
Protecting Your Company Against Executive Impersonation Fraud

Nov 28, 2019

A company’s employees are generally expected to strive to protect the organization from a cybersecurity breach. Yet, thousands of team members unknowingly allow imposters to infiltrate businesses and steal millions of dollars by falling victim to executive impersonation fraud.

Surveying the Landscape

A variant of business email compromise (BEC), executive impersonation fraud entails a skilled criminal—or group of criminals—crafting an email that looks to be from one of the company’s key executives. The domain of the email address may be identical to the company’s domain except for one or two letters (e.g., [email protected] vs. [email protected]). Alternatively, the email address might be “spoofed” so that it appears legitimate — until the recipient hovers the cursor over the address to reveal the real sender.

The criminals do their homework to make their scheme convincing. They typically scour the company’s website and social media accounts to carefully investigate the executive they are impersonating. Additionally, they research their intended target, who will ideally be someone with the authority to initiate or approve transactions such as wire transfers.

Spotting Potential Threats

According to the FBI, executive impersonation fraud and other BEC scams have struck more than 22,000 victims worldwide and exposed more than $3 billion in losses. Given the magnitude of these effects, it is critical that employees are aware of – and recognize – the following warning signs:

  • An email that looks to be from a senior executive comes from an address that varies from the official, company-issued domain
  • The sender conveys urgency or secrecy by asking to communicate only through email (perhaps due to supposed regulatory restrictions)
  • Payments are directed to foreign bank accounts, especially where the company has never done business
  • Requests may occur when the key executive is traveling or unavailable
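The first warning sign above (a sender domain that differs from the real one by a letter or two) and the spoofed-display-name case described earlier can both be checked mechanically before a request reaches the person who can approve a wire. The following Python is an added example, not code from the article or from CRI; the company domain, the executive list and the sample From: headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed settings for this example: the organisation's real domain and the
# executives most likely to be impersonated (names as they appear in mail clients).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jdoe@example.com"}

# Constructed sample From: headers, as a recipient's mail client would show them.
SAMPLE_HEADERS = [
    '"Jane Doe" <jdoe@examp1e.com>',      # lookalike domain: the letter l became a 1
    "Jane Doe <jane.doe@freemail.test>",  # real executive name on an unrelated address
    "Jane Doe <jdoe@example.com>",        # genuine internal sender
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; lookalike domains sit within 1-2 edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> list[str]:
    """Return the warning signs found in one From: header (empty list = none)."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    flags: list[str] = []
    if domain == COMPANY_DOMAIN:
        return flags  # genuinely internal sender: nothing to flag here
    # Sign 1: the domain is the company domain with one or two letters changed.
    if domain and 0 < levenshtein(domain, COMPANY_DOMAIN) <= 2:
        flags.append(f"lookalike domain: {domain}")
    # Sign 2: the visible name is an executive's, but the real address is external.
    if display_name.strip().casefold() in {n.casefold() for n in EXECUTIVES}:
        flags.append(f"executive display name with external address: {address}")
    return flags

def scan(headers: list[str] = SAMPLE_HEADERS) -> dict[str, list[str]]:
    """Run the check over a batch of headers, e.g. a mail gateway's daily log."""
    return {h: check_sender(h) for h in headers}

if __name__ == "__main__":
    for header, flags in scan().items():
        print(header, "->", flags or "ok")
```

A hit from either check is a reason to route the message to the out-of-band verification procedure rather than to block it outright, since legitimate partners also write from external domains.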

Creating a Defense Against Cyber Criminals

Executive impersonation fraud relies on employees’ willingness to bypass normal financial controls when asked to do so by an executive. Companies can dramatically reduce their risks with the following basic precautions.

  • Create a culture of skepticism. Skepticism can be an important internal control. Employees should know that questioning authority — especially in regard to initiating financial transactions — is not only allowed, but also strongly encouraged.
  • Build employee awareness of the latest email scams. Employees are a company’s first line of defense against any form of fraud. In addition to companywide cybersecurity education, all employees who have the authority to request, approve, or execute wire transfers should receive regular, specific training on whaling and various other types of social engineering attacks.
  • Implement and enforce a social media policy. Employees should be careful about what they share on social networking sites, especially details about key executives’ travel itineraries.
  • Strengthen controls around wire transfers. First, restrict authority for initiating or approving financial transactions to a few individuals. Then, design and implement procedures to verify the origin of all wire transfer requests. Many companies require verbal confirmation from someone calling from a company-issued phone number followed by secondary verification from another individual via another phone call using an authorization code.
  • Document all of these steps. In the event that these controls fail and a security breach occurs, your incident response plan and documentation will be invaluable for showing regulators and prosecutors that your company implemented reasonable and appropriate safeguards to mitigate data loss.

Let CRI Be Your Cybersecurity Defense Ally

In a world where even an email from your chief executive could be corrupt, it can feel like threats are everywhere. However, defending against executive impersonation fraud requires you to objectively assess your organization’s threats, vulnerabilities, and internal controls. Please contact a CRI cybersecurity professional for more insights on protecting your company from cyber fraud.
