Archive

Go to:

October 2017
SMTWTFS
1234567
891011121314
15161718192021
22232425262728
293031
< Sep Nov >
Leaguer Email Subscription

You are not currently subscribed. Click Subscribe below to receive the Leaguer email.

Krebs: FBI Says $2.3 Billion Lost to CEO Email Scams
Monday, April 11, 2016 6:30 AM

041116_pic_krebs_on_security_ceo_phishing_scam.jpg
A typical CEO fraud attack. Image: Phishme

The U.S. Federal Bureau of Investigation this week warned about a “dramatic” increase in so-called “CEO fraud,” email scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years.

In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270 percent increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every US state and in at least 79 countries.

CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the letter “L” for the numeral 1) or “example.co,” and send messages from that domain.

Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes rarely set off spam traps because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel, and/or purchasing plans.

They do this by scraping employee email addresses and other information from the target’s Web site to help make the missives more convincing. In the case where executives or employees have their inboxes compromised by the thieves, the crooks will scour the victim’s email correspondence for certain words that might reveal whether the company routinely deals with wire transfers — searching for messages with key words like “invoice,” “deposit,” and “president.”

The FBI estimates that organizations victimized by CEO fraud attacks lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars. 

But CEO fraud attacks succeed because they rely almost entirely on tricking employees into ignoring or sidestepping some very basic security precautions. Educating employees so that they are less likely to fall for these scams won’t block all social engineering attacks, but it should help. Remember, the attackers are constantly testing users’ security awareness. Organizations might as well be doing the same, using periodic tests to identify problematic users and to place additional security controls on those individuals.

For more on this story, please visit Krebs on Security.