It’s an old, but still effective, scam. Your Chief Financial Officer or Accountant receives an email from the Chief Executive Officer with an urgent request to wire money. Only the email is not really from the CEO; it’s from a hacker spoofing the CEO! Surprisingly, this tactic actually does work! The CFO or Accountant, who may frequently receive this type of request, wires the money as instructed, and the real CEO finds out about it only after the fact. This type of scam is called both Business Email Compromise (BEC) and CEO Fraud. The scam is so effective that the FBI reports that the total dollar loss to BEC scams worldwide from October 2013 to May 2016 was over 3 billion dollars!
BEC or CEO Fraud targets companies of all sizes and is preceded by a phishing campaign or malware to gather information that will camouflage the scam. The hackers use social engineering techniques to research the company: sending phishing emails, calling to request information, and researching the company online and on social networking websites. Malware, such as keylogging malware, might be installed through email attachments. Then the email requesting the wire transfer is sent from a name and domain similar to the executive’s real email address, thus spoofing the executive’s email. BEC emails use language that is specific to the business, dollar amounts that are common for the industry, and email formats used by the company. They are always marked urgent and are frequently sent when the spoofed executive is out of the office (which the hackers often know from social media posts).
Two individuals at one of our clients recently forwarded emails that they had received. We’ve removed the identifying information so we can show them to you. Though most BEC scams these days are difficult to detect, these were not sophisticated emails and were very easy to identify as a scam. The request appeared to come from the CEO, but the domain of the email was not the name of the company. One of them was from “mail.com” – a free webmail service (#1 in image) and the other misspelled the domain name (#5 in image). In the first email, the URL of the company in the email signature did not end in “.com” as it should have, but rather in “.coma” – a top-level domain that does not exist (#4). To top it off, the first email had two grammatical/spelling errors: the first word of a sentence was not capitalized (#2), and the word “advise” was incorrectly spelled “advice” (#3). What’s missing from both emails is the dollar amount of the wire transfer and instructions for where to send it, though this is frequently provided in a follow-up email (after the CFO responds to the spoofed CEO).
The person who sent the first email considered it “spam” and asked if we could prevent such emails from being sent to their company. The second person said that the CEO’s email had been hacked again. Actually, the CEO’s email was not hacked at all; it was spoofed by a hacker. While we could block these hackers’ email addresses, it would not prevent their company from receiving additional scam emails of this kind in the future, as hackers can easily set up another email address that appears to be from the CEO. In fact, the hacker sending the second phishing email had registered the misspelled domain earlier that day. Since this email domain was set up legitimately, spam filters wouldn’t stop it. The spam filter catches a lot of spam, but this type of email gets through because there are no “phishy” links in it and it is not sent as mass email. These are targeted attacks, not bulk emails.
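As an added illustration (not code from the original post), the red flags described above run as simple checks over constructed sample messages: a free webmail sender domain (#1), a misspelled lookalike domain (#5), a signature URL on a bogus top-level domain (#4), an executive’s display name on a non-company domain, and urgency wording. The company domain, the executive name and the 0.85 similarity threshold are assumptions chosen for the example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example (not a real company): the firm's own domain and
# the executive display names a BEC message would borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane ceo"}
FREE_WEBMAIL = {"mail.com", "gmail.com", "yahoo.com", "outlook.com"}

def looks_like(domain):
    """True for near-miss spellings of the company domain (e.g. examp1e.com)."""
    return domain != COMPANY_DOMAIN and \
        SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.85

def bec_indicators(raw):
    """Return the red flags found in one raw RFC 5322 message (empty = none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if name.lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append("executive name on a non-company sender domain")
    if domain in FREE_WEBMAIL:                                  # #1 in the post
        flags.append(f"free webmail domain {domain}")
    elif looks_like(domain):                                    # #5 in the post
        flags.append(f"lookalike domain {domain}")
    body = msg.get_payload()
    for host in re.findall(r"https?://([\w.-]+)", body):       # signature URLs
        host = host.lower()
        if host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN) \
                and COMPANY_DOMAIN.split(".")[0] in host:
            flags.append(f"company-lookalike URL host {host}") # #4, e.g. .coma
    if "urgent" in (msg.get("Subject", "") + body).lower():
        flags.append("urgency pressure")
    return flags

# Constructed sample messages modelled on the first email described above.
SAMPLE_WEBMAIL = """From: Jane Ceo <jane.ceo@mail.com>
Subject: Urgent wire transfer

please advice when you can process a wire today.
Jane Ceo, CEO - http://www.example.coma
"""
SAMPLE_LEGIT = """From: Jane Ceo <jane.ceo@example.com>
Subject: Board meeting notes

Notes are posted at http://www.example.com/board/notes
"""
```

A hit on any flag is a prompt for the out-of-band confirmation call, not a verdict; a legitimately registered lookalike domain passes SPF and spam scoring just as the post says.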
The best way to handle a BEC email scam is to both train staff to recognize it and to put into place company procedures to minimize the risks. These might include:
- calling the CEO to confirm before placing the wire transfer, and
- responding to the CEO by forwarding the email – instead of replying to it – to ensure that the email is sent to the correct email address.
Big Idea Technology provides information to inform our clients about these types of scams and partners with KnowBe4 to train our clients’ staff to recognize phishing emails. Make sure your staff recognizes phishing scams and doesn’t wire money to hackers! Train your staff so they don’t fall for CEO Fraud and BEC scams!