
Here is an Email Thread of an Actual CEO Fraud Attack

For as much as we're drowning in emails - to the point where it has become socially acceptable to ignore them, at least for a little bit - let's admit one thing: We all perk up when a message from the boss (or another company leader) slips into our inbox.

Suddenly all the email noise reduces to a whisper, and all your focus shifts to this single message. Depending on your current level of paranoia, your mood may quickly turn to dread. You breathe a sigh of relief when you realize you've done nothing wrong and aren't being asked to work over the weekend. Instead, your boss just needs a quick favor, a simple funds transfer.

What do you do? The default, of course, is to comply with the boss' wishes. Love them or hate them, satisfying their work demands is generally a safe way to stay on their good side. But what if you weren't so quick to respond - or didn't at all?

The chances that such an email has been completely fabricated by an external adversary fixed on stealing from your company are rapidly growing. Business email compromise scams, which typically combine spear phishing, email spoofing, social engineering (and occasionally malware), have steadily grown into a prolific problem for businesses of all sizes, resulting in massive losses to the tune of several billion dollars.

These messages typically avoid the spam filter because they are not part of a mass-mailing campaign and are instead more targeted in nature, usually devoid of the typical junk mail traits. A recent survey by the Association of Financial Professionals, which polled treasury and finance professionals, found that 77 percent of organizations experienced attempted or actual BEC scams - commonly called CEO fraud - in 2017.

The recently released 2018 Trustwave Global Security Report published an email thread that our incident investigators received showing a real CEO fraud operation in action. As you can see, the attackers smartly make their ruse sound convincing, without delving into any conversation that would out them as an impostor.

One other caveat worth noting about these machinations: You may be used to spam messages containing easy-to-identify grammatical and spelling errors. Not so much for CEO fraud, which is a targeted, one-on-one operation conducted individually by con artists targeting specific companies (and specific individuals at those companies) and all but requires the perpetrator to be fluent in the victim's language.

The conversation reproduced here actually happened in November 2017 between a CEO scammer and the victim he successfully ripped off, although the names and other identifying details have been changed.

From: John Smith
Sent: Monday, 13 November 2017 11:27 AM
To: Susan Brown
Subject: Urgent Attention

Are you available to handle an international payment this morning?
Have one pending, let me know when to send bank details.

John Smith
Sent from my iPhone

On Mon, Nov 13, 2017 at 1:33 AM,
Susan Brown wrote:

Hi John,
Sorry was caught up with a project - I'm here now - can I still help?

 Susan Brown

On Mon, Nov 13, 2017 at 4:29 PM,
 John Smith wrote:

Can you still handle this right now? was very busy earlier.

John Smith
Sent from my iPhone

On Mon, Nov 13, 2017 at 6:01 AM,
 Susan Brown wrote:

Hi John,
Just back - can do it for you now if that will help.

Susan Brown

On Mon, Nov 13, 2017 at 5:48 PM,
John Smith wrote:

Yes it seem to be a very busy day. The amount is for $30,120 i am guessing it is very late already for the transfer or can you still get it done today?

John Smith
Sent from my iPhone

On Mon, Nov 13, 2017 at 6:50 AM,
Susan Brown wrote:

Hi John,
Is it set up ready to go in PC banking? I can't see it there to authorize under international?

Susan Brown

On Mon, Nov 13, 2017 at 5:56 PM,
 John Smith wrote:

Oh ok, please find a way around it, my day is really tied. Can i send you the bank details today still? Can the payment still go out?

John Smith

On Mon, Nov 13, 2017 at 6:58 AM,
 Susan Brown wrote:

Hi John,
I can do my best but will do it from home tonight as have to leave the office now. Think they still go to 8 pm or so.
Send me all the details and I'll try but usually Mary sets them up and we just authorize them. Will see what I can do - it's no trouble as I know I can ask Mary from her home if necessary.
Leave it with us.

Susan Brown

On Mon, Nov 13, 2017 at 7:02 AM,
 John Smith wrote:

Ok then. Thanks
NAME: Acme
SORT CODE: 12341234
ACCOUNT: 123412341234
IBAN: ABCD123412341234123412341234
ADDRESS: 3 Somewhere Place
Send me payment slip once it is completed.

John Smith
Sent from my iPhone

On Mon, Nov 13, 2017 at 7:14 AM,
 John Smith wrote:

Please use this IBAN number for the account.
IBAN: ABCD12341234123412341234123412341
Ensure to send me the slip once its done. Thanks
N.B: confirm receipt of the new IBAN number.

John Smith




What you don't see is what happened next: Susan sent the funds. What could she have done to avoid that result?

The most practical way to keep your company off the CEO fraud victim list is to educate individuals like Susan (who are usually, but not always, on the finance team) to be on the lookout for these scams, and to teach them how to identify them and what to do if they believe someone is trying to deceive them.

Companies can implement additional verification requirements for things like wire transfers. You can also consider adopting an additional step of authentication for access to email accounts. Note, however, that this will only help in the cases in which the impersonators compromised an executive's email account, not when they spoofed the sender.
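As an added illustration (not code from the report or from Trustwave), the sketch below shows the kind of mail-gateway heuristic that would have flagged the thread above: an executive's display name on an external sender, payment language, and beneficiary details that change mid-thread. The executive list, company domain, message headers and addresses are all constructed assumptions; only the abridged message bodies come from the thread.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch (not from the article): executive names and own domain.
EXECUTIVES = {"john smith"}
COMPANY_DOMAIN = "example.com"
PAYMENT_RE = re.compile(r"\b(payment|transfer|bank details|wire)\b", re.I)
IBAN_RE = re.compile(r"IBAN:\s*([A-Z0-9]+)", re.I)

def score_message(raw, seen_ibans):
    """Return BEC indicators for one RFC 5322 message; seen_ibans carries thread state."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # Spoofing case: an executive's display name on a sender outside our domain.
    if name.lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append("exec-name-external-sender")
    # Replies silently redirected to a different domain than the visible sender.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-mismatch")
    if PAYMENT_RE.search(text):
        flags.append("payment-request")
    # Beneficiary account swapped mid-thread, as in the last message of the thread.
    for iban in (i.upper() for i in IBAN_RE.findall(text)):
        if seen_ibans and iban not in seen_ibans:
            flags.append("beneficiary-changed")
        seen_ibans.add(iban)
    return flags

def score_thread(raw_messages):
    seen = set()
    return [score_message(m, seen) for m in raw_messages]

# Constructed sample: bodies abridged from the thread above, headers and addresses invented.
HDR = "From: John Smith <j.smith@mail.example.net>\nTo: susan.brown@example.com\n"
THREAD = [
    HDR + "Subject: Urgent Attention\n\nAre you available to handle an international payment this morning?\n",
    HDR + "Subject: Re: Urgent Attention\n\nOk then. Thanks\nIBAN: ABCD123412341234123412341234\nSend me payment slip once it is completed.\n",
    HDR + "Subject: Re: Urgent Attention\n\nPlease use this IBAN number for the account.\nIBAN: ABCD12341234123412341234123412341\n",
]

if __name__ == "__main__":
    for flags in score_thread(THREAD):
        print(flags)
```

When the executive's real mailbox has been compromised, the sender-domain check stays silent and only the content and beneficiary-change flags fire, which is why out-of-band verification of wire requests is still needed.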

For more technical hints and best practices, we urge you to check out these two fantastic resources:

  "Insider Tips to Defend Against CEO Fraud Attacks (Video)"

  "CEO Fraud Scams and How to Deal with Them at the Email Gateway"

Dan Kaplan is manager of online content at Trustwave.
