Week 11: Fraud attempts with social media data

21.03.2023 - In CEO fraud attempts, attackers gather data from public sources in advance. They usually use company websites that list their employees and their functions. However, data on social media platforms can also be used for such fraud attempts, as shown by a case reported to the NCSC last week that targeted a company's HR department.

In CEO fraud, the attackers put pressure on the finance managers of a company by posing as the CEO and urging the victim to make a supposedly urgent payment. These fraud attempts are typically characterised by the claim that the request cannot be questioned because the CEO is in an urgent meeting or otherwise unable to answer the phone. The attackers obtain the necessary information in advance from public sources. The required data, such as the CEO's name or email address, or the name or email address of the finance manager, can be found on many company websites. This information, which is useful for customer contact, can unfortunately also be misused by fraudsters to commit CEO fraud.

In addition to the classic variant described above, sub-variants have likewise been observed for some time now. One of these, also called the HR variant, targets HR managers. Here, too, the fraudsters partly use data from the company website. In these cases, however, data from social media platforms increasingly plays a more significant role, as a case reported to the NCSC last week demonstrated.

CEO fraudsters target HR

In the HR variant, an email is sent to the HR department by a purported employee requesting that their next salary payment be made to a different account. For this scam, the attacker must know the HR manager's name and email address, as well as an employee's name. In the current case, however, these details were not visible on the website, which led to the initial suspicion that the attackers could have obtained the data from a hacking attempt against the company or against the employee. An extended search revealed, however, that the fraudsters had gathered the data from social media channels in advance. Platforms such as Xing or LinkedIn aim to connect professional contacts, and job titles are a central part of this. As a result, the name and function of the company's HR manager were also visible on Xing in the current case.

The name of the company's HR manager is visible on Xing

In addition, other employees of the company are listed on Xing with their first and last names, job titles and direct links. The attackers focus on the employees with the highest salaries.

A company's employees, including their job titles, are also visible on social media

On another social media platform, the email address of the HR department is also listed. This address, however, has to be public, as it is usually also used to submit job applications.

Contact addresses for HR departments are often published, as these are usually used to submit job applications

The fraudsters then use this information to try to convince the HR department by email to pay the salary to another account. Fortunately, the attackers usually only have one attempt, as employees notice very quickly that their salary has not been paid at the end of the month. The fraud is noticed at the latest at this point. The proceeds from this type of fraud are therefore likely to be rather low.

Ban the use of social media?

At a time when social media is playing an increasingly important role, prohibiting employees from using such channels is clearly not a solution. Nevertheless, every company should set guidelines on what information employees are allowed to disclose on social media channels and what they are not.

It is clear that the availability of such information will also lead to increased fraud. It is therefore particularly important to raise awareness of such fraud variants among all company employees who can initiate payments. HR departments should also be informed accordingly. Changes to salary bank accounts should only be made through verifiable channels or after personal consultation with the employees.

Recommendations:

  • Raise all employees' awareness of CEO fraud! Especially employees in finance divisions, in HR departments and in key positions must be informed about these possible methods of attack. In the case of associations, all presiding members and treasurers must receive training.
  • Define a process that can be used to amend bank account details, even urgently. Typically, this should be done through a second channel (e.g. by phone).
  • Define guidelines on what information employees are allowed to disclose about the company.

Last modification 21.03.2023


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2023/wochenrueckblick_11.html