An Email Thread From Actual CEO Fraud Attack

Author: Dan Kaplan, online content manager, Trustwave

For as much as we're drowning in emails -- to the point where it has become socially acceptable to ignore them, at least for a little bit -- let's admit one thing: We all perk up when a message from the boss (or another company leader) slips into our inbox.

Suddenly all the email noise reduces to a whisper, and all your focus shifts to this single message. Depending on your current level of paranoia, your mood may quickly turn to dread. You breathe a sigh of relief when you realize you've done nothing wrong and aren't being asked to work over the weekend. Instead, your boss just needs a quick favor: a simple funds transfer.

What do you do? The default, of course, is to comply with the boss' wishes. Love them or hate them, satisfying their work demands is generally a safe way to stay on their good side. But what if you weren't so quick to respond - or didn't at all?

The chances that such an email has been completely fabricated by an external adversary fixed on stealing from your company are rapidly growing. Business email compromise (BEC) scams, which typically combine spear phishing, email spoofing and social engineering (and occasionally malware), have steadily grown into a prolific problem for businesses of all sizes, resulting in massive losses to the tune of several billion dollars.

These messages typically avoid the spam filter because they are not part of a mass-mailing campaign and are instead more targeted in nature, usually devoid of the typical junk mail traits. A recent survey by the Association of Financial Professionals, which polled treasury and finance professionals, found that 77 percent of organizations experienced attempted or actual BEC scams - commonly called CEO fraud - in 2017.

The recently released 2018 Trustwave Global Security Report published an email thread that our incident investigators received showing a real CEO fraud operation in action. As you can see, the attackers smartly make their ruse sound convincing, without delving into any conversation that would out them as an impostor.

One other caveat worth noting about these machinations: You may be used to spam messages containing easy-to-identify grammatical and spelling errors. Not so much for CEO fraud, which is a targeted, one-on-one operation conducted by con artists going after specific companies (and specific individuals at those companies), and which all but requires the perpetrator to be fluent in the victim's language.

The conversation reproduced here actually happened in November 2017 between a CEO scammer and the victim he successfully ripped off, although the names and other identifying details have been changed.

The Email Conversation

From: John Smith
Sent: Monday, 13 November 2017 11:27 AM
To: Susan Brown
Subject: Urgent Attention

Are you available to handle an international payment this morning?
Have one pending, let me know when to send bank details.

Regards
John Smith
Sent from my iPhone


On Mon, Nov 13, 2017 at 1:33 AM,
Susan Brown wrote:

Hi John,
Sorry was caught up with a project - I'm here now - can I still help?

Susan Brown
Director


On Mon, Nov 13, 2017 at 4:29 PM,
John Smith wrote:

Can you still handle this right now? was very busy earlier.

Regards
John Smith
Sent from my iPhone


On Mon, Nov 13, 2017 at 6:01 AM,
Susan Brown wrote:

Hi John,
Just back - can do it for you now if that will help.

Susan Brown
Director


On Mon, Nov 13, 2017 at 5:48 PM,
John Smith wrote:

Yes it seem to be a very busy day. The amount is for $30,120 i am guessing it is very late already for the transfer or can you still get it done today?

Regards
John Smith
Sent from my iPhone


On Mon, Nov 13, 2017 at 6:50 AM,
Susan Brown wrote:

Hi John,
Is it set up ready to go in PC banking? I can't see it there to authorise under international?
Cheers,

Susan Brown


On Mon, Nov 13, 2017 at 5:56 PM,
John Smith wrote:

Oh ok, please find a way around it, my day is really tied. Can i send you the bank details today still? Can the payment still go out?

Regards
John Smith


On Mon, Nov 13, 2017 at 6:58 AM,
Susan Brown wrote:

Hi John,
I can do my best but will do it from home tonight as have to leave the office now. Think they still go to 8 pm or so.
Send me all the details and I'll try but usually Mary sets them up and we just authorise them. Will see what I can do - it's no trouble as I know I can ask Mary from her home if necessary.
Leave it with us.

Regards
Susan Brown
Director


On Mon, Nov 13, 2017 at 7:02 AM,
John Smith wrote:

Ok then. Thanks
NAME: Acme
SORT CODE: 12341234
ACCOUNT: 123412341234
IBAN: ABCD123412341234123412341234
SWIFT ABC: ABCD1234
BANK: SOME BANK
ADDRESS: 3 Somewhere Place
Send me payment slip once it is completed.

Regards
John Smith
Sent from my iPhone


On Mon, Nov 13, 2017 at 7:14 AM,
John Smith wrote:

Please use this IBAN number for the account.
IBAN: ABCD12341234123412341234123412341
Ensure to send me the slip once its done. Thanks
N.B: confirm receipt of the new IBAN number.

Regards
John Smith

The Bad News

What you don't see is what happened next: Susan sent the funds. What could she have done to avoid that result?

The most practical way to keep your company off the CEO fraud victim list is to educate individuals like Susan (who are usually, but not always, on the finance team) to be on the lookout for these scams: how to identify them and what to do if they believe someone is trying to deceive them.

Companies can implement additional verification requirements for things like wire transfers. You can also consider adopting an additional step of authentication for access to email accounts. Note, however, that this will only help in the cases in which the impersonators compromised an executive's email account, not when they spoofed the sender.
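The caveat above is worth making concrete: header checks at the mail gateway can catch a sender who merely spoofs or imitates the executive, but they say nothing about a genuinely compromised account. The script below is an added example written for this post, not Trustwave's code; the company domain, the executive directory and the three sample messages are all constructed for illustration.

```python
# Added example: flag executive display-name impersonation and Reply-To swaps,
# two ways a sender is "spoofed" in CEO fraud. Everything here is constructed
# for illustration; it is not code from the Trustwave post.
from email import message_from_string
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example.com"                          # assumed victim domain
EXECUTIVES = {"john smith": "john.smith@example.com"}   # constructed directory


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> List[str]:
    """Return reasons the message looks like sender impersonation (empty = none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    key = from_name.strip().lower()
    # Display name matches an executive but the mailbox is not that executive's.
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        reasons.append(f"display name '{from_name}' used by {from_addr}")
    # Replies would leave the company even though From looks internal.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from {_domain(from_addr)}")
    # Note: a message sent from a compromised real mailbox produces no reasons,
    # which is why out-of-band verification of payment details is still needed.
    return reasons


# Constructed samples modelled on the thread in the post.
SPOOFED_NAME = """From: John Smith <ceo.johnsmith@freemail-example.net>
To: Susan Brown <susan.brown@example.com>
Subject: Urgent Attention

Are you available to handle an international payment this morning?
"""
REPLY_TO_SWAP = """From: John Smith <john.smith@example.com>
Reply-To: John Smith <john.smith@mail-example.org>
Subject: Urgent Attention

Can you still handle this right now?
"""
LEGITIMATE = """From: John Smith <john.smith@example.com>
Subject: Board pack

Attached as discussed.
"""
```

Run against real traffic, the check only tells you where sender verification should be tightened; it does not replace a call-back to the executive before changing beneficiary details.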

For more technical hints and best practices, we urge you to check out these two fantastic resources:


Dan Kaplan is manager of online content at Trustwave. Read more Trustwave blogs here.