270 billion emails are sent worldwide every day, which gives cyber criminals plenty of opportunity to misuse this channel for email spoofing or CEO-fraud. Malicious senders try to obtain large sums of money or confidential information by sending fake emails to your employees or customers. They pretend to be a trusted business, a colleague or even the CEO to improve their chances of success, causing serious damage to many SMEs and corporates.
Email spoofing and CEO-fraud are both forms of cybercrime in which malicious parties send emails to or from an organisation as if they were a person working there. This type of digital fraud resembles phishing, but here attackers go to extreme lengths to collect organisational or personal information on the ‘sender’. This adds to the credibility of the fake message and makes this type of cybercrime even harder to fight. CEO-fraud is well prepared: attackers go through open sources and social media platforms to gather information about their victims. Only after building a convincing profile of their target do they start the digital attack.
The most successful CEO-fraud cases stem from proper research by the attackers using Open Source Intelligence (OSINT) sources like social media networks (LinkedIn, Facebook, Twitter) and presentation sites such as Prezi, Slideshare and Google Docs.
Attackers gather information on their target through OSINT (passive intelligence) and active intelligence. The active part usually means infiltrating the organisation, typically with leaked credentials. In certain cases, attackers log in to webmail systems and set up email forwarding rules to external addresses hosted at anonymous email providers. This lets them eavesdrop on conversations between the target and their contacts and learn what a normal email thread looks like.
As a next step, the attackers set up a similar-looking website (a phishing site). Its URL usually differs from the official domain name by a single character, e.g.:
These websites usually display an official logo and a valid certificate to look more convincing. Alternatively, attackers may use fake LinkedIn profiles to gain the confidence of your employees.
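As an added example (not code from the original article), the following Python flags sender domains that sit within one edit of a trusted domain, the "one character different" pattern described above; the trusted domain and the From: headers are constructed placeholders.

```python
"""Flag sender domains one edit away from a trusted domain (added example)."""
from email.utils import parseaddr

# Constructed placeholder for the organisation's real domain.
TRUSTED_DOMAIN = "example-corp.com"

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution
    or adjacent transposition each count as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN, max_edits: int = 1) -> bool:
    """True when the domain is not the trusted one but within max_edits of it."""
    domain = domain.lower()
    return domain != trusted and osa_distance(domain, trusted) <= max_edits

def flag_messages(from_headers):
    """Return the From: headers whose sender domain is a lookalike."""
    return [h for h in from_headers if is_lookalike(sender_domain(h))]

# Constructed sample From: headers, not taken from a real mailbox.
SAMPLE_FROM_HEADERS = [
    '"CEO" <ceo@example-corp.com>',          # genuine domain, not flagged
    '"CEO" <ceo@examp1e-corp.com>',          # substitution l -> 1
    '"CEO" <ceo@exampel-corp.com>',          # transposed letters
    '"CEO" <ceo@example-corp.co>',           # dropped character
    '"CEO" <ceo@examplee-corp.com>',         # inserted character
    '"CEO" <ceo@exarnple-corp.com>',         # m -> rn is two edits: missed at max_edits=1
    '"Supplier" <ap@unrelated-vendor.net>',  # unrelated domain, not flagged
]

if __name__ == "__main__":
    for header in flag_messages(SAMPLE_FROM_HEADERS):
        print("lookalike sender:", header)
```

Raising max_edits to 2 also catches the m/rn case, at the cost of more false positives on short domains.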
After the attack has been prepared, the email is sent to the target's contacts. These emails usually contain payment instructions or ‘change of bank account’ notifications. They look very similar to genuine emails, as attackers are experienced in blending in with the normal flow of your organisation. Even well-trained personnel might not recognise them as an attack.
Emails sent by cyber criminals might contain links or attachments that lead recipients to a phishing web page or install malware on their device. Messages can also contain requests for payments or confidential details. Because the email seems to come from a trusted and authoritative source, employees or third parties often provide what is requested. This way, payments are easily diverted to fraudulent bank accounts and sensitive information, such as passwords, is easily shared.
There are some steps you can take to protect against CEO-fraud. These are:
We have successfully assisted many of our clients protect themselves against these kinds of digital risks. Contact us today to guard your organisation against CEO-fraud.
Most of the information used by attackers is found online. That’s why it is important to know which company details are publicly accessible. Protect your organisation by tracking attackers that use your brand name or the names of your C-level and other senior executives.
Knowing your online footprint will significantly decrease the risks of CEO-fraud.
Take control today!