How confident are you that your employees would recognise a scam email if they received one? Would they really be able to tell the difference between an email from a C-level executive versus an impersonator? What if your executive’s email account has been compromised?
Executive impersonation is a playing field rife with opportunity for cybercriminals. Why? Because executives commonly issue requests involving large sums of money or critical data to their employees – and these requests are often obeyed without question. Easy pickings.
The victims don’t belong to any particular industry. Often, the cybercriminals will stumble across a compromised business email system, either through a phishing scam or by specifically targeting a vulnerable business network.
As a result, thousands of team members unknowingly allow imposters to infiltrate businesses and steal millions of dollars.
So, what can you do to ensure your business isn’t the next in a long line of victims?
#1: Create a culture of scepticism
Obviously every company wants a positive culture, but scepticism is a valuable tool when it comes to online security. Employees should be encouraged to question unusual emails, whether from their direct manager or the CEO – especially those that ask them to initiate financial transactions.
Educate employees to re-read emails and keep an eye out for clues. Would your boss really greet you like that? Is that name spelled correctly?
#2: Stay across the latest scams
Keep your whole team up to date on the latest scams – not just the IT professionals (who are the least likely to fall for the attack anyway!).
If there’s a new scam popping up that has the potential to trick your employees, awareness is critical. The more people are educated on what’s possible, the more likely they are to follow step one and question everything.
#3: Strengthen controls around finance
Every business should have strong internal controls when it comes to financial transactions – but strong doesn’t necessarily mean complex. In many cases, simply requiring a direct phone call to the finance controller before a transfer is released could prevent a lot of mistaken transactions.
Secondary authentication is the key here. Whether that is an authorisation code delivered outside email (such as via SMS) or a phone call with verbal confirmation depends on what works for your business.
#4: Practice good email & password hygiene
Block spoofed emails from entering your organisation by configuring your mail services with DMARC and, if possible, require employees to update their passwords on a regular basis.
We also strongly recommend two-factor authentication for all accounts. That way, if a password is compromised, the attacker still does not have immediate access to the account – which makes you less likely to experience executive impersonation fraud.
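As an added example (not code from the original post or from FraudWatch), the following Python parses a domain’s published DMARC TXT record and flags settings that leave spoofed mail unblocked; the sample records are constructed for illustration.

```python
# Constructed sample DMARC TXT records (not taken from any real domain).
SAMPLE_RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=50",
    "enforced": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # skip empty segments and malformed fragments
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of weaknesses; an empty list means spoofed mail is rejected."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s: spoofed mail is only monitored, never blocked"
                        % (policy or "missing"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # an unparseable pct is treated as no enforcement at all
    if pct < 100:
        findings.append("pct=%d: policy applies to only part of the mail stream" % pct)
    # Subdomain policy defaults to p; flag it only when explicitly weaker.
    sub = tags.get("sp", policy).lower()
    if policy == "reject" and sub != "reject":
        findings.append("sp=%s: subdomains can still be spoofed" % sub)
    if "rua" not in tags:
        findings.append("rua missing: no aggregate reports, so abuse goes unseen")
    return findings


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(name, assess_dmarc(rec) or ["ok"])
```

DMARC only covers mail claiming to come from your own domain; mail sent from a compromised executive account, or from a lookalike domain the attacker registered, passes these checks, which is why the verification controls in #3 remain necessary.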
#5: Document all security processes
Don’t assume your team members know what to do! It’s important to keep a record of all security processes, so that each employee can review them if they encounter a potential threat.
This is also valuable if a breach were to occur. Your team will know what steps they need to take in order to get the issue resolved ASAP.
#6: Work with a professional online security team
The digital landscape is constantly evolving – and as technology continues to advance, cyber activity becomes more sophisticated and prevalent. While there are a lot of preventative measures you can employ internally, it’s always recommended to work with an expert team you can rely upon.
FraudWatch has decades of experience protecting businesses across all industries from online fraud, including executive impersonation. Get in touch with one of our specialists today to see how we can help your business.