Criminals Use CEO Emails to Target Companies

Posted on by RSAC Contributor

That email from the CEO in your inbox may not be real. Stop and pick up the phone to make sure it's legitimate before you take action.

The FBI said cybercriminals stole nearly $750 million from more than 7,000 companies in the United States between October 2013 and August 2015. When international victims are included, total losses from business email compromise (BEC) attacks exceed $1.2 billion. The attackers, organized crime groups operating out of Africa, Eastern Europe, and the Middle East, primarily target businesses that work with foreign suppliers and regularly pay those suppliers by wire transfer from the U.S. The wire transfers end up in the criminals' accounts, mostly at China-based banks.

“The scam has been reported in all 50 states and in 79 countries,” the FBI’s alert notes. “Fraudulent transfers have been reported going to 72 countries; however, the majority of the transfers are going to Asian banks located within China and Hong Kong.”

Also known as CEO fraud, the scheme usually takes one of two forms: the thieves either phish an executive to take over the executive's mailbox, or they simply spoof the executive's address. These scams rarely get trapped by spam filters because they are spear-phishing attacks sent to a handful of carefully chosen recipients, not mass mailings to thousands of addresses. More importantly, the attacker goes to the trouble of understanding the reporting relationships within the targeted company, so the request looks plausible to the person who receives it. The following is a summary of one such attack, in which attackers targeted security company Easy Solutions with emails supposedly sent by its CEO, Ricardo Villadiego.

Looking at the email from the CEO you know he didn't send was a "weird experience," said Dan Ingevaldson, CTO of Easy Solutions.

Efrain Rodriguez, the company's CFO, received the email purporting to be from Villadiego. The short message simply instructed Rodriguez to initiate a wire transfer of $17,400 to a specific account. Suspicious, Rodriguez called Villadiego to verify whether the request was legitimate. When Rodriguez didn't send the funds, he received follow-up messages stressing the urgency of the situation. "These attacks exist because it is still possible to easily and cheaply forge emails from any address on the Internet," Villadiego wrote in his write-up.

The attack took the company by surprise because you don't really think of a fraud-prevention company as a target, Ingevaldson said. If attackers were going to spoof a CEO, larger and better-known brands seemed the likelier targets.

Fortunately, Easy Solutions had already deployed DMARC to identify and block messages spoofing its domain. The attack arrived during a window in which the company had, as an experiment, relaxed its published policy from "reject" (p=reject) to monitor-only (p=none) to see what kinds of messages were being sent in its name; under a monitoring policy, receivers still see that a message fails authentication but deliver it anyway. During the course of the investigation, Easy Solutions found that several other small companies had been targeted. That was a good reminder to those organizations to speed up their timetables for deploying DMARC, Ingevaldson said.

DMARC gives the IT team visibility into spoofing and spear-phishing aimed at both your employees and your clients: the aggregate reports it requests show which hosts are sending mail that claims to come from your domain, and an enforcing policy tells receivers to quarantine or reject the mail that fails. Just publishing a record is not enough, though. A policy only protects the people you send mail to when their mail providers enforce it, and it only protects your own employees when your enterprise email provider honors DMARC policies on inbound mail, so confirm that it does before relying on it to stop spear-phishing.
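To make concrete why switching from "reject" to "monitor" let the spoofed CEO mail through, and what an inbound provider that honors DMARC actually does, here is an added example that walks a message through the DMARC disposition logic of RFC 7489 (identifier alignment, then the domain owner's policy). It is illustrative code written for this page, not Easy Solutions' code or any mail provider's implementation. It simplifies the standard: the organizational domain is taken as the last two labels (a real receiver uses the Public Suffix List), the `pct` sampling tag is ignored, and the domain names, records and messages are all constructed for the example.

```python
"""Evaluate a DMARC disposition for a single inbound message (added example).

Simplified model of RFC 7489: identifier alignment of the SPF and DKIM
results against the RFC5322.From domain, then the domain owner's policy
(p= for the record's own domain, sp= for its subdomains).
All domains, records and messages below are constructed for illustration.
"""


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, filling in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    # pct (sampling) is ignored here; a real receiver applies the policy to
    # only pct% of failing mail and the next-weaker policy to the rest.
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: last two labels; a real receiver
    uses the Public Suffix List so that e.g. example.co.uk works."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(msg: dict, record: str, record_domain: str) -> str:
    """Return what a DMARC-honoring receiver does with msg: 'pass' if an
    aligned SPF or DKIM result passes, else the owner's requested policy
    ('none', 'quarantine' or 'reject')."""
    tags = parse_dmarc(record)
    from_domain = msg["from"].split("@", 1)[1]
    dkim_ok = (msg.get("dkim_result") == "pass"
               and aligned(msg["dkim_domain"], from_domain, tags["adkim"]))
    spf_ok = (msg.get("spf_result") == "pass"
              and aligned(msg["spf_domain"], from_domain, tags["aspf"]))
    if dkim_ok or spf_ok:
        return "pass"
    # The record found at _dmarc.<record_domain>: p applies to that domain,
    # sp to its subdomains.
    if from_domain.lower() == record_domain.lower():
        return tags["p"]
    return tags["sp"]


# Constructed spoof: the attacker's own MTA sends "From: ceo@example.com"
# with its own envelope sender. SPF passes for the attacker's domain but is
# not aligned with example.com, and there is no DKIM signature at all.
SPOOFED = {
    "from": "ceo@example.com",
    "spf_result": "pass", "spf_domain": "mail.attacker.example",
    "dkim_result": "none", "dkim_domain": "",
}

# Constructed legitimate mail: DKIM-signed under the company's domain and
# sent from an SPF-authorized host.
GENUINE = {
    "from": "ceo@example.com",
    "spf_result": "pass", "spf_domain": "example.com",
    "dkim_result": "pass", "dkim_domain": "example.com",
}

# The two records the article contrasts: monitor-only versus enforcing.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
REJECT_RECORD = ("v=DMARC1; p=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com")


def demo() -> dict:
    """Disposition of the spoofed and genuine message under each record."""
    results = {}
    for name, rec in (("monitor", MONITOR_RECORD), ("reject", REJECT_RECORD)):
        results[name] = {
            "spoofed": evaluate(SPOOFED, rec, "example.com"),
            "genuine": evaluate(GENUINE, rec, "example.com"),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

Under the monitor record the spoof is reported but still delivered (disposition `none`); under the reject record the same message is rejected while the genuine mail passes in both cases. To check a real domain, fetch its record with `dig +short TXT _dmarc.<domain>` and pass the string to `evaluate()`; to check that your own inbound provider enforces policy, the test is operational rather than code: send a message that fails alignment from outside and confirm it never reaches the mailbox.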

There is also a people and process component. Teach your employees and senior leadership about the risks associated with these kinds of attacks. Also require dual approval for important transactions, with the second approval obtained, preferably, over a different channel from the one the request arrived on, such as a phone call to a number you already know rather than a reply to the email. With such a system in place, an attacker would have to impersonate two individuals and subvert the secondary channel as well.
