CEO fraud victims had weak cybersecurity A recent U.S. Securities and Exchange Commission report of nine companies that had been victims of CEO fraud...had sufficient internal controls in place as required by law. The report focused on what the FBI calls “business email compromise” and what in InfoSec circles is known as CEO Fraud: cyber criminals pose as company executives to dupe staff into sending company funds to bank accounts controlled by the hackers. The FBI estimates such scams have led to a whopping 12 billion dollars in losses since 2013. In some cases, attacks on these companies lasted months and were only discovered when law enforcement intervened. Each had securities listed on a national stock exchange and lost at least 1 million, though two lost more than 30 million and one ... Read More

Big $$ in social engineering According to an alert published last year by the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Traditionally, social engineering and intrusion techniques have been the most common ways to gain access to business email accounts and dupe individuals to wire funds to an attacker-controlled account. These methods play out as follows: Social engineering and email spoofing: Attackers will use social engineering to pose as a colleague or business partner and send fake requests for information or the transfer of funds. These emails can be quite convincing as the attacker makes a significant effort to identify an appropriate victim and register a fake domain, so that at first glance the email appears to belong to a ... Read More

Business manager had a hacked email account The bank isn’t always responsible for making you whole after a business email compromise. Indiana’s Lake Ridge Schools lost more than $120,000 from a seven-million-dollar construction fund established to build an athletic complex. The funds were stolen via a wire transfer ordered through a hacked email account. That account belonged to a business manager who was authorized to request payments. The money was requested in the form of wire transfers to several people thought to be contractors on the project. At the time the wire transfers were requested, the business manager was on vacation and the bank, BNY Mellon had received an out-of-office notification days before. Email had a different font Lake Ridge Schools sued BNY Mellon, alleging that the bank’s failure ... Read More

Government shut down does not stop the thieves Once again we are starting tax season, and Internet thieves are spinning up phishing campaigns to exploit the myriad opportunities afforded by this annual ritual to trick unsuspecting users into coughing up their money, identities, and the credentials to online accounts. Curiously, these campaigns are proceeding even though the U.S. government is partially shut down, causing widespread confusion over whether the IRS will be sufficiently operational to process tax returns and issue refunds. The bad guys, of course, appear to be facing no operational difficulties and are more than happy to step in to take your refunds, your bank accounts, and your identity. Although we have not as yet seen the now infamous W-2 phishing campaigns that have plagued previous tax seasons, they are almost ... Read More

California wildfires used for social engineering Internet thieves are using the California wildfires as a social engineering tactic to trick you into buying gift cards supposedly intended for victims of the disaster, according to James Linton at Agari. The scammers send emails to employees of organizations posing as their CEO. These CEO Fraud emails target employees who work in accounting, finance, or administration, and tell their recipients to purchase gift cards worth hundreds of dollars to be sent to clients affected by the fires. The employees are instructed to send photos of the codes on the purchased cards, after which the criminals can use online services to convert them into regular currency. Scammers exploit tragedies One of the demoralizing byproducts of large-scale tragedies is the tendency for scammers to exploit people’s charitable ... Read More

Good guys: 1. CEO fraud: 0 The case of how the FBI turned the tables on cybercriminals using the very same tactics demonstrates how powerful the art of social engineering and deception can get a victim to act. This story starts with cranes and ergonomic lifting manufacturer Gorbel who were scammed out of $82,000 using a simple fileless CEO scam. The accounts payable team was sent an official-looking email from an account purporting to be the CEO. The scam worked, Gorbel was out the $82K, and the FBI was brought in. But, it wasn’t enough to take Gorbel for tens of thousands of dollars; no, the cybercriminals wanted to take a drink from the same well a second time, again purporting to be the CEO. Turning the tables With the FBI engaged, ... Read More

Attractive target The real estate industry is a particularly attractive target for CEO Fraud, according to FBI spokesman David Fitz. Fitz told The Baltimore Sun that the industry’s day-to-day activities present a host of opportunities for scammers, including large, online transactions and a great deal of remote communication. Between January 2017 and November 2018, sixty victims in Maryland lost over $2 million combined as a result of hijacked real estate transactions. Fitz notes that those numbers could be much higher, since many individuals and companies may refrain from reporting that they were scammed. Hacked email account A CEO Fraud real estate scam usually starts with an attacker hacking the email account of an agent or company employee, often via a phishing email. The attacker then observes the correspondence within ... Read More

CEO fraud villian posed as a contractor Months after a classic CEO fraud scam took Galveston County, Texas for $525,000, County Judge Mark Henry is now asking for the County Auditor and Purchasing Agent to resign. It’s one of the easiest scams to pull off – do a little homework and identify a contractor working for a business or government with lots of money, impersonate someone from the contractor’s accounting department, and send an email to the victim organization asking for a bill to be paid. In the case of Galveston County, this is pretty much as sophisticated as it got. The scammer pretended to be working for Lucas Construction, a Houston company doing road work for the county. Look for the red flags And just as the CEO Fraud is relatively ... Read More

Spot red flags to avoid becoming a CEO fraud victim Two top-level executives of European movie chain, both the Managing Director and the CFO, were fired recently, after it became clear that they fell for a massive CEO Fraud attack. This could have been prevented if they only would have spotted the red flags. In a recent Amsterdam, Holland court decision the details were revealed how this scam went down, and what errors were made along the way. Thursday, March 8th, the MD of a Dutch movie chain gets an email from the CEO of their holding company: "Did KPMG already call you?" The email was sent from a smartphone. The MD forwards the email to their CFO, but both are puzzled. They decide to email back and ask what ... Read More