Security Advisor Middle East|May 2020
There are few things better designed to make an employee panic than an email from the boss marked “urgent”.
With adrenaline running high, a staff member can easily act rashly and do exactly what the message asks, such as paying an invoice. Sometimes, however, such emails come from criminals trying to steal money, not, as they first appear, from a top company executive.
Ryan Trost, co-founder and chief technology officer of the threat intelligence platform ThreatQuotient, encountered these scenarios earlier in his career when he managed a large security operations centre.
“An adversary was masquerading as a senior vice president and sent an email to several employees in our accounts payable department,” explains Trost.
“Although the fictitious email address was a Gmail account, the adversary was able to manipulate the email envelope field and include the VP’s real email address to better camouflage the attack.”
The email included a fake invoice and asked for a wire transfer to be expedited to avoid a steep late fee.
The spear-phish was well crafted: direct and authoritative, with proper grammar and the vice president’s legitimate email signature. It went to every employee needed to approve a wire transfer.
What gave the game away was that, at the bottom of the email, the vice president's nickname was not included as it should have been. As Trost puts it, “a minor but obvious nuance.”
“This personal level of detail is usually hard for adversaries to mimic and is commonly overlooked,” he adds.
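The trick Trost describes, a consumer mailbox dressed up so that the executive’s real address appears in the visible sender field, leaves traces a mail gateway or SOC triage script can check. The following Python is an added example, not code from the article or from ThreatQuotient; it assumes a small executive directory, a list of consumer mail domains, and that the “envelope field” Trost mentions is the From display name. The sample messages are constructed for the example.

```python
"""Flag display-name and Reply-To spoofing in email headers (BEC triage)."""
import email
import re
from email.utils import parseaddr

# Assumed executive directory; the name and address are made up for this example.
EXEC_DIRECTORY = {
    "jane.doe@example.com": "Jane Doe",
}
# Consumer mail providers often used by BEC actors (illustrative list, an assumption).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_headers(raw_message: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message; empty means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. An address embedded in the display name whose domain differs from the real sender.
    for embedded in EMAIL_RE.findall(display_name):
        if domain_of(embedded) != from_domain:
            findings.append(f"display name shows {embedded} but sender is {from_addr}")

    # 2. Reply-To routes answers to a domain other than the visible sender's.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} differs from sender domain {from_domain}")

    # 3. Display name matches a known executive but the address is not theirs.
    for exec_addr, exec_name in EXEC_DIRECTORY.items():
        if exec_name.lower() in display_name.lower() and from_addr.lower() != exec_addr:
            where = "a consumer mail domain" if from_domain in FREEMAIL_DOMAINS else from_domain
            findings.append(f"display name impersonates {exec_name} but sender is {from_addr} ({where})")
    return findings


# Constructed sample messages (not the messages from the article).
SPOOFED = """\
From: "Jane Doe <jane.doe@example.com>" <jane.doe.svp@gmail.com>
Reply-To: jane.doe.svp@gmail.com
To: payables@example.com
Subject: URGENT - wire transfer

Please expedite the attached invoice today to avoid the late fee.
"""
REPLY_TO_HIJACK = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.svp@gmail.com
To: payables@example.com
Subject: Invoice approval

Can you confirm by reply?
"""
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: payables@example.com
Subject: Q2 budget

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("reply-to", REPLY_TO_HIJACK), ("legit", LEGIT)):
        print(label, analyse_headers(raw) or ["no findings"])
```

These header checks are a heuristic, not proof: a message that passes them can still be fraudulent, and a sender domain that is properly authenticated by SPF, DKIM and DMARC still says nothing about whether the invoice is genuine. The control that actually stops the loss is the one Trost's story points to, a payment change or rush request verified out of band with the person who supposedly sent it.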
“Unfortunately there doesn’t seem to be any meaningful reduction in the amount of BEC, since it represents a relatively easy and efficient way for criminals to make money.” - John Shier, Sophos
This was an attempt at CEO fraud, a form of business email compromise (BEC), and such emails are often successful because they deliberately push a series of buttons.
Firstly, these tend to be aimed at the finance department of companies, where there may be less awareness of the risk of cyber fraud than there is in the security or IT department.
Secondly, the fraudsters ask the target to pay an invoice into a bank account that the criminals control, rather than the account of a genuine supplier to the company.