Got an email from the CEO requesting urgent payment of an invoice (or something similar)? Don’t rush in to get the job done, because you might just be participating in a clever new social engineering hack. In other words, that email might not be from the boss at all. Instead, you might have received an order from a hacker, to pay a hacker.
It’s a con as clever as it is simple: a hacker intercepts company information, some of which is freely available, creates an email address which looks like the one which belongs to the real boss, pops it off to the target in the finance department along with a fake invoice, and hits payday.
It works, too. Anyone can be a target; we’ve recently seen companies falling victim to this scam and in the process, losing thousands of dollars. In one case, the email legitimately came from the CEO’s email address. But the email account had been hacked, so the attached invoice which the unfortunate staff member paid, was anything but legitimate.
Security specialist Trustwave (which produces the industry-recognised Trustwave Report, which tracks information security trends) has a detailed blog on the fake CEO con. It says the ‘CEO Fraud is a type of Business Email Compromise (BEC) scam that has witnessed such explosive growth over the past 18 months, amid billions of dollars of losses, that it prompted an FBI warning.’
It is a major problem and it is costing businesses around the world – and right here in Australia - major money.
Trustwave continues: ‘What makes these hustles so worrying is that the senders go to great lengths to ensure their ruse sounds legitimate and won't raise any suspicion. This includes conducing reconnaissance on the company (via the corporate website, social networking accounts, etc.) in order to tailor a more believable message and impersonate the sender by either spoofing their email address or compromising their email account. As a result, the CEO Fraud is quite distinct from mass spam, which often contains obvious junk mail elements and for which companies tend to have better controls to guard against.’
While keeping these phishing emails out of the corporate network in the first place is the obvious and most optimal solution, it isn’t always possible. Hackers are smart and when there is a lot to gain from minimal effort, they become even more wily. Add to that, the concept of a network perimeter is fast becoming outdated in the highly-integrated, mobile-driven world.
Here are Trustwave’s recommendations to avoid the CEO Fraud:
- Verify, Verify, Verify
You must have policies and procedures in place for handling emails that request wire transfers and other sensitive information. This might be something as simple as requiring that email recipients pick up the phone to verify the request directly with the email sender, double-check with the chief financial officer and/or notify the IT department. If you're unsure about the payment details referenced in the email, contact the vendor to whom you allegedly owe the balance. You also should consider requiring dual-approval for all wire transfers with the idea that if two people are required to initiate and authorize a transaction, it is more likely that someone will catch on to a scam. Finally, it's essential that the CEO and other top executives are on board with this plan (and won't chastise an employee for playing it safe).
- Make Employee Education a Priority
Aside from just generally making employees acquainted with CEO fraud, you should teach workers how to spot offending emails. This blog post offers several examples of what CEO fraud emails tend to look like - notice that even though the messages are well crafted, their language, tone and style will likely appear off from how your CEO normally writes. Follow some of these tips to develop a well-liked security awareness program.
- Beware of Other Tricks
Even if you've caught on to the scam, the miscreants will likely keep the jig going to try to assuage your apprehension. So expect the social engineering to continue even if you claim to have them figured out. Keep in mind, too, that the attackers may shift to the phone to lend more credibility - or skip email entirely. Phone calls may be even more convincing and effective for the criminals because they present an immediate high-stress scenario where the caller puts the target on the spot.
- Consider Two-Factor Authentication
You should consider adopting an additional step of authentication for access to email accounts. Note, however, that this will only help in the cases in which the impersonators compromised an executive's email account, not when they spoofed the sender.
When in doubt, your employees must ask themselves: Is this an email they were expecting? If the answer is "no," they should trust their gut and follow up on their instinct.
Trustwave’s advice on how to avoid falling victim to the CEO Fraud is excellent.
At Techware, we’ll add one other extremely valuable piece of advice: Information security is everyone’s business. That means everyone. From the front desk, to the back office, from the interns to the CEO, information security has to be a part of company culture – or weak points will exist which can be exploited by determined attackers.