April 7, 2016

The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years.

In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270 percent increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries.

A typical CEO fraud attack. Image: Phishme

A typical CEO fraud attack. Image: Phishme

CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the letter “L” for the numeral 1) or “example.co,” and send messages from that domain.

Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes rarely set off spam traps because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans.

They do this by scraping employee email addresses and other information from the target’s Web site to help make the missives more convincing. In the case where executives or employees have their inboxes compromised by the thieves, the crooks will scour the victim’s email correspondence for certain words that might reveal whether the company routinely deals with wire transfers — searching for messages with key words like “invoice,” “deposit” and “president.”

On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, CEO fraud is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the CEO scam the crooks trick the victim into doing that for them.

The FBI estimates that organizations victimized by CEO fraud attacks lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars. 

Last month, the Associated Press wrote that toy maker Mattel lost $3 million in 2015 thanks to a CEO fraud phishing scam. In 2015, tech firm Ubiquiti disclosed in a quarterly financial report that it suffered a whopping $46.7 million hit because of a CEO fraud scam. In February 2015, email con artists made off with $17.2 million from The Scoular Co., an employee-owned commodities trader. More recently, I wrote about a slightly more complex CEO fraud scheme that incorporated a phony phone call from a phisher posing as an accountant at KPMG.

The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.

For an example of what some of these CEO fraud scams look like, check out this post from security education and awareness firm Phishme about scam artists trying to target the company’s leadership.

I’m always amazed when I hear security professionals I know and respect make comments suggesting that phishing and spam are solved problems. The right mix of blacklisting and email validation regimes like DKIM and SPF can block the vast majority of this junk, these experts argue.

But CEO fraud attacks succeed because they rely almost entirely on tricking employees into ignoring or sidestepping some very basic security precautions. Educating employees so that they are less likely to fall for these scams won’t block all social engineering attacks, but it should help. Remember, the attackers are constantly testing users’ security awareness. Organizations might as well be doing the same, using periodic tests to identify problematic users and to place additional security controls on those individuals.


40 thoughts on “FBI: $2.3 Billion Lost to CEO Email Scams

    1. James

      I do. If that’s my company making losses, or a potential customer that won’t be able to buy my company’s services, then I care very much indeed. And if the money is going into the pockets of organised crime, I care even more.

    2. trefunnyMan

      As much as I hate big corp… there are plenty of awesome CEOs.

      But as many have pointed out, i think you completely mis-read the article. Its Betty in accounting that sent out the wire or the CFO that will get canned because of this… not the CEO.

    3. Ollie Jones

      It’s the COMPANY that got scammed, not the CEO. And it screws them up, their customers, and employees. Ubiquiti, for example, put a lot of resources into the org running the Red Hook Wifi project in an isolated housing project in Brooklyn. But their spearphishing fraud loss forced them to pull back. That’s not good. http://redhookwifi.org/

      That being said, why are people in companies so enthralled with their CEOs that they don’t double check these instructions?

      Why don’t CEOs say something like “I will never give wire transfer instructions by email without a confirming personal phone call.” (CEOs shouldn’t be initiating routine wire transfers anyway; it means they aren’t doing their real jobs.)

      1. Bob

        Why don’t you think that employee and scammer could be the same person? It’s so simple “Oops, I’m sorry, I got scammed, it’s not my fault”

  1. Michael Cook

    Technically, it’s not the CEO’s getting scammed, although something they did probably compromised their credentials, so their email could be read and studied to learn their “style”. It’s typically the CFO getting scammed, or a finance person who can request a wire. The CEO is probably in the dark until the actual wire has been made. Guess all in all, there are a couple points of failure here.

  2. Mike

    One wonders what the operational model is in those companies where mailing that kind of just being the ceo makes payments happen

    1. BG

      This. What sort of culture and accountability is there where a CEO can ask “deposit X into Y” and there not being a million alarms bells going off.

      Surely basic corporate governance says you pay on a verified invoice for services/goods, it gets signed off by at least two staff – not a “oh, lets transfer millions overseas for the lulz”.

  3. Frank Word

    BTW, this scan is a well known secret among bankers. Its about time that others know. Most bankers don’t like to say it etc. Internal education on the scams are a must and two factor reduces risks but not 100%. This can all be social engineered or have a man in the middle. Layers of internal controls are a must but no guarantees of course. Thus the need for a solid incident response plan.

    1. Brad Rose

      As a banker, this isn’t a secret among bankers. It is a very real threat where we try, try, try to educate our customers. Most customers don’t want to be bothered.

  4. xhir0

    The answer to this is solid procedures and controls. Education helps, but if all it takes is one person to sign off on such a large transfer, then the failing is more than lax security training. Two signatures for large transfers, vocal // visual confirmations of transfer orders, and a culture where questioning requests like this is desired, not punished are the keys to preventing this type of attack.

    Procedures not like this are usually due to arrogant CEOs wanting absolute power, CYA cultures that do not encourage taking responsibility, and lack of investment in InfoSec.

    As for the CEOs, I don’t care if their golden parachutes get shredded, they’ll still live in a world I can’t imagine.

    1. R Mccoy

      I have seen arrogant PEOPLE that got caught in this scam, but not all were CEOs.

      This scam goes under a couple different variant names. However, I have seen this scam first hand a couple of times. I rarely see the CEO/President involved. Once the email system is compromised they look for the person who initiates the wires. This person is usually the Controller/Comptroller, CFO, Account Manager, and sometimes CEO. The email can come from someone below the rank of the victim or above. The scenarios I have seen have been from the person who usually sends the wire requests to the individual which normally is of a lower rank.

  5. Nikon1

    Just goes to prove that the weakest link in security is still the human at the keyboard.

  6. Robert Scroggin

    I think that CEOs as a group tend to think that rules/regulations/procedures are for the employees–not for them, resulting in a lack of respect/concern for rules/regulations/procedures. This attitude serves to make it easier for the bad guys.

    Regards,

    1. Chriz

      Totally true! I’ve seen it countless times, leaders bypassing all processes in place to get their request done ASAP.

      “Forget about the security approval, user access review, I want it now!” – Classic…

    2. meh

      Our CEO threatened to fire us for doing an email education training/quiz. They usually do deserve it, but they aren’t the ones that will suffer the losses even if they should be.

  7. Clay Yearsley

    We’ve been training Executives, Board members, and staff about this attack methodology for about a year. The term we’ve heard and use is “whaling”.

  8. twinmustangranchdressing

    Kindly forgive me for going off-topic here.

    Adobe just released (not on a Patch Tuesday) an update for Flash Player, 21.0.0.213, to patch a zero-day vulnerability. I use a MacBook running OS X 10.6.8 and a netbook running Windows XP SP3 (yeah, I know, I know). On both, Chrome got the update but Firefox did not, even though the update process appeared to proceed to completion without any issues.

    Coincidentally, Chrome itself was updated on the netbook (but not the MacBook) to 49.0.2623.112 (from .110) despite the notice displayed in Chrome that XP and Vista no longer receive updates.

    1. Derek

      No, I don’t forgive you. This is completely irrelevant to the subject, and you are only annoying Krebs’ readers by posting it.

    2. Ricki

      Forgiven, useless info to the article but it only took 1 sec to say “I already know that”

    3. twinmustangranchdressing

      Folks, Brian usually makes a post when there’s an update for Flash Player before Patch Tuesday. But I wouldn’t have posted my comment just to announce this update. I posted to warn others that the plugin for Firefox, et al, wasn’t actually being updated. Anyway, I checked again a short time ago and the updated NPAPI plugin is finally available.

    4. Tucker

      You should stick to the topic at-hand; otherwise, you look like an idiot.

  9. Jeff C

    I’m in IT security for my company and thankfully our employees are on top of this most of the time. There are almost daily emails targeted at employees in our finance department using spoofing techniques showing the email coming from our CEO or CFO and indicate the message was sent from the user’s mobile device (…sent from my iPhone). Always something on the lines of, “I’m in a meeting but will be monitoring my phone so please respond directly to my email when the requested wire transaction is completed.” The key there is to respond directly to the fraudulent email rather than opening up a new email using the company directory. Since we are a fairly small company, there are less than 5 employees that would have access to perform the task and all know just by reading that the email is fraudulent. I’m notified and I verify using the headers where the email originated from and block the address coming in and out along with a few other controls along the way. We are also making additional adjustments for further prevent spoofing, but have really taken all the needed steps with rules configuring, SPF and DKIM, etc. Recently we had a string of emails requesting W2s and employee files to be sent to an impersonating CFO and HR VP, obviously coinciding with tax filing season. Along with all the technical resources at hand to reduce fraudulent emails, one of the best defenses is to have alert employees that are not taken in by the scam. Email reminders are sent out company wide reminding our employees of best practices and we have the usual security awareness training. But as will these types of errors, it is the human factor that is the problem. Last year, a company in my city, Scoular Co, made national news because an executive at the company did fall for a wire scam and wired $17.2 million to a bank in China through a series of transactions. (Brian has mentioned this in several articles prior to today.) I would have assumed that the email and instructions were highly convincing to entice an executive that works closely with the CEO to successfully perform the transfer that wasn’t legitimate (and as I recall there was a series of coincidences with that case that were highly unusual.) Additionally I would assume there were many changes that took place after the fact. It is hard to put blame at just one person, but I’d be curious what technical controls and training was in place at Scoular prior to the incident. All business should adopt smart controls and procedures and make sure all employees understand those procedures and know their responsibilities. Let employees know it is OK and expected to take the extra step to ask advice on how to handle a situation or verify the validity by sending an internal IM or making a phone call, even if you do happen to interrupt an executive. They’ll thank you for your diligence.

  10. Steve

    As was said, DKIM and SPF is important but without DMARC, they are limited in what they can do.

    With DMARC enforcement turned on, emails spoofing the company’s actual domain (which is very common) will be blocked altogether.

  11. Huh?

    A big resource these guys used was VistaPrint.com’s portal to register domain names with fake credit cards since they didn’t validate the CC till some time later. (This has been fixed, but it took way too long). The bad guys could register a site with a domain very close to your company, point it to a VPS and start the scam. They have moved on to other similar services.

    Also, this money has to go somewhere…Where? Mules. It would be interesting if a certain investigative reporter looked into how these other other crooks lure in the unsuspecting mules and how the practice has evolved over the years.

  12. RSG

    Brian: Mattel nearly lost $3 million+, but intervened and all funds were recovered.

  13. Audrius

    This type of fraud has been prevalent in France for a number of years. There are many articles quoting French coppers that more than 300 millions of EUR have been lost by French companies over a span of 3 or 4 years. In the end of last year the French even released a movie titled Thank you for calling or Je compte sur vous in in French. It is based on a true story of a certain gentleman named Gilbert Chikli who is currently hiding in Israel. According to many articles in the French newspapers, he’s the godfather of the fake CEO fraud. I think it’s just a matter of time until this chap writes a book.

  14. William Deller

    Brian,

    Wanted to see if you’re interested in a speaking engagement at the Pittsburgh Information Security Awareness Day event sponsored by ISACA’s Pittsburgh Chapter. We would love to have you as our keynote speaker, and would provide compensation. Please let me know if you would like more details.

    Thanks!
    -Bill

  15. alfredo

    dirty money has no valution! u can have 1 biilion but its just worthless,and good luck to find country like russia, who let u to lounder this money?? remeber countries like russia have inflation,couse alot dirty money! MONEY HIMSELF IS worthless,

  16. Dale

    To some extent, I can understand that small companies may be fooled into this scam. Larger companies should have financial and audit processes that would make this kind of email request completely impossible. Most companies should require a Purchase Order or an associated Business Contract to issue a payment on. In these cases neither would exist. This would likely be in violation of most standard accounting or audit practices. If the CEO lacks the knowledge of these governance laws/processes then the CFO or company legal counsel should. If this occurs in a company then they likely have many other risks that they are exposed to. In any event, the leaders of the finance and legal groups should bear the greatest responsibility for these losses.

  17. James E

    I had worked in a company that had fraudster posing as a vendor tried to have the company wire money to another account.

    One of the rules they require is that a vendor send a letter with the company letterhead along with valid signature in order to update or change the account information. When the first one did not work, they tried another way and that prompted an investigation. It found that someone from South Korea was initiating it posing as one of their vendor in China. With the vigilant, the company did not lose any money due to an alert Senior AP employee.

  18. DH

    Here is a discussion over some technical controls to stop CEO/CFO spear phishing (not phishing in general). The first control is simply using SPF, but the 2nd is a blacklist approach with the assistance of URLCrazy. The 2nd ends up being a neat little trick that works quite well and it costs nothing. The article provides a nearly step-by-step implementation on both.

    http://linuxincluded.com/stop-ceo-cfo-domain-spear-phishing/

Comments are closed.