A corporate security threat that exposes South African organisations to reputational damage, financial losses and significant disruption is on the rise.
According to Paul Stafford, vice-president for Africa at Mimecast, CEO fraud is on the rise and could cause significant damage.
Mimecast’s State of Email Security 2022 report found that 92% of South African respondents had experienced email-based impersonation fraud, where victims were asked for money, sensitive intellectual property or login credentials. Thirty-nine percent experienced an increase in these attacks and two in five said it was a large increase.
“The pace at which cybercriminals are improving their techniques combined with modern society’s propensity for sharing details of themselves online has created a perfect storm,” he says. “The consequences of a successful attack can be significant: data from the FBI estimates that financial losses in the US due to social engineering topped $4,2-billion, which doesn’t take into account the cost of the disruption and loss of trust.
“South African companies need to take urgent action to protect all layers of the organisation from social engineering and other cyberattack types.”
CEO fraud is a highly targeted form of social engineering in which attackers research potential victims and their companies online, learning everything they can from the company’s website as well as from information published on social media sites such as LinkedIn, Facebook and Twitter. The attack usually takes the form of an instruction from the ‘CEO’ to transfer money, or a request for sensitive information that is later used for fraud, extortion or to breach organisational defences.
“Often attackers will find enough information about specific high-profile employees and craft highly realistic emails that appear to come from the CEO or other executive staff members. This is then sent to other employees in the organisation or even to customers, vendors, or partners,” explains Stafford.
“Great care is taken to create an impression of authenticity, and requests are often marked urgent. Because it appears to come from someone of authority, there’s an increased chance that the recipient will act before fully considering whether the instruction is legitimate.”
With many companies now employing a remote or hybrid work policy, more requests are made via email, and since employees can’t simply walk over to the desk or office of the person who purportedly contacted them, impersonators gain an opening that did not exist before.
“New employees are often easy targets as they don’t always know who’s who within the organisation. They’re therefore more prone to error and act on what they believe is a legitimate request from a high-ranking company executive,” explains Stafford.
The process of recovering from a successful social engineering attack can be long and costly. “Often organisations have to hire an incident response team, purchase additional security software, retrain employees and make changes to internal policies. It is also hard to quantify the financial cost of the loss of trust stemming from a successful social engineering attack, but it is safe to say it can be significant.”
Stafford says that, to protect the CEO and the broader organisation, companies need to regularly educate employees about the warning signs of CEO fraud and other types of cyberattacks. Companies also need a layered security strategy with well-defined policies and procedures as well as email security technology, anti-impersonation software, DNS authentication services, and anti-malware and anti-spam programs. Most importantly, they need to build a culture of security awareness that starts with the CEO and permeates every layer of the organisation. This means not only knowing how to spot an attack but also being careful not to share too much personal information online.
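The detection side of the layered controls listed above (anti-impersonation checks, DNS authentication results such as DMARC, and the urgency-plus-payment wording described earlier in the article) can be illustrated with a small heuristic mail classifier. This is an added example, not Mimecast's product logic or code from the original article; it assumes a corporate domain of example.com, a constructed executive roster, and three constructed sample messages.

```python
"""Heuristic CEO-fraud (executive impersonation) triage for an inbound message.

Added example, not Mimecast's code. Assumptions: the organisation owns
example.com, the executive roster below is constructed, and the three sample
messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's own domain

# Constructed roster: normalised display name -> the executive's real mailbox.
EXECUTIVES = {
    "jane smith": "jane.smith@example.com",
    "thabo mokoena": "thabo.mokoena@example.com",
}

URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "confidential")
PAYMENT_WORDS = ("wire", "transfer", "payment", "bank details", "invoice", "gift card")


def _norm(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  SMITH' matches 'jane smith'."""
    return " ".join(name.lower().split())


def _decoded(value) -> str:
    """Decode RFC 2047 encoded-words (=?utf-8?...?=) into plain text."""
    return str(make_header(decode_header(value or "")))


def _body_text(msg) -> str:
    """Collect all text/plain parts; other content types are ignored here."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def _auth_results(msg) -> dict:
    """Pull spf=/dkim=/dmarc= verdicts out of Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[mech.lower()] = verdict.lower()
    return results


def assess(raw: str) -> dict:
    """Return findings (severity, reason) and an overall suspicious flag."""
    msg = message_from_string(raw)
    display, addr = parseaddr(_decoded(msg.get("From")))
    addr = addr.lower()
    display_n = _norm(display)
    from_domain = addr.rpartition("@")[2]
    reply_to = parseaddr(_decoded(msg.get("Reply-To")))[1].lower()
    reply_domain = reply_to.rpartition("@")[2]
    auth = _auth_results(msg)
    text = (_decoded(msg.get("Subject")) + "\n" + _body_text(msg)).lower()

    findings = []
    # 1. Display name matches an executive but the address is not their mailbox
    #    (lookalike domains pass DMARC because the attacker controls them).
    if display_n in EXECUTIVES and addr != EXECUTIVES[display_n]:
        findings.append(("high", f"display name '{display}' is an executive but address is {addr}"))
    # 2. Claims to be our own domain but DNS authentication did not hold up.
    if from_domain == CORPORATE_DOMAIN and auth.get("dmarc") != "pass":
        findings.append(("high", f"From domain is {CORPORATE_DOMAIN} but dmarc={auth.get('dmarc', 'missing')}"))
    # 3. Replies are diverted to a different domain than the sender claims.
    if reply_domain and reply_domain != from_domain:
        findings.append(("medium", f"Reply-To domain {reply_domain} differs from From domain {from_domain}"))
    # 4. Urgent tone combined with a money or credential request.
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        findings.append(("medium", "urgent wording combined with a payment/credential request"))

    highs = sum(1 for sev, _ in findings if sev == "high")
    mediums = sum(1 for sev, _ in findings if sev == "medium")
    return {"from": addr, "auth": auth, "findings": findings,
            "suspicious": highs > 0 or mediums >= 2}


# Constructed sample messages (not real mail).
LOOKALIKE_MSG = """From: Jane Smith <jane.smith@example-com.co>
To: newhire@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-com.co; dkim=pass; dmarc=pass header.from=example-com.co

I'm in a meeting and need you to process a payment right away.
Send me the bank details you have on file. Keep this confidential.
"""

SPOOFED_MSG = """From: Jane Smith <jane.smith@example.com>
To: finance@example.com
Reply-To: jane.smith.ceo@webmail-example.test
Subject: Quick favour
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Are you at your desk? I need a transfer done asap, details to follow.
"""

LEGIT_MSG = """From: Jane Smith <jane.smith@example.com>
To: board@example.com
Subject: Board pack for Thursday
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com

Please find the agenda attached. Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE_MSG), ("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(label, assess(sample))
```

The two high-severity checks cover different cases, which is the point of layering: the lookalike-domain message passes DMARC because the attacker controls that domain and is caught only by the executive-roster comparison, while the message spoofing the real domain is caught by the DMARC failure. The urgency and Reply-To heuristics on their own only raise the score, so routine internal mail that mentions an invoice is not flagged.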
“As the regional leader of an organisation, I understand how important it is for senior leadership to drive important business processes and lead by example. Security awareness is one of those important topics that needs to be driven by people at the top. If employees see that their leaders are taking security seriously, they will understand its importance and make sure it’s always top of mind,” Stafford adds.