Here is an Email Thread of an Actual CEO Fraud Attack

For as much as we're drowning in emails - to the point where it has become socially acceptable to ignore them, at least for a little bit - let's admit one thing: We all perk up when a message from the boss (or another company leader) slips into our inbox.

Suddenly all the email noise reduces to a whisper, and all your focus shifts to this single message. Depending on your current level of paranoia, your mood may quickly turn to dread. You breathe a sigh of relief when you realize you've done nothing wrong and aren't being asked to work over the weekend. Instead, your boss just needs a quick favor, a simple funds transfer.

What do you do? The default, of course, is to comply with the boss' wishes. Love them or hate them, satisfying their work demands is generally a safe way to stay on their good side. But what if you weren't so quick to respond - or didn't at all?

The chances that such an email has been completely fabricated by an external adversary fixed on stealing from your company are rapidly growing. Business email compromise scams, which typically combine spear phishing, email spoofing, social engineering (and occasionally malware), have steadily grown into a prolific problem for businesses of all sizes, resulting in massive losses to the tune of several billion dollars.

These messages typically avoid the spam filter because they are not part of a mass-mailing campaign and are instead more targeted in nature, usually devoid of the typical junk mail traits. A recent survey by the Association of Financial Professionals, which polled treasury and finance professionals, found that 77 percent of organizations experienced attempted or actual BEC scams - commonly called CEO fraud - in 2017.

The recently released 2018 Trustwave Global Security Report published an email thread that our incident investigators received showing a real CEO fraud operation in action. As you can see, the attackers smartly make their ruse sound convincing, without delving into any conversation that would out them as an impostor.

One other caveat worth noting about these machinations: You may be used to spam messages containing easy-to-identify grammatical and spelling errors. Not so much for CEO fraud, which is a targeted, one-on-one operation conducted individually by con artists targeting specific companies (and specific individuals at those companies) and all but requires the perpetrator to be fluent in the victim's language.

The conversation reproduced here actually happened in November 2017 between a CEO scammer and the victim he successfully ripped off, although the names and other identifying details have been changed.

From: John Smith
Sent: Monday, 13 November 2017 11:27 AM
To: Susan Brown
Subject: Urgent Attention

Are you available to handle an international payment this morning?
Have one pending, let me know when to send bank details.

John Smith
Sent from my iPhone

On Mon, Nov 13, 2017 at 1:33 AM,
Susan Brown wrote:

Hi John,
Sorry was caught up with a project - I'm here now - can I still help?

 Susan Brown

On Mon, Nov 13, 2017 at 4:29 PM,
 John Smith wrote:

Can you still handle this right now? was very busy earlier.

John Smith
Sent from my iPhone

On Mon, Nov 13, 2017 at 6:01 AM,
 Susan Brown wrote:

Hi John,
Just back - can do it for you now if that will help.

Susan Brown

On Mon, Nov 13, 2017 at 5:48 PM,
John Smith wrote:

Yes it seem to be a very busy day. The amount is for $30,120 i am guessing it is very late already for the transfer or can you still get it done today?

John Smith
Sent from my iPhone

On Mon, Nov 13, 2017 at 6:50 AM,
Susan Brown wrote:

Hi John,
Is it set up ready to go in PC banking? I can't see it there to authorize under international?

Susan Brown

On Mon, Nov 13, 2017 at 5:56 PM,
 John Smith wrote:

Oh ok, please find a way around it, my day is really tied. Can i send you the bank details today still? Can the payment still go out?

John Smith

On Mon, Nov 13, 2017 at 6:58 AM,
 Susan Brown wrote:

Hi John,
I can do my best but will do it from home tonight as have to leave the office now. Think they still go to 8 pm or so.
Send me all the details and I'll try but usually Mary sets them up and we just authorize them. Will see what I can do - it's no trouble as I know I can ask Mary from her home if necessary.
Leave it with us.

Susan Brown

On Mon, Nov 13, 2017 at 7:02 AM,
 John Smith wrote:

Ok then. Thanks
NAME: Acme
SORT CODE: 12341234
ACCOUNT: 123412341234
IBAN: ABCD123412341234123412341234
ADDRESS: 3 Somewhere Place
Send me payment slip once it is completed.

John Smith
Sent from my iPhone

On Mon, Nov 13, 2017 at 7:14 AM,
 John Smith wrote:

Please use this IBAN number for the account.
IBAN: ABCD12341234123412341234123412341
Ensure to send me the slip once its done. Thanks
N.B: confirm receipt of the new IBAN number.

John Smith




What you don't see is what happened next: Susan sent the funds. What could she have done to avoid that result?

The most practical way to keep your company off the CEO fraud victim list is to educate individuals like Susan (who are usually, but not always, on the finance team) to be on the lookout for these scams, and to teach them how to identify them and what to do if they believe someone is trying to deceive them.

Companies can implement additional verification requirements for things like wire transfers. You can also consider adopting an additional step of authentication for access to email accounts. Note, however, that this will only help in the cases in which the impersonators compromised an executive's email account, not when they spoofed the sender.
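The spoofed-sender versus compromised-account distinction can be seen in message headers. The following is an added example, not code from Trustwave or the report; the corporate domain, executive list, addresses and flag names are constructed assumptions, and the sample reuses the first message of the thread above.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Assumed values: domain and executive list come from your own directory.
CORPORATE_DOMAIN = "corp.example"
EXECUTIVES = {"john smith"}
PAYMENT_RE = re.compile(r"\b(payment|transfer|bank details|iban|wire)\b", re.I)

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def bec_flags(raw_message):
    """Return CEO-fraud indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    flags = []
    # Executive display name on an outside address: the spoofed-sender
    # case that mailbox MFA does not cover.
    if display_name.lower() in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        flags.append("exec-name-external-address")
    # Replies routed to a different domain than the visible sender.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-domain-mismatch")
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body if isinstance(body, str) else ''}"
    if PAYMENT_RE.search(text):
        flags.append("payment-request")
    return flags

# Constructed sample: first message of the thread with invented addresses.
SPOOFED = """\
From: John Smith <john.smith@mailbox.example>
Reply-To: John Smith <ceo.office@other.example>
To: Susan Brown <susan.brown@corp.example>
Subject: Urgent Attention

Are you available to handle an international payment this morning?
Have one pending, let me know when to send bank details.
"""
# Same text from the executive's real mailbox (compromised account):
# headers look legitimate, so only the content flag fires.
COMPROMISED = (SPOOFED.replace("@mailbox.example", "@corp.example")
               .replace("Reply-To: John Smith <ceo.office@other.example>\n", ""))

print(bec_flags(SPOOFED), bec_flags(COMPROMISED))
```

In the compromised-account case the headers give nothing away, which is why a payment-request flag on its own should still route the message into the additional wire-transfer verification step.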

For more technical hints and best practices, we urge you to check out these two fantastic resources:

  "Insider Tips to Defend Against CEO Fraud Attacks (Video)"

  "CEO Fraud Scams and How to Deal with Them at the Email Gateway"

Dan Kaplan is manager of online content at Trustwave.
