How a Security CEO Fell Prey to Scammers (Almost)

Posted on by David Needle

Having a security breach is one of every company’s worst nightmares. But the bad guys don’t just try to compromise your computer systems; they also use social manipulation and phony email addresses and domains to steal information and funds right out from under your nose.

That’s exactly what happened two years ago to Tom Kemp, CEO of cloud security firm Delinea, previously Centrify. And the problem has only gotten worse, Kemp told attendees in a session at the RSA conference on Thursday.

The FBI says this growing threat of “CEO Fraud” includes “Business Email Compromise (BEC), a scam carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds.”

At Centrify, Kemp was able to avoid taking a hit through a combination of good policy and luck. He just happened to be walking by the office of his CFO, who called out, “Hey, Jennifer (Centrify’s controller) is working on that wire transfer you asked for.” Kemp shared a screenshot of the email asking for a very specific amount, $357,493.41, to be wired to what appeared to be a Citibank account.

In fact there was no legitimate wire transfer request. The email came from a lookalike domain (note the additional “l” in the name). But even before they spotted the phony domain name, the wire transfer was taking time because Centrify has a separation-of-duties policy: Flora in accounting can initiate a payment, but Jennifer the controller has to approve it.

Ironically, as Kemp was on the phone with the FBI, the phony Kemp sent another email pushing to see how the wire transfer was coming. The FBI said not to reply, but Kemp expressed disappointment there was no follow up by the FBI as to what happened—did they catch the scammers? After his talk, one attendee told him typically the FBI doesn’t follow up unless the fraud was successful and the company was robbed.

Tools of the Trade

In deconstructing the scam, Centrify was able to determine the fraudsters set up the Centrilfy domain using Vistaprint, the popular service for creating low cost business cards, flyers and other materials. Vistaprint also offers domain services including a free 30-day trial consumers can set up with no payments required.

The legal team at Vistaprint, trying to resolve the situation, told Centrify that over 60 lookalike domains had been created that morning using 30 account domains.

Kemp suggests all companies adopt a separation-of-duties policy and make sure standard procedures take security into account—making sure, for example, that any large wire transfer request gets verbal authorization and that the request comes from a legitimate business address.
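The three controls in the story (spot a lookalike sender domain, require a second person to approve, and insist on verbal authorization for large amounts) as a small Python checker. This is an added example, not code from Centrify or the article; the allowlisted domain and the dollar threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEGIT_DOMAINS = {"centrify.com"}      # constructed allowlist of real corporate domains
VERBAL_CONFIRM_THRESHOLD = 10_000.00  # constructed USD threshold for a call-back


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: a one-letter insertion (centrify -> centrilfy) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """'legit' if the domain is on the allowlist, 'lookalike' if within two edits of one."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in LEGIT_DOMAINS:
        return "legit"
    if any(edit_distance(domain, d) <= 2 for d in LEGIT_DOMAINS):
        return "lookalike"
    return "external"


@dataclass
class WireRequest:
    sender: str            # address the request email came from
    amount: float
    initiated_by: str      # who entered the payment (Flora, in the story)
    approved_by: Optional[str] = None   # must be a different person (the controller)
    verbally_confirmed: bool = False    # call-back to the requester done?


def wire_allowed(req: WireRequest) -> Tuple[bool, List[str]]:
    """Apply the three controls; returns (allowed, reasons it was blocked)."""
    reasons = []
    verdict = classify_sender(req.sender)
    if verdict != "legit":
        reasons.append(f"sender domain is {verdict}, not a legitimate business address")
    if req.approved_by is None or req.approved_by == req.initiated_by:
        reasons.append("separation of duties: approver must differ from initiator")
    if req.amount >= VERBAL_CONFIRM_THRESHOLD and not req.verbally_confirmed:
        reasons.append("large transfer requires verbal authorization")
    return (not reasons, reasons)
```

Run against the request in the story (a lookalike sender, an initiator with no approver yet, a six-figure amount), all three controls fire; a genuine, countersigned and verbally confirmed request passes.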

Meanwhile the scammers continue to attack. Kemp made note of the admission by Snapchat just last week that one of its employees fell for a phishing scam that led to the release of employee payroll information.

The FBI says CEO (or C-level) fraud has increased 270 percent in the past two years, with over 12,000 reported incidents totaling over $2 billion. Among the reasons these scams succeed is the appearance of authority—staffers are used to carrying out the CEO’s instructions quickly.

Another technique is to pose as the CEO and describe the need to the CFO or someone else in accounting as part of a “secret project” that’s not to be discussed with anyone else at the company.

These phony emails may also include language expressing an urgency to get the wire transfer done, and words of flattery to the recipient: “I’m counting on you to get this done quickly.”

As a final tip, Kemp said it’s a good idea to advise secretaries and administrative staff not to reveal the CEO’s whereabouts when someone calls. He said scammers will call to find out if the CEO is travelling or on vacation. If there’s no reason to share that information it shouldn’t be given out.
