Social engineering applied to cybersecurity is a valuable tool for cyber attackers who can creatively and effectively deceive their victims. Curiosity, fear, shame and guilt are some of the human traits exploited by cyber attackers to deceive and extort their victims. One current example is the so-called CEO fraud attack. This happens when an employee authorised to make payments is tricked into paying a fake invoice or making an unauthorised bank transfer from the company account. Typically, the cyber attacker calls or sends an email posing as a senior figure within the company (e.g. the CEO or CFO), usually demanding an urgent payment or a change of bank details.
Cyber attacks are becoming increasingly sophisticated, and in the case of CEO fraud the attackers' impersonations are becoming more convincing. It is therefore crucial for organisations and the people within them to know how to prevent a CEO fraud attack and, more importantly, to know the best cybersecurity practices to follow when an attack is actually under way.
In our "Real Cases of Cyberattacks" section, we shared a real CEO fraud attack in which the Portuguese Ministry of Education was targeted by a computer scam. The cyber attacker posed as an official of the service provider company and requested that the payment IBAN be changed, leading to three bank transfers to a fraudulent IBAN. The Portuguese Ministry of Education managed to report the incident and recover around 2.5 million euros.
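The Ministry case above turns on a single event: a request to change the IBAN a supplier is paid into. The control that defeats that pattern is a payment-release gate that treats any change of bank details as high risk and holds the payment until the change is verified out of band. The following is an added example written for this post (it is not code from the original article or from the Ministry); the vendor master file, the payment requests and the 10,000 EUR dual-approval threshold are all constructed assumptions.

```python
# Added example, not part of the original post. A payment-release gate that:
#   1. validates the beneficiary IBAN checksum (ISO 13616 mod-97),
#   2. compares the requested IBAN with the vendor master record, and
#   3. holds the payment for out-of-band verification when the IBAN changed
#      or a second approver is required.
# The vendor master file and the requests below are constructed test data.
import re
from dataclasses import dataclass


def normalise_iban(iban: str) -> str:
    """Strip whitespace and upper-case, so 'gb82 west ...' and 'GB82WEST...' compare equal."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check. Returns False for bad length or characters."""
    s = normalise_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    # Move the country code and check digits to the end, then map letters A..Z to 10..35.
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


@dataclass(frozen=True)
class PaymentRequest:
    vendor_id: str
    amount_eur: float
    beneficiary_iban: str
    requested_via: str      # constructed channel labels: "portal", "email", "phone"
    marked_urgent: bool     # did the request press for immediate payment?


# Constructed vendor master file: the IBAN on record for each supplier (hypothetical IDs).
VENDOR_MASTER = {
    "V-1001": "GB82 WEST 1234 5698 7654 32",
    "V-2002": "DE89 3704 0044 0532 0130 00",
}


def assess_payment(req: PaymentRequest, vendor_master=VENDOR_MASTER,
                   dual_approval_threshold_eur: float = 10_000.0):
    """Return (decision, reasons) where decision is 'release', 'hold' or 'reject'."""
    reasons = []
    iban = normalise_iban(req.beneficiary_iban)
    if not iban_is_valid(iban):
        return ("reject", ["beneficiary IBAN fails the ISO 13616 checksum"])
    on_file = vendor_master.get(req.vendor_id)
    if on_file is None:
        return ("hold", ["vendor not in master file; onboard it through the normal process first"])
    if iban != normalise_iban(on_file):
        # The core CEO-fraud control: never accept new bank details from the
        # request itself. Verify by calling the vendor on the number already on file.
        reasons.append("beneficiary IBAN differs from the vendor master record: "
                       "confirm the change by calling the vendor on the number already on file")
        if req.marked_urgent:
            reasons.append("urgency combined with a bank-detail change is a known fraud pattern")
    if req.amount_eur >= dual_approval_threshold_eur:
        reasons.append(f"amount >= {dual_approval_threshold_eur:.0f} EUR requires a second approver")
    return ("hold", reasons) if reasons else ("release", [])


if __name__ == "__main__":
    # Constructed requests: one routine payment and one that mirrors the case in the post
    # (an emailed, urgent request to pay a supplier into a different IBAN).
    for req in (
        PaymentRequest("V-1001", 2_500.0, "GB82 WEST 1234 5698 7654 32", "portal", False),
        PaymentRequest("V-1001", 48_000.0, "DE89370400440532013000", "email", True),
    ):
        decision, reasons = assess_payment(req)
        print(req.vendor_id, req.amount_eur, decision, reasons)
```

The gate deliberately never "corrects" or auto-accepts a new IBAN: a mismatch always produces a hold, and the reason text tells the approver to verify through a contact channel that predates the request, which is the step the fraudulent change in the Ministry case depended on skipping.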
CEO fraud attacks have a significant impact on organisations and their employees, and everyone must be better prepared for situations like this. Read here the practices that we consider fundamental and that the Portuguese Ministry of Education could have adopted to avoid this type of situation.