Criminal gangs are using LinkedIn and direct emails to perpetrate “CEO fraud”, mining the social network for information about job titles and a company’s chain of command to impersonate senior executives and give bogus orders to those below them.
The frauds typically involve an email purporting to be from a finance director or chief executive sent to an underling in the company’s finance department, ordering them to transfer money quickly to a bank account for a specific reason.
The attackers use LinkedIn to do corporate reconnaissance. It tells them a lot about who does what in an organisation. Most of the time people follow instructions they get on email, especially if it’s from a boss. If an email looks like it comes from a certain person, why wouldn’t someone believe it was from them?
A report last year from the City of London police’s National Fraud Intelligence Bureau showed that £32 million had been reported lost as a result of CEO fraud in Britain. The actual figure is likely to be far higher, as many may not realise they have been hit. Action Fraud, the cybercrime reporting centre, reported last year that the average loss is £35,000, but one company lost £18.5 million.
Most organisations now train staff to spot phishing attacks. Many cybersecurity systems can identify malware and malicious websites, but these controls often fail to stop diversionary payment fraud, because a fraudulent transfer request carries neither: it is just a plausible-looking email.
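One defensive check that the article's point calls for: flag inbound mail that borrows a known executive's display name from an outside address, sets a Reply-To that differs from the sender, or claims the corporate domain without a DMARC pass, and raise the severity when the message also reads as a payment request. This is an added example, not code from the article or from any of the bodies it cites; the executive directory, the corporate domain `example.com` and the three sample messages are constructed for illustration.

```python
"""Triage inbound mail for executive impersonation (CEO fraud / BEC).

Added example. The directory, domain and messages below are constructed;
the Authentication-Results header follows RFC 8601 as a mail gateway would
stamp it.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumed corporate domain
# Assumed directory: display names of executives and their only legitimate address.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "sam rivers": "sam.rivers@example.com",
}
# Words that make a message look like a transfer instruction.
PAYMENT_PATTERNS = re.compile(
    r"\b(wire|transfer|payment|bank details|urgent|invoice)\b", re.I
)


def normalise(name: str) -> str:
    """Lower-case a display name and drop punctuation so 'J. Doe' style variants compare."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def triage(raw: str) -> dict:
    """Return findings, a payment-request flag and a verdict for one raw message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    # 1. Display name matches an executive but the address is not theirs.
    key = normalise(from_name)
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        findings.append("display name matches an executive but address does not")

    # 2. Replies would be diverted away from the apparent sender.
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append("Reply-To differs from From")

    # 3. Message claims the corporate domain but the gateway saw no DMARC pass.
    if from_domain == CORP_DOMAIN and "dmarc=pass" not in auth:
        findings.append("claims corporate domain without dmarc=pass")

    payment_request = bool(PAYMENT_PATTERNS.search(msg.get("Subject", "") + " " + body))
    if findings and payment_request:
        verdict = "hold"      # do not action; verify by phone or in person
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"findings": findings, "payment_request": payment_request, "verdict": verdict}


# Constructed sample messages.
SAMPLES = [
    # Spoofed display name from an outside mailbox, asking for a wire.
    "From: Jane Doe <jane.doe.ceo@gmail-example.test>\n"
    "To: accounts@example.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process the wire today, I am in meetings. Details to follow.\n",
    # Genuine internal mail with a DMARC pass and no payment language.
    "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Thursday all-hands\n"
    "\n"
    "Reminder that the all-hands moves to 3pm.\n",
    # Corporate From address with no authentication result and a diverted Reply-To.
    "From: Sam Rivers <sam.rivers@example.com>\n"
    "Reply-To: sam.rivers@mail-relay.test\n"
    "To: accounts@example.com\n"
    "Subject: Supplier invoice\n"
    "\n"
    "Can you confirm the bank details for the payment today?\n",
]


def run() -> list:
    """Triage every sample and return the verdicts in order."""
    return [triage(raw)["verdict"] for raw in SAMPLES]


if __name__ == "__main__":
    for raw, result in zip(SAMPLES, map(triage, SAMPLES)):
        print(result["verdict"].upper(), result["findings"])
```

The verdict is deliberately coarse: a "hold" means the finance team verifies the instruction out of band before anything moves, which is the procedural control the article is asking for. The executive directory would normally come from the HR system rather than a literal, and the DMARC check relies on the gateway stamping Authentication-Results on every inbound message.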
Please be careful: make sure your staff are aware, and put procedures in place so that same-day transfers of money cannot be actioned on the strength of an email alone.