Spoofing the CEO
Print Issue: October 2016
It’s a normal Monday and you’re at your desk in the accounting department, checking your email as you drink your morning coffee, when you see a message from your chief financial officer (CFO) in your inbox.
Without a thought, you open it and read that she needs a wire transfer to pay an invoice immediately. So, naturally when your CFO asks you to do something, you do it and initiate the transfer.
But instead of paying the invoice, the funds go to the account of a cybercriminal who has compromised your corporate email system in a business email compromise (BEC) scam. While the cybercriminal makes off with the money, you’re left wondering whether you can trust emails from your C-suite.
And you’re not the only one. BEC scams have affected more than 2,126 victims globally and cost nearly $21.5 million, according to an FBI public service announcement (PSA) issued in January 2015.
“The BEC is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments,” the announcement explained. “Formerly known as the Man-in-the-Email Scam, the BEC was renamed to focus on the ‘business angle’ of this scam and to avoid confusion with another unrelated scam.”
The wire transfer payments in these scams are typically sent to foreign banks, the PSA added, and can be transferred several times before being quickly dispersed. “Asian banks, located in China and Hong Kong, are the most commonly reported ending destination for these fraudulent transfers.”
This type of scam is becoming a major problem because email users sent and received more than 205 billion emails in 2015. Business email users send and receive approximately 122 per person per day, according to technology market research firm The Radicati Group, Inc.
“In most every organization, email is as central to work as the Internet is,” says Gary Miller, director of information security for business process outsourcing firm TaskUs. “It’s the core collaboration and documentation tool, so you have to be able to give your employees assurance that it’s a secure system.”
BEC first came onto the scene in 2013. It typically involves fraudsters who impersonate high-level executives, sending phishing emails from what appears to be a legitimate address, and requesting wire transfers to alternate, fraudulent accounts.
“BEC scams often begin with an attacker compromising a business executive’s email account or any publicly listed email,” according to a news alert by cybersecurity firm Trend Micro. “This is usually done using keylogger malware or phishing methods, where attackers create a domain that’s similar to the company they’re targeting or a spoofed email that tricks the target into providing account details.”
Fraudsters will then monitor the compromised email account to determine who initiates and requests wire transfers at a company.
“The perpetrators often perform a fair amount of research, looking for a company that has had a change in leadership in the C-suite of the finance function, or companies where executives are traveling, or by leading an investor conference call and using this as an opportunity to execute the scheme,” Trend Micro explains.
Fraudsters then usually pursue one of three options in a BEC scam. The first is known as “The Bogus Invoice Scheme,” “The Supplier Swindle,” or the “Invoice Modification Scheme.” This version of BEC usually involves a business that has an established relationship with a supplier, Trend Micro says. The fraudster asks for funds to be wired to him for invoice payment to a fraudulent account via spoofed email.
The second version is similar and is known as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” or “Financial Industry Wire Frauds.” A fraudster identifies himself as a high-level executive, lawyer, or a legal representative and then initiates a wire transfer to an account he controls.
“In some cases, the fraudulent request for wire transfer is sent directly to the financial institution with instructions to urgently send funds to a bank,” Trend Micro adds.
In the third version, fraudsters hack an employee’s email account and use it to request invoice payments to fraudster-controlled bank accounts. “Messages are sent to multiple vendors identified from the employee’s contact list,” Trend Micro explains. “The business may not become aware of the scheme until their vendors follow up to check for the status of the invoice payment.”
While 2,126 victims were hit with the scam between 2013 and 2015, the FBI says it’s still largely unknown how victims are selected. However, the Internet Crime Complaint Center (IC3), a partnership between the FBI, the National White Collar Crime Center, and the Bureau of Justice Assistance, has noted some common characteristics of BEC complaints.
For instance, businesses and personnel using open source email are most targeted, and individuals responsible for handling wire transfers within a specific business are targeted. BEC scam emails also tend to mimic a legitimate email request, are well-worded, are specific to the business being victimized, and do not raise suspicions as to the legitimacy of the request.
“The amount of the fraudulent wire transfer request is business specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt,” the IC3 said.
The IC3 has a number of recommendations on how companies can protect themselves from BEC, including exercising caution when posting certain information to social media and company websites, such as job duties and descriptions, organizational charts, and out-of-office details.
It also suggests being suspicious of requests for secrecy or pressure to take action quickly, like those seen in BEC scams, and to consider additional IT and financial security procedures, such as two-step verification processes.
In addition to following these recommendations, companies can purchase products that will help make their email more secure. This is the approach that TaskUs took after Miller joined the company in October 2015 and realized that the company was receiving roughly 25 targeted phishing emails per week, like those seen with BEC.
“At TaskUs, we were seeing a lot of phishing emails, many of them with our email addresses, so it looked like it was coming from one of our internal vendors,” Miller tells Security Management. “We were getting sent phish requests to pay invoices that appeared to come from our CEO.”
This was a major concern because TaskUs is a business process outsourcing provider that works with larger tech companies, relying on email communications from their C-suites and customer support leadership.
So the company began looking for a technology that would allow it to implement better identity within email, without losing emails that were critical to its business function. What it found was ValiMail, which provides email authentication services using Domain-based Message Authentication, Reporting and Conformance (DMARC).
DMARC is a technical specification adopted by major email providers, like Gmail, Microsoft, and Yahoo!, that “effectively stops unauthorized email uses of a domain, thwarting the majority of email domain attacks,” according to a white paper by ValiMail.
To provide email authentication as a service, ValiMail works with clients to set up DMARC for their systems and keep it up to date for clients and clients’ partners and vendors who may send email on their behalf. This ability to include vendors was critical for TaskUs, because it has partners that send email on its behalf to its own clients.
After learning about ValiMail in December 2015, TaskUs purchased its email-as-a-service product and began working with ValiMail to implement it.
TaskUs used a two-month period for full implementation of ValiMail because it wanted to initially begin using the service and monitor its impact on emails to see if it was blocking phishing emails or if it was preventing legitimate emails from getting through.
Once it was clear that ValiMail was working, Miller says TaskUs then moved to have detected phishing and unauthorized emails sent to the quarantine (spam) portion of email users’ inboxes.
“We had a few curious employees go into their spam boxes and say, ‘Hey, I got a message. It looks legit.’ And I’d have to say, ‘No, that was put into quarantine,’” Miller explains. “So we knew that we had to go into block mode.”
Now, with ValiMail operating in block mode, no unauthorized phishing emails have made it through the system as spoofs of legitimate TaskUs emails.
“They still come through, they’re just not spoofs anymore so they don’t look like they’re coming from a legitimate party,” Miller says. “Now it’s easier for our users to detect phish. So on top of training, on top of awareness exercises, we’ve also taken away some of the more complex attacks from the attackers and are protecting our users in that way now.”
By ensuring that only authentic emails from TaskUs and its vendors are coming through, ValiMail is also helping TaskUs protect its brand image, Miller explains. “To misrepresent the email coming from your C-level is something that should never be considered acceptable risk within any company.”