Want an easy way to save yourself £35k? Delete emails from your CEO

Posted by Gemma Sirett on March 29, 2019

You’re a financial controller. You get an email from your CEO (who’s abroad on business) addressing you by your first name, apologising for the email late on a Friday, but requesting you urgently make a payment to a trusted regular supplier, with account details helpfully provided in the email to save time. You’d pay it, right?

CEO fraud is an increasingly common type of phishing attack, where a threat actor impersonates a senior executive, and attempts to coerce an employee into transferring funds or personal information to the attacker’s account. The average cost of a CEO fraud attack has risen to £35,000, with one company being fleeced out of £18.5 million because of one unsuspecting financial controller[1].

But how do they keep getting away with it?

It’s all in the research

Attackers’ research is nothing short of meticulous. They scope out your CEO online, hunting through your company’s website, social media, and professional networking sites to learn all they can about that person – what they do, who they know and work with, their style of writing, and even when they’re travelling for work or on holiday. Threat actors will also thoroughly research your company, the way the company does business, and your key suppliers and customers. The more they know, the more believable their attack will seem.

“The adoption of fluent business terminology, industry knowledge and personal references from social and professional networking sites have made the deception associated with business email compromise (BEC) attacks difficult to uncover until it is too late.”[2]

Urgent emails get straight through to your inbox…

CEO fraud doesn’t rely on malicious payloads or sinister links, so the offending email gives anti-virus software and spam filters nothing to detect. It just looks like another email from someone within your company, without any malware attached; the only signals left are who the email really comes from and whether the request itself makes sense.

… and appear to be from the real person’s email account

Adversaries create a spoof of your CEO’s email account which, at a glance, looks genuine enough – for example, changing john.smith@company.com to john.smith@compnay.com. Even more convincingly, attackers use internationalised domain names encoded with Punycode[3] to register spoof domains in which one or more letters are swapped for look-alike characters from another alphabet, so the email address looks identical to the naked eye. The result? The email you receive from this domain looks like the real thing, from the real person.

[Image: Punycode-email] Looks like a legitimate email, right?

You’re the right person for the job

There’s little point requesting a wire transfer from someone who isn’t authorised to make one. As part of their research, attackers will find out who’s authorised to make transfers or change account details, and they’ll target that person. In 2017, Dublin Zoo fell victim to such an attack, where cyber criminals intercepted genuine invoices and changed the payment and account details, so that nearly USD $600,000 was paid to the attackers[4].

But it’s not always the finance department that gets targeted – threat actors can also request personally identifiable information (PII) from your HR team, such as tax information, which can be used for further attacks. For a quicker payday, an attacker can email the HR department requesting to change the account their salary gets paid into (diverting money to the attacker’s account). Again, it’s in line with what the target does, and isn’t too unusual a request for an employee to make.

What can be done about it?

Gartner claims “there is no technological second security layer for impersonation attacks” and “current email security does not provide users with any indicators of the trust they can put in emails”[5]. While this may be true for the majority of email security providers, PERNIX provides both.

Our comprehensive solution provides over 12 fraud detection and content checks, including a VIP module that checks for impersonation attacks and CEO fraud – a company’s VIPs are registered in the system, so it can tell users whether an email claiming to be from your CEO or another known VIP really comes from that person’s registered address. It also checks for those pesky Punycode spoof domains, which are otherwise undetectable. A simple traffic light banner at the top of each inbound email allows users to clearly see whether or not an email is genuine. If an email is not from the VIP it claims to be from, the banner will display a warning message, so the user instantly knows not to trust it.
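As an added illustration (not PERNIX code, and not part of the original post), here is a minimal defender-side version of the two checks just described: decoding the sender’s domain from Punycode to spot mixed-alphabet look-alikes, and comparing a claimed VIP display name against a registered list of VIP addresses. The VIP register and the sample From: headers are constructed for the example.

```python
import email.utils
import unicodedata

# Constructed VIP register (assumption): display name -> the only address that person sends from.
VIP_REGISTER = {
    "John Smith": "john.smith@company.com",
}


def decode_domain(domain):
    """Turn an xn-- (Punycode) domain back into Unicode; plain ASCII domains come back unchanged."""
    try:
        return domain.lower().encode("ascii").decode("idna")
    except UnicodeError:          # already Unicode, or not valid Punycode
        return domain.lower()


def domain_scripts(domain):
    """Alphabets used in a domain, e.g. {'LATIN'} or {'LATIN', 'CYRILLIC'}, taken from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in domain if ch.isalpha()}


def classify_sender(from_header):
    """Traffic-light verdict for an inbound From: header: ('green'|'amber'|'red', reason)."""
    name, addr = email.utils.parseaddr(from_header)
    _, _, domain = addr.rpartition("@")
    unicode_domain = decode_domain(domain)
    scripts = domain_scripts(unicode_domain)
    # Homograph check: a single domain label mixing alphabets is the classic Punycode spoof.
    if len(scripts) > 1:
        return "red", f"domain {domain} decodes to {unicode_domain!r}, mixing {sorted(scripts)}"
    # VIP check: the registered address is genuine; a VIP's name on any other address is not.
    for vip_name, vip_addr in VIP_REGISTER.items():
        if addr.lower() == vip_addr:
            return "green", f"verified VIP address {vip_addr}"
        if name.strip().lower() == vip_name.lower():
            return "red", f"display name claims {vip_name} but address is {addr}"
    return "amber", "sender is not a registered VIP"


# Constructed sample headers; the third uses a Cyrillic 'а' (U+0430) in place of the Latin 'a'.
SAMPLE_HEADERS = [
    "John Smith <john.smith@company.com>",
    "John Smith <john.smith@compnay.com>",
    "John Smith <john.smith@" + "comp\u0430ny.com".encode("idna").decode("ascii") + ">",
    "Alice Jones <alice@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", classify_sender(header))
```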

[Image: Punycode-email-banner] With the PERNIX banner, you can easily see the sender isn’t the VIP they claim to be.

Footnotes
  1. Action Fraud, ‘Action Fraud warning after serious rise in CEO fraud’
  2. NCSC, ‘The cyber threat to UK business’
  3. Wikipedia, ‘Punycode’
  4. NCSC, ‘The cyber threat to UK business’
  5. Gartner, ‘Fighting Phishing – 2020 Foresight’
  6. Gartner, ‘Fighting Phishing – 2020 Foresight’