Stop
Play

The Business Email Compromise: Spoofing the CEO

Back to Home
The Business Email Compromise is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The fraudulent wire transfer payments sent to foreign banks may be transferred several times but are quickly dispersed. Asian banks, located in China and Hong Kong, are the most commonly reported destination for these fraudulent transfers, however, bank accounts located across the globe are being actively exchanged on criminal forums.
 
The prevalence of Business Email Compromise’s is increasing globally, and most scams are conceived and carried out by experienced groups of criminals located outside of the United States. The Business Email Compromise is executed in technical or non-technical fashion, and may be as simple as spoofing an organization’s email address, to pose as a senior executive sending a request for funds to be transferred to an external entity. The scam generally corresponds with key personnel being absent from the office, and the scam targets lower or mid-level management of an organization.
 
Criminals are successful in not only scamming organizations to transfer funds to their overseas bank accounts, but also in withdrawing the funds successfully. Funds are generally withdrawn by the criminals before victim organizations are witting that they have fallen victim to fraud. Additionally, in many instances, funds are dispersed among various overseas accounts to mask the identity of the perpetrators, and to make it increasingly difficult for the funds to be recouped.
 
Global bank accounts are exchanged on dark web criminal forums, likely set up solely to funnel money via fraudulent wires. Recipients of these accounts are not aware of where the funds are coming from, or who supplied the account.
 
The example below is an exchange on a dark web criminal forum:
 
In previous cases, review of email headers for emails used to perpetrate a spoof, are routed through overseas mail servers, making original Internet Protocols (IP) difficult to trace. Time stamps located in the header information of the emails lend to the possibility that emails primarily originate from Western Europe, Eastern Europe, Western Russia or the Middle East. However, the lack of information to corroborate this theory does not support an attack originating in those regions.
 
Defensive Measures
 
Implement or update the sender policy framework (SPF). The SPF allows domain owners to publish a list of IP addresses that are authorized to send email on their behalf. An adequately updated SPF will make it difficult for malicious senders to disguise their identity, reducing the amount of spam and fraud. Use of DomainKeys or DKIM also are protective measures that work to make email forging more difficult.
 
Cyber security awareness training should be delivered bi-annually at a minimum to all employees, contractors, and partners. All industries share one principle digital security threat, which is the malicious or ignorant insider. Professional hackers do not target the system, they target the person.
 
Turn off "out-of-office” auto-reply emails to external domains. Scammers looking to exploit organizations with a business email compromise will often send emails targeting specific personnel and organizational business units specifically seeking out-of-office replies. The malicious actors will then spoof the email of the individual who is away, further establishing legitimacy in the scam.
 
Conduct social media foot printing of your organization and employees, and conduct penetration testing of networks and facilities to determine vulnerabilities. Then heed recommended remediation.
 
Use digital signatures in email communication. Similar in concept to hand-written signatures, digital signatures offer additional security through encryption. A digital signature is an encrypted hash that assures the recipient of the authenticity, integrity and non-repudiation of the message.
 
Do not conduct official business with personal email addresses. Webmail services such as Gmail, Hotmail, and Yahoo mail are easily exploited and spoofed. A malicious actor could easily infiltrate personal email to obtain corporate proprietary data, as well as key personal information to assist in perpetrating fraud. Additionally, if personal devices are authorized for business use, ensure that comprehensive mobile device management (MDM) procedures are in place.
 
The listed defensive measures will provide added protection against the Business Email Compromise, but criminals continue to craft more sophisticated scams in an effort to bypass organizational controls. Ensure that your organization has a battle-tested incident response plan and business continuity guidelines in place prior to becoming a victim to a Business Email Compromise.