IT3000: Stay Safe Online – CEO Fraud and Spear Phishing

What Is CEO Fraud?

CEO fraud is a type of spear phishing scam in which fake emails that appear to come from a company director are sent to employees, instructing them to transfer money to fake accounts.

What Is the Difference Between Phishing and Spear Phishing?

In a phishing attack, a generic mass email is sent out to hundreds or thousands of people in an attempt to gather information from them. This information is then often used to try to gain access to bank account details.

Phishing emails will often mimic emails from banks, subscription services and social media sites.

For more information on phishing scams, check out our blog post.

Spear phishing, however, is a targeted attack on a company or individual. The scammer will carry out extensive research in order to make the scam appear as convincing as possible. Company websites, social media accounts and Companies House can all be used by scammers to gain enough information to make their emails seem convincing and plausible.

The spear phishing scenario that is seen most frequently is where an employee receives an urgent email from a director instructing them to make an immediate payment. The tone of the email and the fact that it is from a senior member of staff cause the employee to panic. They make the payment without asking any questions.

How Do I Protect Myself and My Business Against Spear Phishing Attacks?

Spear phishing is becoming increasingly difficult to detect. However, to minimise the threat to your business, we recommend that:

  • You set a protocol for payment instructions – for example, if a staff member receives an email instructing them to make a payment, even if this instruction is from a senior member of staff, they must confirm the action via telephone. This should also apply to external agencies such as accountants etc. A company was attacked back in 2016 when scammers targeted their accountant.
  • You brief all staff on phishing and spear phishing scams and urge them to be vigilant when checking all emails, even those that appear to come from someone internal.
  • You urge staff to check emails for errors that might lead them to believe it is a scam – these errors may be spelling mistakes, incorrect use of grammar and discrepancies in the design of the email (for example on closer inspection the email signature may not be the same as that used by your business but rather a clever copy).
  • You inform staff to be wary of links and attachments.
  • You instruct staff to check the sender's email address. At first glance it may appear to be legitimate, but on further inspection you may notice that the address is actually incorrect. For example, the below image is a snippet from a phishing email that impersonated Microsoft. At first glance the email appears genuine but as you look closely at the email address you can see that is coming from which is not a legitimate Microsoft email suffix.
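
The sender-address check and the confirm-by-phone rule above can also be applied automatically to incoming mail. The following is an added example, not part of the original article; the company domain, director names, keyword list and sample messages are all constructed assumptions.

```python
from email.utils import parseaddr

# Assumptions for illustration (constructed, not from the article).
COMPANY_DOMAIN = "example.co.uk"
DIRECTORS = {"jane smith", "john patel"}
URGENT_WORDS = ("urgent", "immediately", "payment", "transfer")


def sender_parts(from_header):
    """Return (display_name, domain) from a From: header, lower-cased."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return " ".join(name.lower().split()), domain


def is_company_domain(domain):
    # Exact match or a true subdomain only. A look-alike such as
    # "example.co.uk.pay-now.test" merely contains the name and must fail.
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def review_flags(from_header, subject):
    """List the reasons an email should be confirmed by telephone."""
    name, domain = sender_parts(from_header)
    flags = []
    if name in DIRECTORS and not is_company_domain(domain):
        flags.append("director name with external address")
    if COMPANY_DOMAIN in domain and not is_company_domain(domain):
        flags.append("company name embedded in look-alike domain")
    # Raised for internal senders too: the payment protocol applies to everyone.
    if any(word in subject.lower() for word in URGENT_WORDS):
        flags.append("urgent payment wording")
    return flags


# Constructed sample messages: (From header, Subject).
SAMPLES = [
    ("Jane Smith <jane.smith@example.co.uk>", "Board minutes"),
    ("Jane Smith <jane.smith@example.co.uk>", "Urgent payment to supplier"),
    ('"Jane Smith" <jane.smith@example.co.uk.pay-now.test>', "URGENT: transfer today"),
    ("John Patel <jpatel@freemail.test>", "Quick favour"),
]

if __name__ == "__main__":
    for sender, subject in SAMPLES:
        print(sender, "|", subject, "->", review_flags(sender, subject) or "no flags")
```

A message with no flags is not proven safe; the check only catches the mismatches described in the list above, so the telephone confirmation still applies to every payment instruction.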

What to Do If You Think You Have Transferred Money to a Scammer's Account?

Call your bank IMMEDIATELY and inform them of the situation.

Report the scam to the police through Action Fraud on 0300 123 2040, or report a scam anonymously on its website.