CEO Fraud: When an email looks like it's from the boss, but isn't


According to security researcher Brian Krebs, businesses worldwide have lost over $1.2 billion to a scam known as CEO Mail Fraud.  In its most direct form, the CEO's email account is compromised by a cybercriminal, who sends a wire transfer request to a controller or bookkeeper using authentic-sounding wording.  Criminals have also pulled off this scam without compromising the CEO's account at all, by registering a fake domain name one letter different from the real company domain.  This was the case with Ubiquiti Networks, which lost a total of $46 million to fraudulent wire transfers sent from a fake email account to the special assistant to the corporate controller, reports Krebs:

http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/

The worst case is when the CEO's real email account is compromised, but cybercriminals don't even need to do that.  All they need to do is some research.  If they can find the CEO's email address and that of the controller or bookkeeper, they can set up a fake domain.  Consider a company called Solid XYZ with an Internet domain name registered as solidxyz.com.

How the bad guys set up the scam

The bad guys do some company research and find the email addresses of the big boss and the company controller, both at solidxyz.com.  Next, the scammer goes to the website of a hosting provider which offers free website registration for 30 days (no out-of-pocket expense for the hard-working criminal!).  There they register a site under the domain name so1idxyz.com, only one character different from the real domain name, solidxyz.com.  After a few minutes of configuration they set up an email account in the CEO's name at the look-alike domain and send the following email to the controller:

-------------------------------------------------------------------------------------------------------------------------------------------

from: (the CEO's name, sent from the look-alike domain)

to: me

Diane:

I've just made a commitment to order supplies from a new vendor, and need to deposit an advance to cover their set up costs for the production run.  Kindly make a wire transfer to the account in the attached PDF in the amount of $18,450.  You can code this to the account for Administrative Expenses.  Please let me know as soon as the transfer is complete. 

Thanks

-------------------------------------------------------------------------------------------------------------------------------------------

Depending on how busy Diane is, she might not catch that the email is from the wrong domain.  If her email client uses Times New Roman, she won't even see the difference, as the characters for "l" and "1" in that typeface are identical.  The bigger the company is and the busier the controller is, the more likely this scam is to succeed.  It may seem too obvious, but read the story linked above.  Ubiquiti Networks lost a total of $46 million to this exact method.

http://fortune.com/2015/08/10/ubiquiti-networks-email-scam-40-million/

Cybercriminals can also use domain spoofing, sending a fake email from the boss's real email address, to pull the same scam.  Proper systems administration can put email authentication methods (called SPF, DKIM, and DMARC) in place to prevent domain spoofing, but there is no defense against the fake domain gambit except training your employees how to recognize fake emails.  The best training programs will follow up by sending test emails at random to employees who have completed training.  Anyone who falls for the scam will get a phone call instead of finding out they actually sent a wire transfer.
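To illustrate the gap described above, here is an added example (not code from the original post or from P3iSys) of the kind of check a mail gateway or add-in can run on the From: header: it flags a sender domain that is one edit away from the company's own domain, or that matches it once look-alike characters such as "1" for "l" are folded, using the solidxyz.com scenario. The confusable map and the classification labels are my own assumptions.

```python
# Characters attackers swap for look-alikes in domain names (constructed list
# for this example; extend it for the typefaces your staff actually use).
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o"}


def normalize(domain: str) -> str:
    """Fold look-alike characters so that so1idxyz.com and solidxyz.com compare equal."""
    domain = domain.lower()
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the real address. The last <...> wins, so a deceptive display
    name such as 'boss@solidxyz.com <boss@example.net>' cannot hide it."""
    addr = from_header.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    _, at, domain = addr.rpartition("@")
    return domain.strip().lower() if at else ""


def classify_sender(from_header: str, own_domain: str, max_distance: int = 1) -> str:
    """Return 'internal', 'lookalike', 'external' or 'no-domain' for a From: header."""
    domain = sender_domain(from_header)
    own = own_domain.lower()
    if not domain:
        return "no-domain"
    if domain == own or domain.endswith("." + own):
        return "internal"  # spoofing of the real domain is what SPF/DKIM/DMARC address
    if (normalize(domain) == normalize(own)
            or edit_distance(domain, own) <= max_distance
            or own in domain):  # e.g. solidxyz.com.example
        return "lookalike"
    return "external"
```

A "lookalike" result is a good trigger for the phone-call verification step rather than an automatic block, since legitimate partners occasionally have genuinely similar domains.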

Does your company have email security measures in place?  Do you know how to check?  Do you need to train your employees?

P3iSys can help!  Want to find out about training opportunities for your office staff to prevent falling for scams?  Fill out the form at right or call our office!