Peebles Media Group is suing a former employee who fell victim to a CEO Fraud email which cost her employer almost £200,000.
CEO Fraud is a common type of cyber-crime which targets businesses. Because the CEO or Managing Director of a firm is easy to identify – often being listed on the company website or LinkediN – fraudsters are able to create emails which appear to have been sent from the CEO. These emails contain instructions for staff to perform a financial transaction or contain an attachment loaded with malware. Because the email purports to come from the CEO staff are more likely, it is thought, to open the attachment.
In the Peebles Media case, the CEO was on vacation at the time the fraudulent emails were sent to the firm’s Financial Controller who acted on the instructions and paid funds to the fraudsters. The firms bank was able to recover £85,000 and the firm is now suing the employee for the outstanding £107,000. The fact that the CEO was on vacation at the time of the fraud may indicate that the firm had been profiled by the fraudsters for some time and they were tracking the CEO using social media and struck when they knew the CEO was out of the office for an extended time in order to make the attack more likely to succeed.
One of the pillars of the employee’s defence is that she claims she never received any training from her employer on how to spot and avoid cyber-fraud.
Employee education and awareness training is an essential part of any information security strategy and is required under standards such as Cyber Essentials, PCI-DSS and ISO 27001.
An effective way to remind staff to stop and think before they open attachments in emails sent from outside your organisation is to include automatic disclaimers configured on your mail server. Office365 offers this facility, for example, as described in this document: https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/disclaimers-signatures-footers-or-headers
Adding disclaimers for any email originating from outside your organisation is a helpful reminder to staff to beware attachments. By adding a further warning if the SPF validation fails (which indicates the true sender is not as displayed in the FROM header of the email) will further highlight attempts by third parties to impersonate internal users- a clear red flag.
The Cyber Essentials scheme provides an easy to follow framework for businesses to ensure their cyber-security is appropriate and effective. Further advice is available from the UK Government for Small Businesses on how to protect themselves from cyber-crime here: https://www.gov.uk/government/publications/cyber-security-what-small-businesses-need-to-know