Business executives have long served as optimal marks for digital con artists. For years, spear phishers have zeroed in on corporate leaders with impressive success - their well-crafted ruses deceiving company brass into divulging confidential credentials and inviting in insidious malware.
When compared to attacks against rank-and-file employees, attacks that target big bosses like the CEO can lead to far bigger payoffs for cybercriminals - including greater privileges and access to more sensitive and highly regarded corporate data.
Over the last 18 months, another social engineering trend has emerged whose success also relies on high-ranking executives - only this time, they are unwittingly doing the dirty work on behalf of the thieves. It's a fast-growing con known as CEO fraud, and last week our Trustwave SpiderLabs researchers distilled the threat in a two-part series that is well worth reading.
CEO fraud is a type of Business Email Compromise (BEC) scam that has witnessed such explosive growth over the past 18 months, amid billions of dollars of losses, that it prompted an FBI warning. The hoax typically involves an authentic-looking email that appears to come from the CEO, or some other powerful executive in the organization, and is sent to an employee requesting urgent assistance to conduct a wire transfer to settle a pending invoice. These attacks have also been used to trick recipients into clicking on malicious attachments with the goal of infecting the victim network with malware.
What makes these hustles so worrying is that the senders go to great lengths to ensure their ruse sounds legitimate and won't raise any suspicion. This includes conducting reconnaissance on the company (via the corporate website, social networking accounts, etc.) in order to tailor a more believable message, and impersonating the sender by either spoofing their email address or compromising their email account. As a result, CEO fraud is quite distinct from mass spam, which often contains obvious junk mail elements and against which companies tend to have better controls.
Still, technology is important in the fight. Weeding out these types of scams at the email gateway is ideal. Secure email gateways can assist by offering anti-spoofing functionality or capabilities that will flag suspicious domain names. Specifically, Trustwave Secure Email Gateway customers can download a special "BEC Fraud" package that makes this easier. The package also includes a special category script that identifies many traits associated with these CEO fraud scams. The package, including documentation, can be obtained here (requires customer login).
In addition, companies should consider web security gateways and endpoint protection in case the scam is motivated by malware delivery rather than financial fraud. But technology alone won't solve the problem of CEO fraud. You must also instill a culture of skepticism around requests from company leadership, as counterintuitive as that may sound given that these are the very people whose orders we are conditioned to follow.
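As an added illustration (not Trustwave's BEC Fraud package or its category script), here is a small Python checker for the traits the post names: an executive's display name on a non-corporate sender, a lookalike sender domain, a Reply-To that points elsewhere, and urgency or secrecy language. The corporate domain, executive names and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"        # assumed: the organisation's own domain
EXECUTIVES = {"jane doe", "john roe"}   # assumed: display names worth protecting
URGENCY_TERMS = ("urgent", "wire transfer", "confidential", "email only")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_traits(raw: str) -> list:
    """Return the CEO-fraud traits found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    traits = []
    if name.strip().lower() in EXECUTIVES and domain != CORPORATE_DOMAIN:
        traits.append("executive display name on a non-corporate sender")
    if domain != CORPORATE_DOMAIN and levenshtein(domain, CORPORATE_DOMAIN) <= 2:
        traits.append(f"lookalike sender domain {domain}")
    if reply_domain and reply_domain != domain:
        traits.append(f"Reply-To domain {reply_domain} differs from From domain")
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        traits.append("urgency/secrecy language: " + ", ".join(hits))
    return traits

# Constructed sample in the shape the post describes: executive display name,
# typo-squatted sender domain, external Reply-To and an urgent wire request.
FRAUD_SAMPLE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.example
To: accounts@example.com
Subject: Urgent wire transfer

I need a wire transfer sent today for a pending invoice. Keep this
confidential and reply by email only, I am in meetings all day.
"""
```

Calling `bec_traits(FRAUD_SAMPLE)` returns all four flags, while the same message sent from the real corporate domain without the Reply-To and urgency wording returns none; a gateway rule would typically quarantine or tag on two or more traits rather than on any single one.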
Pay heed to these helpful suggestions:
1) Verify, Verify, Verify
You must have policies and procedures in place for handling emails that request wire transfers and other sensitive information. This might be something as simple as requiring that email recipients pick up the phone to verify the request directly with the email sender, double-check with the chief financial officer and/or notify the IT department. If you're unsure about the payment details referenced in the email, contact the vendor to whom you allegedly owe the balance. You should also consider requiring dual approval for all wire transfers, on the principle that if two people are required to initiate and authorize a transaction, it is more likely that someone will catch on to a scam. Finally, it's essential that the CEO and other top executives are on board with this plan (and won't chastise an employee for playing it safe).
2) Make Employee Education a Priority
Aside from just generally making employees acquainted with CEO fraud, you should teach workers how to spot offending emails. This blog post offers several examples of what CEO fraud emails tend to look like - notice that even though the messages are well crafted, their language, tone and style will likely appear off from how your CEO normally writes. Follow some of these tips to develop a well-liked security awareness program.
3) Beware of Other Tricks
Even if you've caught on to the scam, the miscreants will likely keep the jig going to try to assuage your apprehension. So expect the social engineering to continue even if you claim to have them figured out. Keep in mind, too, that the attackers may shift to the phone to lend more credibility - or skip email entirely. Phone calls may be even more convincing and effective for the criminals because they present an immediate high-stress scenario where the caller puts the target on the spot.
4) Consider Two-Factor Authentication
You should consider adopting an additional step of authentication for access to email accounts. Note, however, that this will only help in the cases in which the impersonators compromised an executive's email account, not when they spoofed the sender.
When in doubt, your employees must ask themselves: Is this an email they were expecting? If the answer is "no," they should trust their gut and follow up on their instinct.
Be safe out there.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.