As if there aren’t enough cybersecurity threats in terms of viruses, phishing, spear phishing, malware, ransomware — there is another threat that has emerged over the past few years that comes with a high price: CEO fraud.
CEO fraud is one of the most costly forms of cybersecurity attacks for businesses and organizations of all sizes and industries worldwide. According to the FBI, it is a form of business email compromise (BEC) by transnational criminals (individuals or groups) that target an organization’s key employees — typically those who have access to company finances — by using deceptive practices to get them to make wire transfers to fraudulent accounts. The emails convey a sense of urgency to get the person to comply without first checking with a colleague about the veracity of the transfer.
An email account compromise (EAC) is a form of BEC phishing email in which the perpetrators impersonate a company executive, commonly a chief executive officer (CEO) or chief financial officer (CFO), to extract or extort money by getting employees to perform what would normally be considered a routine transaction. The attacker takes time to study the CEO or CFO and learn their habits and communication style, then spoofs or hijacks their email account to masquerade as them convincingly.
This type of crime is a serious issue for companies and results in significant financial losses. The FBI’s Internet Crime Complaint Center (IC3) reported a 2,370% increase in “identified exposed losses” from BEC/EAC attacks between January 2015 and December 2016. Between October 2013 and December 2016, domestic and international organizations around the world reported losses of more than $5.3 billion.
What can be done to address this growing concern? Dual factor authentication (DFA) can provide some solutions.
Dual Factor Authentication/Two Factor Authentication
You’ve likely heard one or both of these terms, which are often used interchangeably. Dual factor authentication (dual-factor authentication or DFA), also known as two factor authentication (two-factor authentication or 2FA), is a form of multi-factor authentication (MFA) that requires more than one type of evidence to confirm that someone is an approved or authorized user. Authentication is an integral component of online transactions, and it is also a weak point when the right protections are not in place. These verification requirements are significantly stronger than traditional usernames and passwords alone.
Much like how it sounds, DFA is a form of identity verification that uses two of the three recognized types of evidence to verify that you are who you claim to be: something you know (a password or other secret information), something you have (a fob, USB device, or app on your mobile device), and something you are (biometric data such as a fingerprint, voice or facial recognition).
1. Use DFA/2FA for Company Account Login Information
This process of making two factor authentication a requirement of access for every company account should be implemented in all organizations to increase security. It is helpful for protecting users’ accounts from hackers who want to use stolen credentials to gain access to email accounts or other vital company accounts or data. If
This is especially important for companies whose employees access servers, networks, or accounts remotely. A good rule of thumb: if otherwise valid credentials are used from an unknown internet protocol (IP) address or a blacklisted location, that login should be required to pass DFA/2FA.
2. Enable DFA/2FA on Organizational Email Accounts
This approach is another way to help prevent CEO fraud from affecting the email accounts of users within your organization. Enabling two factor authentication on official email accounts for remote access means a user must present not only access credentials such as a username and password, but also a specific time-sensitive code, such as one delivered by text message to their mobile device.
Securing your organization’s email accounts through this layered authentication approach makes them less likely to be hacked. If stolen login credentials alone are not enough to get in, it becomes much more difficult to pull off an attack.
3. Make DFA/2FA a Requirement of Any Transfer Process
When it comes to something as important (and costly) as the transfer of money or data, two factor authentication should be an integral part of the process. Create an organizational policy and procedure that requires dual factor authentication methods to verify that a transfer of funds or data was genuinely approved by the right people. This could involve requiring the user making a transfer to physically call and verify a specific code with designated leadership before the transfer can be made.
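One way to implement the transfer policy above, as an added example rather than the author’s procedure: the approver’s own device derives a short code from the exact transfer details, so the code the requester reads back over the phone is valid only for that amount and beneficiary, the requester can never approve their own transfer, and any edit to the details after approval blocks release. The TransferDesk class, its field names and the IBAN values are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Exactly the fields an approval covers; anything else is outside what the approver was shown.
APPROVAL_FIELDS = ("transfer_id", "requested_by", "amount_cents", "beneficiary_iban")

def canonical(details: dict) -> bytes:
    """Stable byte encoding of the approved fields, so equal transfers hash equally."""
    return json.dumps({k: details[k] for k in APPROVAL_FIELDS}, sort_keys=True).encode()

def approval_code(approver_key: bytes, details: dict) -> str:
    """Short code the approver's device derives from the transfer it was shown (8 hex chars)."""
    return hmac.new(approver_key, canonical(details), hashlib.sha256).hexdigest()[:8].upper()

class TransferDesk:
    """Hypothetical payment-desk workflow: request, out-of-band approval, release."""
    def __init__(self):
        self.approver_keys = {}  # approver -> key held only on that person's device
        self.pending = {}        # transfer_id -> transfer details

    def enroll_approver(self, approver: str) -> bytes:
        self.approver_keys[approver] = secrets.token_bytes(32)
        return self.approver_keys[approver]

    def request(self, transfer_id: str, requested_by: str, amount_cents: int, iban: str) -> dict:
        d = dict(transfer_id=transfer_id, requested_by=requested_by,
                 amount_cents=amount_cents, beneficiary_iban=iban, approved_by=None)
        self.pending[transfer_id] = d
        return d

    def approve(self, transfer_id: str, approver: str, code: str) -> bool:
        d = self.pending.get(transfer_id)
        key = self.approver_keys.get(approver)
        if d is None or key is None or d["approved_by"] is not None:
            return False
        if approver == d["requested_by"]:
            return False  # separation of duties: the requester never approves their own transfer
        if not hmac.compare_digest(approval_code(key, d), code):
            return False  # wrong approver, or the approver was shown a different amount/beneficiary
        d["approved_by"] = approver
        d["approved_digest"] = hashlib.sha256(canonical(d)).hexdigest()
        return True

    def release(self, transfer_id: str) -> bool:
        d = self.pending.get(transfer_id)
        if d is None or d["approved_by"] is None:
            return False
        # Refuse if amount/beneficiary were edited after approval (the classic bank-detail swap).
        return hashlib.sha256(canonical(d)).hexdigest() == d["approved_digest"]
```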
However you choose to utilize multi-factor authentication methods, just be sure that you do it. As you have read from the FBI and IC3 statistics, this is a serious and rapidly increasing issue facing businesses worldwide.
What are your thoughts? What are some other ways that dual factor authentication/two factor authentication can be used to prevent CEO fraud? Share your thoughts in the comments section below or send me an email to chat about it more in depth.