Over the last few weeks we have seen a significant increase in reports of companies being targeted by a particular type of email scam that has been doing the rounds for a couple of years now.
CEO Fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives to try to fool an employee, in accounting or HR for example, into executing unauthorised wire transfers or sending out confidential tax information.
Meath County Council, the most high-profile victim in Ireland, was targeted in late 2016 when cybercriminals spoofed the identity of chief executive Jackie Maguire and tricked the council into transferring €4.3 million to a bank account in Hong Kong. Luckily the scam was discovered in time and the money was frozen in the Hong Kong account. Meath County Council confirmed in June 2017 that the money has since been returned.
There are Four Attack Methods
1. Phishing
Phishing emails are sent to large numbers of users simultaneously with the intention of “fishing” for sensitive information by posing as known and reputable sources. These emails will likely include legitimate-looking graphics and logos. Banks, credit card providers, An Garda Síochána and Revenue are a few of the common ones. Most recipients don’t use the bank, card provider etc. that the mail purports to be from, but by sheer weight of numbers these emails reach a certain percentage of likely candidates.
2. Spear Phishing
This form of phishing is much more focused and targets an individual or small group, using data gleaned from social media sites to con the recipients. The email will be personalised and will appear to come from a legitimate bank or organisation that you are associated with.
3. Executive Whaling
Executive whaling is similar to spear phishing in that the cybercriminals target individuals; in this case, however, the targets are top executives and administrators. The intention is to siphon money from accounts or steal confidential data. Personalisation and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.
4. Social Engineering
Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. Social engineering will likely include the mining of information from social media sites. LinkedIn, Facebook and other social media platforms provide a wealth of information about you and your organisation. This may include your contact information, connections, friends, ongoing business deals and more. With the average person having a presence on several social media platforms, it is important to be mindful of the information you upload and share.
Warning signs of CEO fraud include:
- Any email payment requests which are outside of normal policy or process.
- Urgent and/or confidential requests that do not respect the standard working procedure or trading patterns.
- Any payment requests from senior management that appear unusual or are for a large amount to an unknown or foreign account where the company has no market presence or relationships.
Most cases of CEO fraud involve a short message, with no links or attachments, suggesting that the CEO is 'busy' and needs some kind of urgent transaction done.
Would you be suspicious of this email from your CEO? If you replied to it and were watchful, you might have noticed that the Reply-To address is different from the original From address, as you can see in the header below; that address, of course, belongs to the attacker. You can also see in the header that some kind of webmail client was used to send the message.
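As an added example (not part of the original advisory), the following Python script checks a message for the red flags described above: a Reply-To domain that differs from the From domain, a sender domain outside the organisation, a webmail X-Mailer header, and a short link-free body pressing for urgency or secrecy. The message, the domains and the X-Mailer value are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture) modelled on the short,
# link-free CEO fraud email described in the advisory.
SAMPLE = """\
From: A. N. Executive <a.n.executive@example.ie>
Reply-To: a.n.executive@example-mail.com
To: accounts@example.ie
Subject: Urgent payment
X-Mailer: ExampleWebmail 1.0

Hi, I'm in a meeting and can't talk. Need an urgent wire transfer processed
today, please keep this confidential. Will send account details shortly.
"""

URGENCY = re.compile(r"\b(urgent|asap|today|confidential|busy|in a meeting)\b", re.I)

def domain_of(addr):
    """Lower-cased domain part of an address such as 'Name <a@b.com>', or '' if none."""
    _, email = parseaddr(addr or "")
    return email.rpartition("@")[2].lower()

def ceo_fraud_indicators(raw, internal_domain):
    """Return the list of red flags found in one RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # 1. Reply-To points somewhere other than the From domain: replies go to the attacker.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} != from domain {from_dom}")
    # 2. Sender domain is not ours (look-alike domains, not fired by SAMPLE above).
    if from_dom != internal_domain:
        flags.append(f"sender domain {from_dom} is not {internal_domain}")
    # 3. Sent from a webmail client rather than the corporate mail system.
    mailer = (msg.get("X-Mailer") or "").lower()
    if "webmail" in mailer:
        flags.append(f"webmail client: {msg['X-Mailer']}")
    # 4. Urgency/secrecy wording with no links or attachments to scan.
    body = msg.get_payload()
    words = sorted({w.lower() for w in URGENCY.findall(body)})
    if words and "http" not in body.lower():
        flags.append("urgency/secrecy wording with no links: " + ", ".join(words))
    return flags

if __name__ == "__main__":
    print(ceo_fraud_indicators(SAMPLE, "example.ie"))
```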
You don't need expensive software to prevent CEO fraud. As with any form of cybercrime, communication is key. Circulating advisories such as this one is an important step in preventing your company from falling victim. Staff members must be encouraged to question emails that seem suspicious, no matter who they purport to be from, without fear of reprisals from senior management. One very good suggestion put forward by a client of ours was to include a keyword or safe-word in all payment requests to add a level of authentication to emails. In particular, the following departments should be extra vigilant:
- Finance Dept
- HR Dept
- IT Dept
- Executive Team