‘CEO Fraud’ Is The CEO’s Fault

Whichever way you look at it, the > $2Bn lost in ‘CEO Fraud’ is the CEO’s fault. Maybe not so much the first couple of cases (the ‘zero-day’ ones), but from that point forward, falling for such an obvious scam is indicative of broken processes that all point back to the CEO.

Even one of the most basic tenets of security, that of split knowledge and dual control, is all that was required to prevent these attacks! NO-ONE, including the CEO, should be able to authorise these transfers alone, and NO-ONE, not even the CFO, should be able to perform one alone.

Not for all transfers obviously, but when we’re talking hundreds of thousands to tens of millions, how was a single person able to proceed without sufficient checks and balances? For God’s sake, a simple CALL to the CEO’s mobile would have sufficed!
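The dual-control and out-of-band check described above, written out as a small policy engine. This is an added example, not code from the original post; the $100K threshold, the role names and the rule that an e-mail never counts as verification are assumptions chosen to illustrate the point.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional, Set, Tuple

# Assumed policy: anything at or above this amount needs dual control
# plus an out-of-band confirmation before funds can leave.
DUAL_CONTROL_THRESHOLD = Decimal("100000")

# Channels that count as "out of band". E-mail is deliberately absent:
# confirming an e-mail request by e-mail proves nothing.
OUT_OF_BAND_CHANNELS = {"phone", "in_person", "signed_form"}


class PolicyViolation(Exception):
    """Raised when an action would break separation of duties."""


@dataclass
class TransferRequest:
    request_id: str
    amount: Decimal
    payee: str
    requested_by: str                      # whoever raised the request (e.g. the e-mail "from")
    approvals: Set[str] = field(default_factory=set)
    verified_by: Optional[str] = None      # who confirmed it out of band
    verified_via: Optional[str] = None


def approve(req: TransferRequest, approver: str) -> None:
    """Second pair of eyes: the requester can never approve their own transfer."""
    if approver == req.requested_by:
        raise PolicyViolation("requester cannot approve their own transfer")
    req.approvals.add(approver)


def confirm_out_of_band(req: TransferRequest, verifier: str, channel: str) -> None:
    """Record that someone other than the requester confirmed the request
    directly with the (claimed) originator over an out-of-band channel."""
    if channel not in OUT_OF_BAND_CHANNELS:
        raise PolicyViolation(f"'{channel}' is not an out-of-band channel")
    if verifier == req.requested_by:
        raise PolicyViolation("requester cannot verify their own transfer")
    req.verified_by = verifier
    req.verified_via = channel


def release_allowed(req: TransferRequest) -> Tuple[bool, List[str]]:
    """Decide whether finance may execute the transfer; returns the reasons if not."""
    reasons: List[str] = []
    if req.amount >= DUAL_CONTROL_THRESHOLD:
        if not req.approvals:
            reasons.append("no independent approver")
        if req.verified_by is None:
            reasons.append("no out-of-band confirmation")
    return (not reasons, reasons)


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: a $480K request arriving by e-mail 'from' the CEO."""
    req = TransferRequest("REQ-0001", Decimal("480000"), "Acme Supplier Ltd", "ceo")
    blocked, _ = release_allowed(req)          # e-mail alone: must be blocked
    approve(req, "controller")                 # second person signs off
    confirm_out_of_band(req, "controller", "phone")  # 20-second call to the CEO
    released, _ = release_allowed(req)
    return blocked, released


if __name__ == "__main__":
    print(demo())
```

Note that the checks are on the request object, not on who is asking: a request that genuinely came from the CEO goes through exactly the same gate as a forged one, which is the whole point of dual control.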

So, in the several thousand companies that have fallen for this scam, we can make several assumptions:

  1. The CEOs are above the processes of other employees – I have to believe that the transfer of [for the sake of argument] $100K requires the completion of a form of some kind. That form is then signed by the requestor, and forwarded on to finance for action. In every case where the fraud was successful, the process began with nothing more than an email.
  2. The CEO is ‘God’ – In this particular case, an accountant transferred $480K based on an email, then only became suspicious when asked for a subsequent $18 MILLION. Seriously? It didn’t occur to the accountant to call the CEO just to make sure? Is the CEO THAT unapproachable that s/he won’t take a 20 second phone call for $480K!?
  3. There is zero oversight on the finance departments – As in the above case, there were clearly no checks and balances in place to confirm authorisation of a transfer, and no-one below the accountant thought to question their own actions based on a largely undocumented request? Just following orders, were they? What does THAT say about the company culture?
  4. The Information / Cyber Security program is a shambles – Even the most basic Security Awareness & Training programs have sections on social engineering and fraud techniques, and no matter how well a thief did their homework, these emails should have been a huge red flag. How is it that people with such enormous impact on a business (i.e. finance) have no training in cyber security basics / essentials?
  5. The organisations have zero ability to address the prevailing threat landscape – How easy would it be for the information / cyber security departments in these organisations to send out ‘mandatory-read’ emails to all staff warning them of the ‘new’ threat? How do mitigation techniques not make their way into business process after a significant change in the threat landscape?

The saddest part of all this? This type of fraud is ON THE RISE!! Despite the significant press, despite > $2 BILLION in losses, organisations all over the world still haven’t taken appropriate action.

My most used phrase: “Let’s be very clear; the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter any goal here], it’s the CEO’s fault, and no-one else’s.”

In this case, replace “[enter any goal here]” with “immunity from email scams” and apply it to the assumptions above. We can determine that:

  1. the CEO’s vision for the organisation does not include an appropriate security program – If they can’t even take care of their own MONEY, what is the chance they can take care of your sensitive data?
  2. the CEOs put themselves above the company values – No company that I know of has ‘Do as I say, not as I do.’ as a published value, but clearly the rules do not apply to these folks.
  3. the direction of any organisation is towards its goals. Obviously. How does the loss of hundreds of thousands of €/£/$ and the sheer embarrassment of falling for this attack add to the company’s bottom line?
  4. unfortunately security is up there with ethics when it comes to CEO priorities. They are treated as a cost of doing business, not as fundamental processes that add significant ROI when done properly.

The better CEOs who have been victims will look at the root cause of their incident, point their finger squarely at the mirror, and fix it. The rest will fire the finance person and leave themselves open to the next threat. The best CEOs lead their company by example, and didn’t fall for the attack in the first place.

Which do you want to be?