Would you believe them, if you received an email or phone call from someone making that claim? What if they were really, really convincing? Probably not, but what if they appeared to be your boss, or your boss’s boss, and asked you to do something that was, basically, your job?
Unbelievably, within hours of agreeing on the topic for this blog post – a Social Engineering attack dubbed “CEO Fraud”, “Fake President”, or “business email compromise” (BEC) to those with even less imagination – I received an email from our very own CEO, Tim. It began:
“Well, that was weird.”
A classic example
Of course the only thing that was weird was the timing. Attached was a short email exchange between Tim and our Operations Manager, Sarah, asking her to arrange a payment of £12,250 from 2-sec to a “John Stead Inc” with Halifax bank. Each email came from Tim’s company email address, and was signed off
“Tim Holman
Sent from my iPhone”
Yet, although he does indeed use an iPhone, Tim did not send any of them. It is only with the benefit of the headers on Sarah’s replies that we can see who she was really communicating with:
“To: Tim Holman <veom5@aol.com>”
This sort of detail, by the way, is not always visible, or at least not obvious, in the simplified email client on your smartphone.
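The check Sarah effectively did by hand, as an added example (not code from the original post): inspect the From and Reply-To headers, and flag a known executive's display name paired with an outside address, or replies being routed to a different domain than the apparent sender. The corporate domain, executive list and sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumed; stands in for the real company domain
EXECUTIVES = {"tim holman"}       # display names that deserve extra scrutiny


def domain_of(address: str) -> str:
    """Return the lower-cased domain of an address, or '' if it has none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing odd."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. An executive's display name attached to an address outside the company.
    for name, addr in ((from_name, from_addr), (reply_name, reply_addr)):
        if name.strip().lower() in EXECUTIVES and addr and domain_of(addr) != CORPORATE_DOMAIN:
            findings.append(f"executive name '{name}' used with external address {addr}")

    # 2. Replies silently redirected to a domain other than the sender's.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(from_addr)}")

    return findings


# Constructed sample: appears to come from the CEO, but replies go to a webmail account.
SUSPICIOUS = """\
From: Tim Holman <tim.holman@example.com>
Reply-To: Tim Holman <veom5@aol.com>
To: Sarah <sarah@example.com>
Subject: Urgent payment

Sent from my iPhone
"""

# Constructed sample of an ordinary internal message.
LEGITIMATE = """\
From: Tim Holman <tim.holman@example.com>
To: Sarah <sarah@example.com>
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, check_headers(raw) or ["no findings"])
```

Mobile clients often hide the Reply-To line entirely, which is exactly why a mail gateway or filter rule is a better place for this check than the recipient's eyes.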
And in case your curiosity needs satisfying, as mine did, Jon Stead is a 32-year-old striker for the League Two football club Notts County. He has never, to my (or rather Google’s) knowledge, become Incorporated.
Fortunately for us, Sarah immediately smelled a rat even without these insights, and dug a little to see how much “Tim” really knew, before reporting the attempted attack to The Real Tim (a nickname I am hoping will stick) within hours of the first communication.
Excellent work Sarah!
But most people do not have the advantages that Suspicious Sarah had in this situation – many have never met their company’s CEO face to face, or even ever communicated with them directly at all. Nor do most people work for a Cyber Security Consultancy, which no doubt carries the expectation of some level of preparedness!
In fact, there has been a sharp increase in the number of these kinds of attacks reported recently, with a clear pattern emerging to explain their success:
Knowledge
The attackers usually appear to have in-depth knowledge of their target business’s operating procedures and working practices; their emails often refer to details that an employee would not expect to appear in a “dumb” phishing scam. Attacks often occur when the impersonated CEO/President is known to be away on business, and they may take advantage of an existing relationship of trust between an employee and the CEO/President.
Secrecy
High-value business transactions, such as acquisitions, are often very “hush-hush”. The employee is told that the request is to be treated with the utmost confidentiality: not only should they not discuss the details with another soul, but only the specified “secure” lines of communication should be used, to avoid leaks.
Pressure
A phone call may be received warning the employee to expect an imminent and extremely urgent email from the CEO/President, and that this must be given their full and immediate attention. The email will then contain highly emphasised instructions, and perhaps further warn the employee to expect a phone call from the external agency with account details.
After a recent attack on French business Etna Industrie, company President Carole Gratzmuller spoke to the BBC saying,
“Everything happened between 9 and 10 o'clock. The accountant probably got about 10 emails in that time and three or four different phone calls.
The fraudsters pressured her into acting quickly, without thinking – a standard feature of this type of phishing fraud. They didn't give her a moment to sit back and think that this was unusual.”
In this case the fraudsters were able to convince a company accountant to authorise transfers totalling €500,000 – a figure that would apparently have crippled the company and forced them to fold, had the majority not been held up by the banks long enough for them to be reversed.[1]
Others have not been so lucky – despite the intelligence and precision involved in these attacks, they are in fact so low-tech that it appears they are not even covered by some insurers’ cyber insurance policies.
A Houston, US company, Ameriforge Group Inc, was subject to a very similar attack. On 21 May 2014 the accounting director was targeted and convinced to transfer $480,000 for “due diligence fees associated with the China acquisition”, a very sensitive matter that must not be discussed outside of the email “in order for us not to infringe SEC regulations”. Shockingly, he was contacted again 6 days later, on 27 May 2014, and asked to transfer a further $18 million. At this point he became suspicious and reported the activity, but it was too late for the company to recover the first sum. The loss of $480,000 was not covered by Ameriforge Group Inc’s insurers, because the scam “did not involve the forgery of a financial instrument as required by the policy”, although this remains in dispute.[2]
Who are you really?
You would have strong words to say to your bank if they allowed a cheque to be processed because someone had written “Tim Holman, Sent from my iPhone” on the signature line, so why should this be any different? I would certainly expect businesses to have a clear authorisation and verification procedure and for any employee who has access to transfer sums of money out of the company accounts to be fully aware of it, with no exceptions. The answer here, I’m afraid, is obvious – secure solutions already exist, so use them.
[1] – “The ‘bogus boss' email scam costing firms millions”, http://www.bbc.co.uk/news/business-35250678, BBC News, 8 January 2016
[2] – “Firm Sues Cyber Insurer Over $480K Loss”, http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/#more-33617, Krebs on Security, Jan 16