Did You Get an Urgent Email From Your CEO?

illustration of a laptop with an email with an alert on its screen
Laura Lynch Photo
Products & Services Manager

1 minute

Before you respond, consider whether it’s a fraud. And take these steps to combat future business email compromise.

You’re at your desk. You’re opening and responding to emails on a busy day. You have just a few minutes before heading into a meeting. Then you see it: an urgent email from your CEO who’s away from the office and needs a confidential document sent right away. 

Do you hit reply to respond quickly before your meeting begins? It’s always looks good to help your top exec expediently. Or, do you pause and take a closer look at the email and its request? To do this might mean not responding until after your meeting.

After learning about business email compromise, I know I’ll stop and take a closer look.

In a recent 16-minute CUES webinar, Ray Murphy, cybersecurity strategist at CUES strategic provider LEO Cyber Security, Dallas, Texas, and former CISO at $103 billion Navy Federal Credit Union, Vienna, Virginia, explains how BEC works and provides several examples.

“BEC is a scheme in which an attacker impersonates an executive and tries to trick an employee into transferring money or providing sensitive data,” Murphy says. A form of phishing, there is an urgency about BEC emails that helps move people to fall for the scam. A variety of social engineering techniques may be employed to try to get the recipient to perform the requested transaction.

Murphy cited the 2018 FBI crime report, which identifies BEC as a high priority for all businesses. There were more than 21,000 BEC complaints to the FBI in 2018, and the actual losses from these complaints exceeded $1.2 billion.

In the webinar recording, he also provides details about these simple steps to combat it, including:

  • Keep employees educated about BEC through a comprehensive information security education and awareness program
  • Assess your employees’ phishing awareness by sending out a fake phishing email and providing training for any who fall victim to your simulated attack
  • If you personally get such an email, pick up the phone and call the person who “sent” the email to confirm details
  • Add the word “external” to any emails originating outside of your organization

Laura Lynch is CUES’ products and services coordinator.

Learn more about the cybersecurity risks facing your CU and the ways you can prevent them with CUES’ partner LEO Cyber Security. The company offers a complimentary security posture interview based on the National Institute of Standards and Technology Cybersecurity Framework Cybersecurity Framework. The interview takes 90 minutes to complete and give your credit union a cybersecurity profile to help executives make risk tolerance decisions.

CUES Learning Portal