CEO Email Fraud: How to Combat a Whale of a Problem
To: Smith, Christopher (CFO@example.com)
From: Johnson, Thomas (firstname.lastname@example.org)
Date: April 29, 2015, 11:36 a.m.
Subject: Time-sensitive transfer of funds
Chris, I’m in China but need your quick action on this. We’re building our industry relationships here and Gōngjiàng Company requesting a transfer of funds on a time-sensitive acquisition. The lawyers will be in touch. Get this done today. Tom
Policy Manager, National Security and Emergency Preparedness
Who has seen an email like this come across his or her inbox? This is an example of a business email compromise (BEC). Like most things the government names, it sounds incredibly boring and bureaucratic. But according to the FBI, criminals across the globe have stolen nearly $1.2 billion from more than 7,000 victim companies since 2013 using scams like this.
These types of scams are known as CEO fraud or whaling attacks.
Victims of CEO fraud are both small and large businesses, and money has been sent to Hong Kong, China, the United Kingdom, Saudi Arabia, Malaysia, Taiwan, Nigeria, Korea, and the United Arab Emirates.
In two notable whaling incidents last year, online wire-transfer provider Xoom was the victim of a January attack to the tune of $31 million, and networking firm Ubiquiti reported in August a $47 million loss. In most cases, however, the scammers request wire transfers in amounts that lend legitimacy to the fraud, generally in the $50,000 to $100,000 range.
Typically, criminals hijack the email account of a company executive and then send email instructions to a staff member directing him or her to wire large sums of money to foreign accounts.
What makes these crimes successful is their level of sophistication. Fraudsters combine research readily available on the Internet and insider information to target individual victims. Instead of crafting mass emails from a Nigerian crown prince awarding you and only you $10,000, these criminals’ methods are extremely sophisticated and target an organization’s relationships, activities, interests, travel, and purchasing plans.
Take the example here. The author of this email tailors the message to Chris, not Christopher, and signs the email Tom, not Thomas, demonstrating that he knows the nicknames of his victims. The scammers in this case also know that the example company has overseas interests and are perhaps following the CEO’s travel via Twitter and Facebook, so they have timed their scam to coincide with the executive’s foreign travel.
Finally, there’s the look-alike domain name (that is everything after the @ symbol in an email address). As with most email attacks, thieves will change one letter or number in a target company’s domain name and send messages from that look-alike address.
What to do if you are the victim:
If you are the victim of a BEC scam and act within 24–48 hours, there is a good chance you’ll get your money back.
Step one: Contact your financial institution and the financial institution receiving the transfer.
Step two: Contact your local FBI or U.S. Secret Service field office.
Step three: If your financial loss is under $100,000, then file a report through the FBI’s Internet Crime Complaint Center (IC3).
How to raise your defenses:
1. Create an intrusion detection system (IDS) rule to flag emails from domains that are similar to your own, such as @examp1e.com (substituting the number 1 for the letter “l”).
2. Train employees to scrutinize all email requests for transfer of funds.
3. Trust but verify. Use two-factor authentication to confirm any transfer of funds, and verify the customer and bank information using previously known phone numbers and contacts.
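As an added example (not code from the original article), the Python script below implements the look-alike domain check described in point 1 and in the discussion of the From address above. It compares the From, Reply-To and Sender domains of each message against a placeholder company domain (`example.com`), catching digit-for-letter substitutions such as `examp1e.com`, the same name under another top-level domain such as `example.org` (the trick used in the sample email), single-character typo-squats such as `exmaple.com`, and the company domain buried as a subdomain of an attacker's domain. The homoglyph table and the sample messages are constructed for this example.

```python
"""Flag inbound messages whose From, Reply-To or Sender domain resembles ours."""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # placeholder for the defending company's real domain

# Substitutions commonly used to forge a visually similar domain (assumed list)
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

HEADERS_TO_CHECK = ("From", "Reply-To", "Sender")


def normalize(domain):
    """Collapse look-alike characters so that examp1e.com reads as example.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so a typo-squat like 'exmaple' is one change from 'example'."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_reason(domain, company=COMPANY_DOMAIN):
    """Return why `domain` resembles `company`, or None when it is the company
    itself (or one of its subdomains) or an unrelated domain."""
    domain = domain.lower().rstrip(".")
    if domain == company or domain.endswith("." + company):
        return None  # genuine internal mail
    if normalize(domain) == normalize(company):
        return "homoglyph substitution"
    c_label, c_tld = company.rsplit(".", 1)
    d_label, _, d_tld = domain.rpartition(".")
    if d_label == c_label and d_tld != c_tld:
        return "same name under a different top-level domain"
    if osa_distance(d_label, c_label) == 1:
        return "one edit away from the company name"
    if domain.startswith(company + "."):
        return "company domain used as a subdomain of another domain"
    return None


def flag_messages(raw_messages):
    """Parse raw RFC 5322 messages; return (subject, header, domain, reason) per hit."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        for header in HEADERS_TO_CHECK:
            value = msg.get(header)
            if not value:
                continue
            _, addr = parseaddr(value)
            if "@" not in addr:
                continue
            domain = addr.rsplit("@", 1)[1]
            reason = lookalike_reason(domain)
            if reason:
                findings.append((msg.get("Subject", ""), header, domain, reason))
    return findings


# Constructed sample messages for this example; not real mail.
SAMPLE_MESSAGES = [
    'From: "Johnson, Thomas" <thomas.johnson@example.com>\n'
    "Reply-To: <thomas.johnson@examp1e.com>\n"
    "Subject: Time-sensitive transfer of funds\n\nChris, I need your quick action on this.\n",
    "From: Tom <tom@example.org>\nSubject: Acquisition wire\n\nGet this done today.\n",
    "From: <tom@exmaple.com>\nSubject: Re: Acquisition wire\n\nThe lawyers will be in touch.\n",
    "From: Alice <alice@example.com>\nSubject: Lunch\n\nNoon?\n",
    "From: Bob <bob@partner-firm.net>\nSubject: Invoice 1234\n\nAttached.\n",
]

if __name__ == "__main__":
    for subject, header, domain, reason in flag_messages(SAMPLE_MESSAGES):
        print(f"FLAG [{reason}] {header}: {domain} (subject: {subject!r})")
```

Checking Reply-To as well as From matters because a hijacked or spoofed executive address often carries a look-alike Reply-To so that the victim's answer goes to the criminal. The script flags three of the five sample messages and leaves genuine internal mail and ordinary external partners alone; in practice the finding would feed a mail gateway rule or SIEM alert rather than block outright, since legitimate partners occasionally register confusingly similar names.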