Scammers Trick Executives With 'CEO' Emails

By Hum
in Back Page News

 Share

Recommended Posts

Grand Master

Hum

Posted
Posted

Spam emails that try to solicit personal information, known as phishing, are taking advantage of corporate servile culture with messages feigned to resemble that of a company CEO, addressed to the firm's executives.

"Someone will spoof an email to the CFO or controller and it will purport to be from the CEO," Christopher Novak, managing principal and security expert at Verizon Business told American Banker. "The email will say something like, we need to sponsor this event or pay this vendor, it's urgent and I need you to wire $100,000 into this account immediately, we're already 30 days late. Because it's from the CEO, other staff will expedite the request."

Andrew Valentine, a security expert and principal with Verizon Enterprise Solutions, said he has seen large number of cases in which a CEO gets an email that looks to be from the CFO, or a similar variation.

"Ninety-five percent of the cases originating from China start with just this kind of attack," Valentine said. "It's one of the reasons I hate the phrase 'Advanced Persistent Threat,' or APT. There's nothing advanced about a phishing e-mail."

 In one instance at an engineering firm, Valentine said, an executive was the target of a phishing attack with an email addressed from the company CFO.

"The CFO's name was spelled incorrectly, it was a Yahoo email address rather than an internal one, and you had to double-click on a zip file attachment," Valentine said. "There were so many red flags that he shouldn't open it, but people will click on phishing messages."

But Valentine said phishing email victims are not necessarily "gullible. I think very smart and capable people fall for phishing attacks," he said.

But when people receive a couple hundred emails in an eight-hour period or less, their level of scrutiny may decrease.

"In one case, the CFO happened to have lunch with the CEO and said, just out of curiosity, who was that merchant you had us expedite the wire transfer to?" Novak said, describing one example. "The CEO said, 'What are you talking about?' The blood drained out of the CFO's face and he said he had to go. We've seen more than a dozen of those happen in the last week. Probably over $10 million has moved in the last week because of this."

 The recent spate of spear phishing attacks on financial services personnel demonstrates the increasing level of sophistication of identity thieves and the inevitability of individual and institutional compromise, said Adam Levin, co-founder and chairman of Identity Theft 911.

He says the "only intelligent way" to respond to such attacks is to design and implement more sophisticated security protocols.

"Companies should also step up training programs to help employees better spot potential fraud and to drill into them that under no circumstances should they provide any personal identifying information on any website or to any third party without corroboration from supervisors and/or trusted third parties," Levin said. "As identity thieves count on moments of confusion or distraction, such as time pressures, no wire transfer or [automated clearing house] of any significant amount should be initiated without protocols requiring more than one authorization and a time frame longer than 'right now.'"

source

Link to comment
Share on other sites
Grand Master

Buttus

Posted
Posted

I could see a high up officer in a company getting one of these emails, not wanting to be bothered and forwarding it to his underling, and just saying 'take care of this'...  the underling wanting to look good, does the rush transfer without verifying anything, and boom!  money gone.....

Link to comment
Share on other sites
This topic is now closed to further replies.
 Share
Go to topic listing