What do you do when you get an email from your CEO?
Like most of us, you probably respond very quickly and do your utmost to fulfil whatever their request is efficiently. But what if that request is to transfer $10,000 to a supplier or get to the local Apple store and buy $1,000 worth of iTunes vouchers on the company credit card and send over the codes within the hour?
Most people wanting to stay on the good side of the CEO will probably just do as asked without too many questions. However, there’s a growing technique used by hackers known as CEO fraud, whaling, or business email compromise (BEC).
Falling under the category of social engineering, CEO fraud takes advantage of the very human desire to please the boss through CEO impersonation. The target is often the finance team, and usually appears completely legitimate and reasonable. The email address used to send the request is usually only a character out (think CEO@censormet.com) and all too easy to mistake for genuine.
According to the FBI, CEO fraud and similar attacks were up 1,100 percent from 2013 to 2017 and losses in that timeframe totalled $2.9 billion. Clearly, it’s a good way to make a buck or two – and anyone can be a victim.
In 2013, the toymaker Mattel lost over $3 million to this very scam. An email, apparently written by the CEO Christopher Sinclair, requested a vendor in China should be paid, to which the finance executive willingly obliged. The fraudsters knew what they were doing – not only was Sinclair a new CEO stepping in after a period of change, but the request was also made on a Friday before a public holiday on the Monday. While Mattel was able to retrieve the funds, not everyone will be so lucky.
Criminals are having to adapt as employees get wiser to CEO fraud and impersonation scams. Some of the ways they’ve changed include shifting malicious links from the body of the email into attachments or files in cloud storage that are auto-previewed, this makes it harder for email filters to block them and users more likely to click. Training of employees, while still important, can’t solve the problem.
Awareness needs to be combined with an ultra-modern, multi-layered email security solution. Traditional pattern matching or recurrent pattern matching technologies are useless and, instead, a solution needs to combine content analysis, threat intelligence, and executive name checking.
Content analysis looks out for CEO fraud email containing phrases like ‘urgent wire transfer’ or similar and, while a good first step, comes with a risk of false positives meaning any genuine urgent wire transfer requests may well be quarantined. Tagging external emails, using executive tracking to look for senior leadership names in header and envelope fields, as well as keeping a list of nearby domains and checking emails against that can help reduce the risk of false positives.
While link scanning is also still a good practice, given scammers are now taking links out of the body of emails, you ultimately need a solution that allows for integration and threat sharing across multiple vectors – such as email and web. That means that, should a dodgy link be clicked on, web security can block it from opening and add it to the list of domains to be permanently blacklisted.
Criminals are getting savvier and their techniques far more sophisticated. Any email security solution needs to match them.