
Here is an Email Thread of an Actual CEO Fraud Attack

For as much as we're drowning in emails - to the point where it has become socially acceptable to ignore them, at least for a little bit - let's admit one thing: We all perk up when a message from the boss (or another company leader) slips into our inbox.

Suddenly all the email noise reduces to a whisper, and all your focus shifts to this single message. Depending on your current level of paranoia, your mood may quickly turn to dread. You breathe a sigh of relief when you realize you've done nothing wrong and aren't being asked to work over the weekend. Instead, your boss just needs a quick favor, a simple funds transfer.

What do you do? The default, of course, is to comply with the boss' wishes. Love them or hate them, satisfying their work demands is generally a safe way to stay on their good side. But what if you weren't so quick to respond - or didn't at all?

The chances that such an email has been completely fabricated by an external adversary fixed on stealing from your company are rapidly growing. Business email compromise scams, which typically combine spear phishing, email spoofing, social engineering (and occasionally malware), have steadily grown into a prolific problem for businesses of all sizes, resulting in massive losses to the tune of several billion dollars.

These messages typically avoid the spam filter because they are not part of a mass-mailing campaign and are instead more targeted in nature, usually devoid of the typical junk mail traits. A recent survey by the Association of Financial Professionals, which polled treasury and finance professionals, found that 77 percent of organizations experienced attempted or actual BEC scams - commonly called CEO fraud - in 2017.

The recently released 2018 Trustwave Global Security Report published an email thread that our incident investigators received showing a real CEO fraud operation in action. As you can see, the attackers smartly make their ruse sound convincing, without delving into any conversation that would out them as an impostor.

One other caveat worth noting about these machinations: You may be used to spam messages containing easy-to-identify grammatical and spelling errors. Not so much for CEO fraud, which is a targeted, one-on-one operation conducted individually by con artists targeting specific companies (and specific individuals at those companies) and all but requires the perpetrator to be fluent in the victim's language.

The conversation reproduced here actually happened in November 2017 between a CEO scammer and the victim he successfully ripped off, although the names and other identifying details have been changed.



From: John Smith
Sent: Monday, 13 November 2017 11:27 AM
To: Susan Brown
Subject: Urgent Attention

Are you available to handle an international payment this morning?
Have one pending, let me know when to send bank details.

Regards
John Smith
Sent from my iPhone


On Mon, Nov 13, 2017 at 1:33 AM,
Susan Brown wrote:

Hi John,
Sorry was caught up with a project - I'm here now - can I still help?

 Susan Brown
Director


On Mon, Nov 13, 2017 at 4:29 PM,
 John Smith wrote:

Can you still handle this right now? was very busy earlier.

 Regards
John Smith
Sent from my iPhone


On Mon, Nov 13, 2017 at 6:01 AM,
 Susan Brown wrote:

Hi John,
Just back - can do it for you now if that will help.

Susan Brown
Director


On Mon, Nov 13, 2017 at 5:48 PM,
John Smith wrote:

Yes it seem to be a very busy day. The amount is for $30,120 i am guessing it is very late already for the transfer or can you still get it done today?

Regards
John Smith
Sent from my iPhone


On Mon, Nov 13, 2017 at 6:50 AM,
Susan Brown wrote:

Hi John,
Is it set up ready to go in PC banking? I can't see it there to authorize under international?
Cheers,

Susan Brown


On Mon, Nov 13, 2017 at 5:56 PM,
 John Smith wrote:

Oh ok, please find a way around it, my day is really tied. Can i send you the bank details today still? Can the payment still go out?

Regards
John Smith


On Mon, Nov 13, 2017 at 6:58 AM,
 Susan Brown wrote:

Hi John,
I can do my best but will do it from home tonight as have to leave the office now. Think they still go to 8 pm or so.
Send me all the details and I'll try but usually Mary sets them up and we just authorize them. Will see what I can do - it's no trouble as I know I can ask Mary from her home if necessary.
Leave it with us.

Regards
Susan Brown
Director


On Mon, Nov 13, 2017 at 7:02 AM,
 John Smith wrote:

Ok then. Thanks
NAME: Acme
SORT CODE: 12341234
ACCOUNT: 123412341234
IBAN: ABCD123412341234123412341234
SWIFT ABC:ABCD1234
BANK: SOME BANK
ADDRESS: 3 Somewhere Place
Send me payment slip once it is completed.

Regards
John Smith
Sent from my iPhone


On Mon, Nov 13, 2017 at 7:14 AM,
 John Smith wrote:

Please use this IBAN number for the account.
IBAN: ABCD12341234123412341234123412341
Ensure to send me the slip once its done. Thanks
N.B: confirm receipt of the new IBAN number.

Regards
John Smith

 


What you don't see is what happened next: Susan sent the funds. What could she have done to avoid that result?

The most practical way to keep your company off the CEO fraud victim list is to educate individuals like Susan (who are usually, but not always, on the finance team) to be on the lookout for these scams: how to identify them and what to do if they believe someone is trying to deceive them.

Companies can implement additional verification requirements for things like wire transfers. You can also consider adopting an additional step of authentication for access to email accounts. Note, however, that this will only help in the cases in which the impersonators compromised an executive's email account, not when they spoofed the sender.

For more technical hints and best practices, we urge you to check out these two fantastic resources:

  "Insider Tips to Defend Against CEO Fraud Attacks (Video)"

  "CEO Fraud Scams and How to Deal with Them at the Email Gateway"

Dan Kaplan is manager of online content at Trustwave.
