I have been seeing an increasing number of articles on sites like Krebs on Security on a growing scam called “CEO fraud,” whereby crooks are using social engineering to get executives to wire funds to the crooks. One recent example was tech company Ubiquiti Networks, which was swindled out of $47 million. Another example is an Atlanta company that was scammed out $1.8 million. Also known as the “business email compromise” (BEC) scam, the FBI reports that over 7,000 victims have lost $750 million in the last 2 years and this form of swindling is growing over 270% since the first of this year.
CEO Fraud: A First Hand Encounter
As CEO of Centrify, I find it very interesting to read about this crime, as my company and I now regularly experience various forms of sophisticated attempts to get us to transfer money to crooks. Hopefully, by using myself and this blog post as a case study for what the bad guys are doing, I can help others not fall victim to this crime.
But first, let me quote Brian Krebs to summarize what this scam is all about:
“CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name…
Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes are unlikely to set off spam traps, because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans. They do this by scraping employee email addresses and other information from the target’s Web site to help make the missives more convincing...
In many ways, the BEC attack is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.”
Let me break down how this scam works. A controller or finance type is told via email by the CFO or CEO to wire money to such and such account for what appears to be valid business reasons. Being good employees and not wanting to disregard the CEO or CFO, they follow directions to do so -- all the while thinking that the CEO is asking them to do it, and not realizing that they are sending money to crooks.
My firsthand account as a target of this scam
The first attempt was on Feb. 12, 2014, well before this scam has been widely publicized. Our VP of Finance got the following email from Tim (our CFO), which was a forward of a request from me, the CEO:
The attachment was a PDF of wire instructions for a company called “Indeva Corporation” that actually had a Citi Bank account in the US as shown below (most other wire scams I read about were overseas wires to China).
She replied back to “Tim” saying she needed to work with our accounting manager to make this happen, and “Tim” replied with the following:
Luckily Centrify had (and still has) a nice division of labor and a set of policies and approvals for wire transfers (which I won’t bore you with). Also, it happened that at this time, the VP of Finance was in an office next to the real Tim. So while waiting to hear back from the accounting manager, she happened to bump into Tim in the hallway and mentioned that she vectored my request to the accounting manager but she still needed proper documentation for the wire. Tim replied “what?” and asked to see the email. Meanwhile, I finally stroll into work and Tim sees me walking by his office and asks me about me requesting a wire transfer that morning, and I say “huh?” confirming to us all that a scam was on.
So after squinting our eyes a few times, we immediately deduced that the email was sent from a look-alike domain called “centrilfy.com” which looks a lot like “centrify.com.” The crooks had also made a mistake in guessing at our email convention for the first name. last name. Take a look at the screenshots above -- you have to stare really hard to see the differences in domain names, and when the VP of Finance replied to the email, a real person did reply.
The scary thing was that when we finally got through to a real human at Vistaprint (where the domain was registered for free for 30 days), they admitted to us that a bunch of other sound-alike domains had been created that morning to target at least 50+ other companies. So it is interesting to note that the crooks not only spent the time to research (via our website and probably Linkedin) who’s who at our company in terms of CEO, CFO and the person in our G&A department who likely processes wire transfers, but then set up a look-alike domain name and email accounts of our CFO, etc. on that domain. After all of this setup, they sent out emails from these accounts (and also did all this for at least 50+ other companies in the same timeframe). It is scary to think that if one of the 50 companies did not follow the proper process regarding documentation and approval for wire transfers, the crooks could make an easy $350k.
So we quickly decided to have Tim our CFO call the FBI while another person called Vistaprint to kill the domains. Ironically, during the same time while the real Tim was on hold with the FBI, the “fake Tim” sent emails to our VP of Finance such as this:
So it was somewhat amusing to have an attempted crime playing out while we were on hold with the FBI trying to report that crime.
That was the first of many attempts to scam us.
Other examples of scamming attempts at Centrify
Feb 4, 2015:
An email from CEO to CFO asking for a wire transfer. Note the domain was “cenrtify.com,” the “r” and “t” of "Centrify" were flipped around.
June 5, 2015:
An email from the CFO to me, the CEO. In this case, no fake Centrify lookalike domain was used, but if you reply to this email it went to an email address on a Czech domain called emkei.cz which was registered by forpsi.com.
August 17, 2015:
An email from CEO to CFO. If you were to reply, it would go to a charlyman2112 Gmail account.
August 20, 2015:
Another email from CEO to CFO. The reply would go to ceo_emails at email.com
September 11, 2015:
Another one from CEO to CFO. This is from a jassmith03 Gmail account.
That same day, another one. This time from the president at CEO email.ml (they are even creating domain names with their intent!)
September 16, 2015:
This time from a domain created called “centrfiy.” Very clever to transpose the "f" and "i" of "Centrify."
September 29, 2015:
The latest attempt on our company. Sent by a bizonlyy Gmail account.
We are now getting one of these scam emails per week. But there are some steps you can take to protect yourself from falling victim to one of these scams.
How to avoid being burned by this scam:
- Immediately walk over to your CFO and make sure that proper documentation and approvals are required for all wire transfers.
- Make sure that any wire transfer is associated and maps with an actual purchase inside the accounting system (again, proper documentation).
- Add Multi-Factor Authentication to all key apps (including financial systems), so users can confirm they really are who they claim to be (e.g. when initiating a wire transfer). Also, layer on other identity controls such as privileged session monitoring for sensitive systems ― this is in case the crooks have compromised the credentials of key employees in Finance.
- Have your marketing department or IT group start buying up domain names that are variations of your company name. For example, if you have a lower case “I” in your name, buy the domain where a lower case “L” is swapped for the “I”, or if you have an “E” in your domain name buy the domain that has a “3” for an “E” etc.
Good luck and hopefully you don’t get scammed.