CEO Fraud: Act quickly because your boss sent you this email…

…or did she?

I got an email from Diana the other day asking me to transfer some company money to the listed account – because if I didn’t, our Microsoft 365 account would be deleted. It also conveniently explained that she was in a meeting and could not be contacted because the client she was with would get upset.

I had a couple of issues with this email:

  • We have a well established protocol for paying bills in our company – which includes a text message based procedure if an out of sequence payment needs to be made.
  • Diana was sitting across the office from me at the time!

You may not be so lucky and know exactly where your CEO is when you or one of your team gets a similar email. Or maybe you will know exactly where they are, because their children have posted on “Instatwitface” – tagging the company account – that the whole family are getting on a plane to Florida. The threat actors also saw this and now know you cannot check the validity of the email.

Do you have a procedure in place for this or a similar situation? We do.

CEO Fraud

an example of a phishing email
You may not fall for this type of phishing attack, but what if a business-looking email appeared to come from your CEO?

I read an excellent article on TerraNova Security this morning discussing just this type of cyber attack, CEO Fraud, which reminded me of my email. It goes into some of the ways this attack works and the mitigations that help defend against it.

Interestingly, it also speaks about this type of email arriving late in the day, when people are in a hurry to complete the day’s work and then get off home. If you are in a rush, you could miss something. We discussed the cyber security risk that rushing causes the other day:

CEO fraud often arises when email systems are compromised. How does that happen? One way is that a set of credentials with more privileges than the role needed has been compromised. Once in, the threat actor can send emails that appear to come from the CEO. There is one great way to defend against this type of attack – monitor when rules are created in Outlook, as threat actors need these to cover up their attack.
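As an added example (not from the original post or the TerraNova article), here is the kind of check a defender can run over Microsoft 365 audit records to pick up the Outlook rule creation mentioned above. The records are constructed for this example and assume the field shape of Unified Audit Log entries for mailbox rule operations (Operation, UserId and a Parameters list of Name/Value pairs); the scoring thresholds and keyword list are illustrative choices, not a vendor-supplied rule.

```python
# Constructed sample records shaped like Microsoft 365 Unified Audit Log entries
# (assumed fields: Operation, UserId, Parameters). All users and values are made up.
SAMPLE_AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "ceo@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;transfer"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "ceo@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "MailItemsAccessed", "UserId": "bob@example.com", "Parameters": []},
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "MoveToDeletedItems", "MarkAsRead"}
EXFIL_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FINANCE_WORDS = {"invoice", "payment", "transfer", "wire", "bank"}

def params(record):
    # Flatten the Parameters list into a plain dict keyed by parameter name.
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def score_rule(record):
    """Return (score, reasons); score 0 means not a rule event or nothing odd about it."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    p, reasons = params(record), []
    if set(p) & EXFIL_ACTIONS:   # copies of mail leave the mailbox
        reasons.append("forwards or redirects mail")
    if set(p) & HIDING_ACTIONS:  # replies and bounces are kept from the owner
        reasons.append("hides messages from the mailbox owner")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";")}
    if words & FINANCE_WORDS:
        reasons.append("filters on finance keywords")
    if not p.get("Name", "x").strip(". ,_-"):  # unnamed rules are easy to overlook
        reasons.append("rule name is blank or punctuation only")
    return len(reasons), reasons

def suspicious_rules(records, threshold=2):
    """Rule events scoring at or above threshold, in log order, ready to alert on."""
    alerts = []
    for r in records:
        score, reasons = score_rule(r)
        if score >= threshold:
            alerts.append({"user": r["UserId"], "operation": r["Operation"], "reasons": reasons})
    return alerts
```

Run against a real export, the benign newsletter rule scores below the threshold while the two rules that hide or forward finance-related mail from the CEO’s mailbox are reported.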

So have a read of the TerraNova article and see if you can defend against CEO fraud.

Don’t Be A Victim of CEO Fraud | Terranova Security

Maybe your team needs some training…

Cyber Security Awareness Training

At Smart Thinking we deliver our awareness training in a variety of ways:

Interactive webinars to many – ideal for small companies, but you may not be able to ask sensitive questions because others will be there – but I always take private questions after the meeting. These sessions are not recorded.

Interactive webinars to one company – your own private session. Customised for your own situation. Ask what you want. These sessions are recorded, so you can use them with new starters or people who could not make the live session.

Online training – suitable for large and small organisations. Everyone works at their own pace, with multiple short video sessions (5-10 minutes), online tests and assessments and even certificates. Management reports are available so you can see who has completed the courses. Have a look at CyberAwake for the details.

Bespoke – of course. Call me and we can discuss the awareness campaign that will cover all your special requirements. (Do you have French or German speaking members of staff?)

Clive Catton MSc (Cyber Security) – by-line and other articles
