A German court has ruled that an employee can be held liable for damages caused by instances of CEO fraud that affect their employer.
In October 2017, the Regional Labor Court of Saxony ruled that a financial director can be partially liable for the damage caused by a case of CEO fraud. Their accountability was ultimately limited however, the court found, because the liability privilege developed by German labor courts applies to CEO fraud. Under that common law, employees are responsible for damages only if they demonstrate gross negligence. While the employee did violate their employer's internal safeguards, the court ruled she acted in the commercial interest of the company.
CEO fraud is a type of scam where attackers use social engineering techniques to impersonate the CEO or another company executive. To achieve this disguise, bad actors might create an email with a domain that looks similar to that of a target company. Alternatively, they might conduct a business email compromise (BEC) attack and hack the executive's email directly. In either case, the scammers leverage that mask to fraudulently authorize a wire transfer from the financial department to an account under their control.
The FBI has received reports of BEC attacks from all 50 states and 131 countries. In total, these scams have claimed over 40,000 organizations as victims and caused more than $5.3 billion in damages worldwide since October 2013. Between January 2015 and December 2016 alone, the losses exposed by BEC attacks increased by 2,370 percent.
Corey Williams, senior director of products and marketing at Centrify, feels the court's ruling makes sense given the FBI's statistics:
"It's not surprising that an employee could be held liable if they act with gross negligence. It was a German court that passed down the ruling, so the laws here could be different. On general principle, it's reasonable. Basically, it comes down to intent. If you know you're not supposed to be doing something but you do it anyway, you could be held liable. But not if the employer hasn't followed its own procedures and clearly communicated internal safeguards to its employees."
Towards that end, Williams feels that defending against CEO fraud should take on a multi-layered approach. Organizations should start, he explains, with ordinary business controls. These measures should include proper documentation, such as matching a wire transfer request with a purchase order, and appropriate layers of approval, such as receiving confirmation from the CFO. Companies can then move up to security controls like multi-factor authentication (MFA), risk-based access, and privileged access security. Finally, companies can top off all their business and security controls with adequate security training of their entire workforce.
Williams has some additional advice for companies particularly concerned about CEO fraud:
"Many attack emails originate from lookalike domains that attackers have registered in an attempt to impersonate a target company. That’s what happened when malicious actors targeted Centrify's CEO a few years back. Organizations could just defend against these messages using email-filtering solutions. But I'd recommend companies with means proactively buy up some of those domains to prevent them from being misused."
For more information on CEO fraud and how to defend against it, download this threat briefing.