Preventing CEO Impersonation Phishing Scams

Phishing scams are hardly a new concept. In fact, the first phishing attacks date back nearly 30 years to the mid-1990s. But despite the tactic’s age, it remains incredibly popular among cybercriminals for one important reason: It works. Human beings are just as fallible today as they were in the ’90s, and attackers have had three decades to refine their methods and perfect their approach. Unfortunately, even those who consider themselves relatively internet-savvy still fall for phishing scams. One of the most popular phishing tactics is CEO impersonation, where an attacker pretends to be the CEO (or another senior leader) of an organization to obtain network access, data, personal information, money or other resources. It’s a notoriously successful approach, and one that every organization should be aware of—and prepared to counteract. Addressing the issue of CEO impersonation scams requires more than just learning to recognize the signs. It demands a multi-pronged approach that combines education with a robust verification process and, in some cases, a shift in company culture.

Why Do People Fall for CEO Impersonation Scams?

Whether it’s a phishing attempt via email or a SMShing attempt via text, the message asks the recipient to accomplish a specific task that’s deemed important or time-sensitive. The task might depend on the person being targeted—today’s attackers tend to do their homework. If targeting an accountant or other finance team member, it might ask them to approve a purchase order or provide a company credit card number. If the target is an HR team member, it might ask for personal information on new hires under the guise of welcoming them to the company. Gift card scams remain common as well, and asking an employee to pick up a few hundred dollars worth of gift cards “for a team happy hour” might not even sound suspicious. And you might be surprised how often simply including the words “this is urgent” can compel people to act, even against their better judgment.

While anyone at any level of an organization can fall for a phishing scam, CEO impersonation scams are often most effective when targeting low-level employees, or even new hires. This is particularly concerning amid the unusually high job turnover of the ‘Great Reshuffle,’ with 44% of workers classifying themselves as ‘job seekers.’ Professional social media networks like LinkedIn have made it easy to see when individuals change jobs, making them potential targets.

This makes sense—new hires might not know the CEO well enough to identify an abnormal request and might not feel empowered to ask for clarification before carrying it out. New employees who just want to show that they’re team players are susceptible to these scams simply because they don’t want to make waves in their first month on the job. Worse still, a new employee who falls victim to a CEO impersonation scam has added incentive to cover it up. No one wants to appear gullible or foolish to a new employer, which means some may choose to simply eat the cost of their mistake rather than admit that they were conned. Unfortunately, this can have repercussions.

Recognizing—and Stopping—CEO Impersonation

The pandemic made it more difficult to stop phishing scams—after all, remote work means an employee can’t just walk down the hall to ask the sender of an email whether it’s legitimate. And because texting has become commonplace, even scams targeting employees via phone don’t always raise suspicions. So, what can organizations do to help employees recognize the signs of CEO impersonation scams and avoid falling victim to them?

Education is important, and that means taking the time to teach employees how to identify the most common signs of phishing. But education alone can’t solve the problem—eventually, someone will inevitably click the wrong link. When that happens, it’s critical to have a game plan. Maybe you work for an organization where the CEO has a habit of reaching out directly to employees. A friendly and transparent CEO is a good thing, but there needs to be a protocol in place to authenticate any communications that ask the recipient to take specific actions. Before pulling the trigger, the employee needs to know whether the CEO was the actual sender.

One of the most effective ways to do this is to set up a system that employees can use to validate suspicious emails or text messages. This has multiple benefits: First, it allows the IT team to let the employee know whether the message is legitimate and advise them accordingly. But of equal importance is the fact that it can help IT and security team members identify trends. If multiple employees report receiving similar fraudulent messages, the security team can issue an alert to the whole company, and provide them with specific information regarding what to look out for. As it stands, recent research shows that just 12% of the employees who had their credentials stolen via a phishing attack had forwarded the email to analysts for further review. While today’s technology is getting better at identifying phishing attacks before they reach employees, relaying suspicious messages to IT or security personnel can still provide helpful data.

Encouraging employees to adopt a “see something, say something” approach can also help foster a culture of support rather than blame. Employees often avoid admitting when they’ve fallen victim to a scam because they don’t want to be blamed for the consequences. But the faster an employee admits the mistake, the faster security teams can contain the damage. Encouraging employees to own up to their mistakes and assuring them that they’ll be thanked rather than punished is one of the most important—and effective—ways to limit the potential damage of CEO impersonation attacks and other phishing schemes.

Always Plan for the Worst

Phishing attacks have been around for decades for one simple reason: Human beings make mistakes. It’s something that isn’t likely to change anytime soon. CEO impersonation attacks exploit that fallibility by adding a dash of authority, a sprinkle of urgency, and a heaping helping of deception. But today’s organizations don’t need to accept the inevitability of these attacks. By building a culture of support and providing employees with the education and resources they need to recognize potential scams and verify the authenticity of communications, organizations can avoid falling prey to one of today’s most common—and costly—scams.

Avatar photo

Greg Notch

Greg Notch is the Chief Information Security Officer (CISO) at Expel. As CISO (pronunciations may vary), he is responsible for ensuring the security of our systems, as well as keeping customers educated on the threat landscape and latest techniques for mitigating risk in their environments. He's been doing the security and tech thing for over 20 years - helping companies large and small through all three dot-com booms to build high-performing engineering teams, and improve their technology, process, and security. Before Expel, Greg spent 15 years as the CISO and Senior Vice President of Technology at the National Hockey League (NHL), where he led their information security program. He also led the league's technology strategy, digital transformation, and cloud initiatives. Prior to the NHL, Greg worked on infrastructure, security, and software systems for Apple, Yahoo Search, eMusic, and several other NYC based tech startups.

greg-notch has 1 posts and counting.See all posts by greg-notch

Cloud Workload Resilience PulseMeter

Step 1 of 8

How do you define cloud resiliency for cloud workloads? (Select 3)(Required)