CEO Fraud is a scam where cybercriminals spoof company email accounts and impersonate executives to try to get an employee in accounting or finance to authorize wire transfers, or send out confidential tax information. These are termed 'Executive Whaling' attacks: sophisticated and hyper-targeted phishing attacks aimed at top executives. Personalization and in-depth knowledge of the executive are the hallmarks of this type of fraud. According to the FBI, these business email compromise scams have accounted for more than $5 billion in losses between October 2013 and December 2016, with more than 24,000 victims reporting incidents worldwide. Would you take the risk of paying an invoice without checking its validity?
Here are some examples of phishing emails that threaten your business:
Hold on, should I be suspicious of that email from my boss? Yes, always think twice before you pay that invoice or transfer funds!
Just last year such a scam was attempted at a medium-sized French company called Etna Industrie. The firm, which employs 50 people, was the victim of a specialised email phishing attack dubbed CEO fraud.
According to an interview CEO Carole Gratzmuller gave to the BBC: "My accountant was called on Friday morning. Someone said: 'You're going to get an email from the president, and she's going to give you instructions to conduct a very confidential transaction and you're going to have to respond to whatever instructions she gives you'."
The accountant was then emailed from an address with Ms Gratzmuller's name in it, saying Etna Industrie was buying a company in Cyprus. The email said the accountant was going to get a phone call from a consultant working with a lawyer, who would then give her instructions as to where to transfer the money. "Everything happened between 9 and 10 o'clock," says Ms Gratzmuller. "The accountant probably got about 10 emails in that time and three or four different phone calls."
The fraudsters pressured her into acting quickly, without thinking - a standard feature of this type of phishing fraud. "They didn't give her a moment to sit back and think that this was unusual," she says.
Before noon the accountant had authorised wire transfers totalling €500,000 (£372,000; $542,000) to foreign bank accounts. Luckily for Etna Industrie, three of the wire transfers were held up by the banks, but one for €100,000 went through.
In a post earlier this year we highlighted the Scoular case as an example of how highly targeted phishing emails can be. The Scoular Co. lost $17.2 million in June 2014 as a result of phishing. Details of the case illuminate some of the warning signs of a phishing attack. Scoular has international business interests, and wire transfers are frequently used. So it did not raise a red flag when Scoular's controller received an email to wire $780,000 to a Chinese bank. The email purportedly was sent by the CEO (it wasn't). The money was to be wired to a real bank, Shanghai Pudong Development Bank. The controller transferred the money.
The next day he received a second email to wire $7 million and to contact his auditing firm for details on sending the money. He then received those details (unsolicited) in an email fashioned to look like it came from the auditors.
One of the emails read, “I need you to take care of this. For the last months we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company. ... This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”
The third and final email received three days later requested an additional $9.4 million. During the investigation of the affair, the controller told the FBI that he “’was not suspicious of the three wire transfer requests’ because there was an element of truth to all of it”. Needless to say, the controller was fired from Scoular.
Phishers are preying on human nature. They collect information about your business from many sources:
In the case of Scoular, the phisher knew the name of their auditors and was aware that the company was pursuing interests in China. Phishers tend to start small and then escalate their requests with each success. Their first request in the Scoular case was for $780,000; their last was for $9.7 million.
As reported by Krebs Security, an employee at another company requesting anonymity received an email requesting a wire transfer of $315,000. She thought the amount was higher than normal, and the email sounded more formal than she would expect from her CFO boss. She did a little checking and found that “the message had been sent from a domain name that was one look-alike letter different from her employer’s true domain name”. The account used to send the email was also not the CFO’s. She did not wire the money. This employee still has her job.
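The two warning signs in the Krebs case above (a sender domain one look-alike letter away from the real one, and an executive's name on an account that is not the executive's) can be checked mechanically at the mail gateway or in a mailbox rule. The following Python is an added illustration, not code from the original post; ORG_DOMAIN, EXECUTIVES and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed assumptions (not from the article): the employer's real domain
# and the real mailbox of each executive whose name is likely to be spoofed.
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # hypothetical CFO


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_warning_signs(from_header: str) -> list:
    """Return the warning signs found in a From: header (empty list = none)."""
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    signs = []
    # Sign 1: a look-alike domain, one or two characters away from the real
    # domain (swapped, dropped or doubled letter) but not the real domain itself.
    if domain and domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        signs.append(f"look-alike domain {domain!r} (real domain is {ORG_DOMAIN!r})")
    # Sign 2: the display name is an executive's, but the address is not that
    # executive's real mailbox (the "account used was not the CFO's" case).
    real = EXECUTIVES.get(display_name.strip().lower())
    if real and addr != real:
        signs.append(f"display name {display_name!r} but address {addr!r} is not {real!r}")
    return signs


if __name__ == "__main__":
    # Constructed sample headers: one genuine, two impersonation attempts.
    for header in ("Jane Doe <jane.doe@example-corp.com>",
                   "Jane Doe <jane.doe@exampel-corp.com>",
                   "Jane Doe <jane.doe@gmail.com>"):
        print(header, "->", bec_warning_signs(header) or "no warning signs")
```

A hit on either sign should route the message to the out-of-band verification step the post describes, not to automatic rejection, since legitimate mail from a personal account with an executive's name does occur.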
Trust your first impressions of the email and consider the following:
If the message is suspicious, there are some steps you can take:
What is the easiest way to check if an email represents phishing? Use another communication method such as the telephone or snail mail. But do not use the address or telephone numbers in the email. Google the real company website or obtain the real phone number from online white pages or yellow pages. Otherwise, you could be contacting the phishers!
Phishing attacks aren't just increasing, they're also evolving. Email is the #1 delivery vehicle for most malware (not just ransomware). Use advanced spam and malware protection that provides phishing protection. A solution like SpamTitan will block phishing emails before they reach your network.
In addition, the FBI recommends the following:
Training employees to recognize phishing attempts is vitally important, but thanks to the increasing sophistication of targeted phishing attacks, raising awareness alone isn't enough. Companies need to invest in strong anti-spam and anti-phishing security technology that protects their employees.
Try SpamTitan to block these spam and phishing emails from ever reaching your users' inboxes. Sign up for a FREE SpamTitan trial today.