Cyberattacks on companies: CEO fraud and unwanted emails

Fiona Egli
May 30, 2022
Cyber, Digitalisation
Stowaways in the electronic post: over 90 per cent of cyberattacks in companies start with an email. Employees divulging confidential information or clicking on malicious attachments and links can result in significant financial losses and reputational damage for companies. How can companies and their employees ensure that this doesn’t happen with the huge amounts of emails they receive every day?

Emails – a means of communication and the basis for cyberattacks

Emails are the most widely used method of communication within a company. They also happen to be the favoured method of starting a cyberattack. A total of 91 per cent of cyberattacks in companies start with an email. Almost all of these attacks via email require the recipient to actively open an attachment, click a link or transfer money.

These malicious emails can be divided into two categories: those with malware and those without malware.

Emails with malware

Emails without malware

CEO fraud causes unwanted transactions worth millions

One example of an email attack without malware that has caused significant losses in recent years is CEO fraud. According to an FBI report, cybercriminals generated over USD 26 billion (CHF 25 million) through CEO fraud from 2016 to 2019. CEO fraud attacks involve hackers impersonating a company CEO and asking employees to make financial transactions or send confidential documents. The hackers hope that the employees won’t sufficiently verify the authenticity of the request due to stress and pressure from managers. In most cases, the money transferred is permanently lost, as it is immediately siphoned off to a number of different accounts after the initial transfer. This means the money cannot be traced quickly enough, so the transaction cannot be reversed.

Raise awareness to avoid email attacks

How can companies and their employees ensure that this doesn’t happen with the huge volumes of emails they receive every day? New attack methods emerge on a regular basis. IT security departments need time to adapt their company security systems to each new type of attack and to ensure that such emails don’t make their way into employees’ inboxes. This is why employees should check the spelling of the sender’s address and refrain from clicking on any links or attachments in a suspicious email. If the sender of the suspicious email appears to be a line manager or colleague, it is essential to call that person to verify that they did actually send the email. “In these situations, corporate culture makes a huge difference. Employees shouldn’t hesitate to double-check or report suspected cases to the IT helpdesk,” says Marc Etienne Cortesi, Chief Information Security Officer at Baloise. The IT team can only make the necessary changes to the security systems if it is informed about such emails.
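The manual checks recommended above (does the sender’s address match the company domain exactly, is a manager’s name sitting on an outside address) can also be run automatically at the mail gateway. The script below is an added example written for this article; it is not code from Baloise or from the article itself. It assumes a corporate domain of example.com, a small constructed directory of executive display names, and constructed sample headers. It goes slightly beyond the text by also flagging a Reply-To domain that differs from the From domain, a common marker of impersonation mail.

```python
"""Flag inbound mail that shows the CEO-fraud markers discussed above.

Added example, not code from Baloise or the article. Everything below
(domain, executive names, sample headers) is constructed for illustration.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed corporate domain
EXECUTIVES = {"jane doe", "john roe"}    # assumed display names of executives

# Characters an attacker can swap to make a domain look like the real one.
# This table is an illustration, not a complete homoglyph list.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalise_domain(domain: str) -> str:
    """Fold common look-alike characters so 'examp1e.c0m' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def ceo_fraud_indicators(headers: dict) -> list:
    """Return the indicators found in one message's headers.

    `headers` maps header names ("From", "Reply-To") to their raw values.
    An empty list means none of the checks fired; it does not prove the mail is safe.
    """
    indicators = []
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)

    # 1. An executive's display name on a message that did not come from our domain.
    if display.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        indicators.append("executive display name on external address")

    # 2. Sender domain is a look-alike or a misspelling of the corporate domain.
    if from_domain and from_domain != COMPANY_DOMAIN:
        if normalise_domain(from_domain) == normalise_domain(COMPANY_DOMAIN):
            indicators.append("look-alike sender domain")
        elif edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
            indicators.append("misspelled sender domain")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        indicators.append("Reply-To domain differs from From domain")

    return indicators


# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": {"From": "Jane Doe <jane.doe@example.com>"},
    "lookalike": {"From": "Jane Doe <jane.doe@examp1e.com>"},
    "typo": {"From": "John Roe <john.roe@exampel.com>"},
    "reply_to": {"From": "Jane Doe <jane.doe@example.com>",
                 "Reply-To": "ceo-urgent@mail-relay.test"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:10s} -> {ceo_fraud_indicators(hdrs) or ['no indicators']}")
```

A hit from any of these checks is a reason to route the message for the phone call the article recommends, not a verdict on its own: legitimate mail from a personal address or a partner’s similarly named domain will also trip them, and the absence of a hit says nothing about a message sent from a genuinely compromised internal account.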