Jump to content


Scammers Trick Executives With 'CEO' Emails

spam spoofing china attack phishing security protocols

  • Please log in to reply
7 replies to this topic

#1 Hum


    totally wAcKed

  • 63,716 posts
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 14 November 2013 - 01:50

Spam emails that try to solicit personal information, known as phishing, are taking advantage of corporate servile culture with messages feigned to resemble that of a company CEO, addressed to the firm's executives.

"Someone will spoof an email to the CFO or controller and it will purport to be from the CEO," Christopher Novak, managing principal and security expert at Verizon Business told American Banker. "The email will say something like, we need to sponsor this event or pay this vendor, it's urgent and I need you to wire $100,000 into this account immediately, we're already 30 days late. Because it's from the CEO, other staff will expedite the request."

Andrew Valentine, a security expert and principal with Verizon Enterprise Solutions, said he has seen large number of cases in which a CEO gets an email that looks to be from the CFO, or a similar variation.

"Ninety-five percent of the cases originating from China start with just this kind of attack," Valentine said. "It's one of the reasons I hate the phrase 'Advanced Persistent Threat,' or APT. There's nothing advanced about a phishing e-mail."

 In one instance at an engineering firm, Valentine said, an executive was the target of a phishing attack with an email addressed from the company CFO.

"The CFO's name was spelled incorrectly, it was a Yahoo email address rather than an internal one, and you had to double-click on a zip file attachment," Valentine said. "There were so many red flags that he shouldn't open it, but people will click on phishing messages."

But Valentine said phishing email victims are not necessarily "gullible. I think very smart and capable people fall for phishing attacks," he said.

But when people receive a couple hundred emails in an eight-hour period or less, their level of scrutiny may decrease.

"In one case, the CFO happened to have lunch with the CEO and said, just out of curiosity, who was that merchant you had us expedite the wire transfer to?" Novak said, describing one example. "The CEO said, 'What are you talking about?' The blood drained out of the CFO's face and he said he had to go. We've seen more than a dozen of those happen in the last week. Probably over $10 million has moved in the last week because of this."

 The recent spate of spear phishing attacks on financial services personnel demonstrates the increasing level of sophistication of identity thieves and the inevitability of individual and institutional compromise, said Adam Levin, co-founder and chairman of Identity Theft 911.

He says the "only intelligent way" to respond to such attacks is to design and implement more sophisticated security protocols.

"Companies should also step up training programs to help employees better spot potential fraud and to drill into them that under no circumstances should they provide any personal identifying information on any website or to any third party without corroboration from supervisors and/or trusted third parties," Levin said. "As identity thieves count on moments of confusion or distraction, such as time pressures, no wire transfer or [automated clearing house] of any significant amount should be initiated without protocols requiring more than one authorization and a time frame longer than 'right now.'"


#2 Shiranui



  • 4,351 posts
  • Joined: 24-December 03

Posted 14 November 2013 - 02:11

What kind of vegetable would transfer $100,000 based on an email alone?

#3 webeagle12


    Neowinian Senior

  • 7,366 posts
  • Joined: 26-May 04

Posted 14 November 2013 - 02:23

What kind of vegetable would transfer $100,000 based on an email alone?


#4 Sandor


    Neowinian Senior

  • 3,995 posts
  • Joined: 28-November 03
  • OS: Win 8.1

Posted 14 November 2013 - 02:25

What kind of vegetable would transfer $100,000 based on an email alone?

A Tomato.

#5 primexx


    Neowinian Senior

  • 12,887 posts
  • Joined: 24-April 05

Posted 14 November 2013 - 03:05

Most companies aren't even using SPF & DKIM to authenticate their own emails. You can probably spoof the "From" header with impunity.

#6 Buttus


    Neowinian Senior

  • 3,436 posts
  • Joined: 07-September 05

Posted 14 November 2013 - 03:25

I could see a high up officer in a company getting one of these emails, not wanting to be bothered and forwarding it to his underling, and just saying 'take care of this'...  the underling wanting to look good, does the rush transfer without verifying anything, and boom!  money gone.....

#7 OP Hum


    totally wAcKed

  • 63,716 posts
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 15 November 2013 - 06:03

E-mails should at least include an authentication secret code if there is any money involved.

#8 TCA


    Neowinian Senior

  • 3,033 posts
  • Joined: 18-February 04
  • Location: Vanillia Unicorn
  • OS: (NB) Windows 8 x64 (PC) Windows 7 Ultimate x64
  • Phone: Galaxy Alpha; Nexus 5

Posted 15 November 2013 - 06:08

What kind of vegetable would transfer $100,000 based on an email alone?

more like moron instead of a veggie.