transfers or sharing sensitive information. Take the time to reevaluate and ensure the legitimacy of the request.
Email Address Verification:
- Always verify the full email address, not just the display name, before responding. Scammers may use addresses on lookalike domains that mimic the company domain, so check the domain character by character for authenticity.
Browser Security:
- Avoid clicking on links from unknown sources. Use app locks on browsers so that accidentally tapped links wait for your authorization before loading.
Confidentiality of Mobile Numbers:
- Do not share mobile numbers of colleagues or top management to prevent unauthorized communication.
Client/Supplier and Other Work-Related Contacts:
- If an unknown contact claims to be a client, supplier, or other work-related party and seeks system access or information about the company, politely ask them to write to the official contact-us email address. Do not share restricted information until they have been verified.
Emergency Support Communication:
- For projects requiring emergency support, create a group with the verified contact information. Advise clients/staff/suppliers to communicate only within the group for genuine emergency support requests.
Caution with Unknown WhatsApp Calls:
- Exercise caution when answering WhatsApp calls from unknown numbers. Verify the country code, call type (video or audio), and disconnect if suspicious. Report and block any unfamiliar numbers.
Emergency Situations Handling Protocol:
- In emergency situations, clients should initiate communication via email, followed by contact with Jonny if there is no team response. Jonny can then relay information to the team through WhatsApp.
Key Contact Numbers:
- Save key contact numbers of colleagues and clients on your mobile. In case of communication from an unknown number claiming to be a team member, immediately verify in the company group before sharing any information.
Financial Caution:
- Never hastily send money to unknown numbers, especially those claiming to be relatives of friends, office colleagues, or superiors.
Multi-Factor Authentication (MFA):
- Implement MFA for all significant professional and personal accounts to add an extra layer of security.
Secure Communication Channels:
- Encourage the use of secure communication channels for discussions involving sensitive matters.
Identity Verification Importance:
- Emphasize the significance of verifying identity in any communication related to financial transactions.