Executive impersonation: A growing threat

Explore the growing threat of executive impersonation and how these schemes, which prey on human fallibility, can be mitigated.

The American Institute of CPAs (AICPA) issued a report on the growing threat of executive impersonation, in which criminals claiming to be corporate executives convince employees to send them sensitive documents and company information. Sophisticated hackers usually research their target and the company as a whole in order to craft highly convincing emails. Because the details are gleaned from corporate websites and social networks, the impersonations in these emails can be accurate as well as convincing.

Key characteristics of the scheme:

  • Email requests appear to come from a senior (C-suite) executive or a key vendor or supplier.
  • The email address is substantially similar to the purported sender’s address, with very minor, subtle differences.
  • Requests occur when the executive is travelling and cannot be contacted.
  • There is an element of urgency or secrecy regarding the disbursement.
  • The amount is within the normal range of transactions so as not to arouse suspicion.
  • Other employees are referred to or copied in the email; however, their email addresses are slightly modified.
  • Requested payments are payable to a foreign bank.

More robust controls, including two-step authentication of transactions, enhanced employee awareness training, informed verification of transfer requests, and evolving IT controls, can detect these attempts before they result in losses.
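One IT control that targets the "substantially similar address" and "slightly modified copied addresses" characteristics listed above is a lookalike check on the sender and CC lines. The following is an added example, not taken from the AICPA report; the directory, the sample addresses, the character map and the distance threshold are all constructed assumptions.

```python
# Constructed directory of legitimate addresses (assumption, not from the report).
KNOWN = {"jane.doe@example.com", "raj.patel@example.com", "billing@supplier.example"}

# Digits commonly substituted for letters; a constructed, non-exhaustive map.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "5": "s"})

def skeleton(addr):
    """Fold an address so that common visual substitutions collapse together."""
    s = addr.strip().lower().translate(CONFUSABLE)
    return s.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("exmaple" for "example") counts as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(addr, known=KNOWN, max_dist=2):
    """Return (verdict, matched_known_address); verdict is known/lookalike/unknown."""
    a = addr.strip().lower()
    if a in known:
        return ("known", a)
    for k in sorted(known):
        # Near-miss of a real address: same skeleton or only a couple of edits away.
        if skeleton(a) == skeleton(k) or edit_distance(a, k) <= max_dist:
            return ("lookalike", k)
    return ("unknown", None)

def review_message(sender, cc):
    """Classify the sender and every copied address; return only the non-known ones."""
    verdicts = {addr: classify(addr) for addr in [sender, *cc]}
    return {addr: v for addr, v in verdicts.items() if v[0] != "known"}

if __name__ == "__main__":
    # Constructed message headers.
    flagged = review_message("jane.doe@examp1e.com",
                             ["raj.patel@example.com", "raj.pate1@example.com"])
    for addr, (verdict, match) in flagged.items():
        print(f"{addr}: {verdict} of {match}")
```

A "lookalike" verdict is a reason to hold the request for out-of-band verification, not proof of fraud; "unknown" addresses still need the normal checks.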