I have been seeing an increasing number of articles on sites like Krebs on Security on a...
CEO Fraud Continues to Rear Its Ugly Head
As CEO of Centrify, I have been writing about “CEO Fraud” — whereby scammers send emails that impersonate senior executives to obtain money or data — for well over three years now.
I have blogged about it based on first-hand encounters, presented on it and the broader topic of “business email compromise” (BEC) at the 2016 RSA Conference, and was even interviewed on a nightly news show about it (scroll to 18:30 to see yours truly wax poetic). But I am not the “Vox clamantis in deserto” (“voice crying out in the wilderness” for those that know Latin, or you Dartmouth alumni) on this topic, as many others have been banging the drum on this problem.
Yet after all these years fraught with this problem and the significant amount of evangelism by security vendors and people like me who experience these attacks first hand, the reality is that the problem is getting much worse.
Back in 2016, the FBI said this type of attack resulted in over $3 billion in reported worldwide losses from 2013 to mid-2016. As of mid-2018, that number increased to over $12 billion in losses from mid-2013 to the present, meaning $9 billion in worldwide losses over the last 2 years in business email compromise.
Shifting Fraud Focus
What’s also interesting is that the focus has both shifted in terms of what the scammers are going after and that they have also expanded their attacks into vertical industries.
Originally the focus was more on fooling someone in a generic business’s accounting department or tricking a CEO’s direct report into initiating a wire transfer. About 2 years ago the scammers started also going after duping people to give out Personal Identifiable Information (PII), such as W-2s that have employee names, addresses, wages, and Social Security Numbers. A good example of “W-2 phishing” is a 2017 incident whereby all employees of tech company Coupa had their W-2s compromised by a fraudster tricking the Coupa HR department.
Now we see the thieves moving into verticals such as the real estate market, going after all participants in real estate transactions such as title companies, real estate agents, buyers, sellers, and law firms.
“Victims most often report a spoofed e-mail being sent or received on behalf of one of these real estate transaction participants with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account. The funds are usually directed to a fraudulent domestic account which quickly disperse through cash or check withdrawals. The funds may also be transferred to a secondary fraudulent domestic or international account. Funds sent to domestic accounts are often depleted rapidly making recovery difficult.”
At Delinea, I personally have seen the uptick in attempted CEO fraud attempts.
Back in 2015 and 2016, it would be a monthly experience where I would hear of someone at Delinea getting an email from “Tom Kemp” the CEO, asking to help initiate a wire transfer. Now that cadence has increased to a weekly or twice weekly experience.
At the bottom of this blog, I have included some recent examples of the typical type of messages that express a sense of urgency to get people to cut corners to please the CEO. At the same time, the scammers are also trying to fool people that I am only available via email and the target can’t confirm in person or via phone the request with me directly.
I have also seen that scammers are being more targeted than before in terms of the people they are contacting. Clearly, the bad guys have historically gone after people in a business that have the right type of titles, such as “HR Manager” or “Payroll clerk” or “Finance Director,” that they can easily get via searching LinkedIn.
But now I am seeing that they know a bit more about our organization than doing some simple LinkedIn or Google searches for titles. This may have to do with some recent breaches of B2B companies that aggregate a lot of information about employees at companies.
Specifically, I subscribe to Have I Been Pwned, a website maintained by Troy Hunt that tells a consumer if your email or user account has been found in a recent data breach (note a commercial offering for enterprise usage is available via companies like Vericlouds). In the last few months, I have received two interesting notifications of having my business email caught up in these breaches.
The first was the “Apollo Breach,” where Troy noted the following:
“In July 2018, the sales engagement startup Apollo left a database containing billions of data points publicly exposed without a password. The data was discovered by security researcher Vinny Troia who subsequently sent a subset of the data containing 126 million unique email addresses to Have I Been Pwned. The data left exposed by Apollo was used in their "revenue acceleration platform" and included personal information such as names and email addresses as well as professional information including places of employment, the roles people hold and where they're located.”
The other one my work email account was part of was the Adapt breach which, “exposed over 9.3M unique records of individuals and employer information including their names, employers, job titles, contact information and data relating to the employer including organization description, size, and revenue.”
The point here is that by doing a “Cambridge Analytics-meets-Facebook” type of data merge of the Adapt and Apollo breach data with business contact information from LinkedIn, the bad guys can be even more targeted in their spear-phishing. And the scary thing is that they may know your company’s org chart better than you do.
What to do
So what to do? The recommendations from my session at the 2016 RSA Conference (see slides 28-34) still hold true, e.g.
- Educate people in your organization on this type of fraud (e.g. share the link to this blog!)
- Always pick up the phone and call to confirm an “out-of-band” request, even if you think the CEO may be mad.
- Implement multi-factor authentication on critical business applications
A newer technology that I have seen over the last few years from anti-spam and email security vendors is the ability for these security solutions to issue a warning when they see an impersonating email coming in.
The email security system Delinea uses internally produces the message “Warning: The Display Name used in this email matches an internal employee's name” in the subject line, which is very helpful to flag these types of emails. I would highly recommend turning on this switch.
Below are some examples of recent “CEO Fraud” attempts we have received at Delinea. I put in XXXXXX to block out the internal targets’ names and email addresses. By publishing these examples I am hoping that others who get these types of emails can search the body of the emails they received and get confirmation that these emails are the beginning hook of a scam.
From: Tom Kemp <firstname.lastname@example.org>
Sent: Tuesday, November 27, 2018, 8:17 AM
Subject: Quick Task
XXXXXX, Do you have a moment right now? Need you to run a task for me real quick. I am going into a meeting now, so just reply my email.
Sent from my iPhone
On 11/9/18, 12:53 PM, "Tom Kemp" <email@example.com> wrote:
Hi XXXXXX – Got a moment? There's a task that I need you to handle ASAP...
From: Tom Kemp <firstname.lastname@example.org>
Date: Monday, November 5, 2018 at 11:04 AM
Subject: Hello XXXXXX
How are you doing? I need you to make a purchase, Reply when you get this.
From: Tom Kemp <email@example.com>
Date: November 1, 2018 at 9:25:04 AM EDT
To: Undisclosed recipients:;
Hey are you available? write back
Sent via iPad, on Verizon Wireless 4G LTE
From: Tom Kemp <firstname.lastname@example.org>
Sent: Tuesday, October 16, 2018 7:41:24 PM
XXXXXX – are you available? I need you to complete a task ASAP.
From: Tom Kemp <email@example.com>
Reply-To: Tom Kemp <firstname.lastname@example.org>
Date: Friday, October 12, 2018 at 11:22 AM
Are you available? I need you to personally run a task for me ASAP as I am caught up in meetings. Just reply my Emails and let me know if you can get this done right now as I cannot make or receive call right now due to the meeting.
From: Tom Kemp <email@example.com>
Sent: Friday, October 5, 2018 1:18 PM
Subject: URGENT REQUEST
I need you to help run a task. Let me know if you're unoccupied.
P.S : I'm in a meeting and can't take calls, reply my email.
Sent from my iPad
From: Tom Kemp <firstname.lastname@example.org>
Date: Friday, September 28, 2018 at 10:11 AM
Please confirm if you are available,I have an urgent request for you.
Sent from my iPhone
From: Tom Kemp <email@example.com>
Sent: Monday, August 13, 2018 12:27 PM
I need my pay stub for May and June, kindly attach them as a reply to this email.
From: Tom Kemp <firstname.lastname@example.org>
Date: Monday, August 13, 2018 at 12:19 PM
In a meeting at the moment, I need you to do something for me, are you free at the moment?
I am unable to take calls, so am unable to talk on phone, email back.
Sent From iPad