At first, the Facebook friend request looked perfectly normal, but then I realized that this friend, who I have known since middle school, was already connected with me on Facebook. So I looked at the profile more closely and it was clear that this was an impersonation. So I texted my friend to ask if she’d sent the new request and she replied that she hadn’t, adding that someone had recently tried to use her credit card to buy some items from Amazon. Fortunately, she’d replaced that particular card so no money was lost, but clearly, she was being targeted by an identity thief. I suggested she call the police to report it.
What was happening to my friend is a fairly typical set of events in the early stages of identity theft. This effort was derailed, but most people wouldn’t have found out so quickly. Instead, the criminals probe their victim’s finances and assume their identity on social media, hoping to glean enough personal information to be able to impersonate the victim in a business setting where communications happen over email.
The scheme works by the criminal working his way through the organization, steadily moving up the line until he is able to pass as a senior employee. Frequently, the ultimate goal is to steal the identity of the CEO. Then the criminal uses personal email to open communications with employees who have access to critical corporate information, such as finances and intellectual property (IP). In order to appear legitimate, he may make references to specific upcoming work events, a recent meeting, or a similar event that the target attended, which the identity thief gleaned from social media.
Once an employee is convinced that the criminal is who he is pretending to be, then the requests start. Usually they’re small at first, such as ordering an item for the office. But then they become bigger and more demanding. Eventually the criminal is asking for substantial amounts of money or perhaps that certain IP, such as drawings or specifications, be sent to a third-party address.
CEO Fraud Attempts Are on the Rise
These schemes may sound far-fetched but they’re the basis for “CEO Fraud,” which is happening with depressing regularity. The folks at security training company KnowBe4 relate one such scam in which an employee was sent scurrying around town in search of 20 Apple iTunes gift cards, each worth $100, ostensibly to send to clients.
But the examples get worse, and in some cases, hundreds of thousands of dollars have been wired to off-shore bank accounts after a criminal pretending to be the CEO of a company made such a request to a particularly gullible accounting department. While this process works like any number of confidence scams, there are steps an IT department can take to minimize the chances of it happening to your organization.
7 Steps for Minimizing CEO Fraud
Those steps include telling your staff that these attempts are possible, describing the forms they’ll take, and letting them know that the company security staff is ready to help. It’s also a good idea to then create a set of rules employees should follow regarding both response and reporting. Here are some suggestions for CEOs and other senior management:
Send out an email to all employees to let them know that employees are being targeted by bad guys who want to work their way into an organization. Tell them that they should be aware of attempts at identity theft, including imposters showing up as them on social networks.
Request that employees inform the security staff when they suspect they’re being approached by identity thieves; this includes attempts to steal credit card numbers. Even if the attempt is just a random skimmer, your staff will appreciate knowing that you’re willing to help.
Watch for patterns. If you start seeing an increase in identity theft attempts against your employees, then it’s a sign that you may be the real target. Warn your employees.
Set up some specific things that you will never ask your employees to do. This may include buying gift cards, asking them to take any sort of official action on the basis of an email sent through a personal account, or asking them to email funds or IP to third parties on the basis of an emailed request sent through personal email.
Protect the personal contact information, including the physical address, personal email address and personal phone numbers, of your employees to make it harder for thieves to target them.
Periodically scan your employees’ social media accounts for signs that someone is impersonating them. This would appear as a second account with their name and usually their photo. While the employee may have two accounts for a reason, such as one for personal use and one for business use, you should ask them.
Once you’ve made the rules, stick to them yourself. If you really need 100 iTunes cards, then order them from Apple using the appropriate rules supplied by your organization’s purchasing department.
Whether it’s identity theft or simply identity spoofing, these activities are often the first stages of a phishing attack because the attackers need enough information to make their messages appear credible. Phishing attacks are the single most successful method behind data breaches because they overlap with simple user negligence. Stopping attacks before they happen means you can save your organization from the significant costs associated with a data breach.
And don’t think that it won’t happen to your company because it’s too small. Regardless of size, most organizations have the minimal value points these kinds of criminals are seeking: money and access to other companies.