Gone Phishing with CEO
Business Email Compromise (B.E.C) Scam or what has come to be referred to as CEO Scam is proving to be most successful spear phishing attack in recent times. The prevalence and financial loss associated with the scam can’t be ignored. It’s intriguing how a smartly drafted email can lead to $.2.3 billion loss in just 3 years (FBI. No malware needed, no technical skills just an art of persuasion, intimidation and an understanding of corporate culture.
BEC is taking advantage of corporate culture and politics. BEC Scam is usually an email purporting to be from the CEO requesting transfer of funds/payments or requesting for some confidential information which is addressed to staff especially in finance, procurement and other staff who are involved in payments.
To understand the success of the scam we have to analyze the CEO role. Authority, power (some which you can smell, pass by a CEO office of conglomere and you will smell it!!) and politics associated on the role are driving the craze with BEC. Spammers and generally social engineers are abusing the CEO office by critically analyzing the qualities of the office and taking advantage of the loopholes in the qualities. From our interactions from our clients its indicating the CEO is ‘above the law’. She is allowed to disregard procedures and policies as part of her ‘executing’ roles. She is the ‘Executing Officer’ and no one is supposed to question her.
Secondly, there is always a rumor that CEO has disregarded policy before or even set new ‘policy’ by word mouth or email. There is a client who mentioned that there was a staff who was fired for sticking her ground on policy and disregarding CEO request. The interesting thing is that the provider of the information couldn’t substantiate that but it just shows how grapevine is powerful in a corporate. Picture the image created when you have such rumors going around the organization.
BEC scam shared by one of our clients.
The Social engineers have come to master corporate culture and basically taking advantage of weaknesses in the culture. A junior employee receiving an email from CEO requiring them to do a wire transfer as a matter of urgency looks like a normal case. Well the CEO is ‘allowed’ to abuse policies at will so it’s not anything outside the ordinary. In addition the CEO has so much power that if as an employee you go into her bad books be assured it will work against you. As I keep saying ‘No one wants to be in the bad books of the CEO’. Given the fear created by the position an employee who receives a BEC email will act on it without confirming the legitimacy of the email.
Dealing with this mess
Awareness, awareness, awareness – Create awareness to all staff on the current threats and social engineer tactics so that when (it’s not a matter of ‘if’ it’s about ‘when’) they receive a spear phishing email they will do some due diligence. Confirm the sender’s email corresponds to the purported CEO email address. In most cases the spammer will get the CEO name right but of course the email address will be fake one and will be of a different domain. Others will go a notch higher and get a domain close to the company’s domain. E.g Assuming Linkedln domain is linkedln.com they will generate an email johndoe@linkedIn.com. It will take a very keen eye to notice the difference!!! (Lower case ‘L’ and Capital ‘i”). Other letters that can be easily be interchanged to confuse the eye – o and 0 – firstname.lastname@example.org or m and rn – email@example.com.
Recipient should pick their phone and confirm with the CEO on the requested action/action.
“Don’t let your user betray you for less than 30 pennies”
Kill corporate rumors – Once the corporate turns to be a breeding ground for rumors expect the worst. There are companies that have gone down due to bad publicity emanating from a rumor. Rumors will take precedence over policies making corporate susceptible to BEC Scam.
Skepticism is to be rewarded – It should be Ok to call CEO and confirm why they are requesting for the transfer and why are they not following the correct channels/procedures to do so.
CEO is to be respected but not feared – Mingle with the troops and break those C-suite silos. If CEO is known to be easy and mingles with other employees chances of BEC being successful will be minimized. If CEO is accessible BEC will be a joke to crack with when recipient of phishing email interacts with CEO. BEC is a major problem for corporate where CEO is meant to be feared and those that have let CEO’s immerse so much power that they end up being small gods.
No one is above Company Policy – No one is exempted from Company policy and if there are exceptions (which at times are needed) let them be clearly stated as a policy. If CEO as a matter of urgency needs to release funds let it be put down on the procedure to follow. Ideally CEO shouldn’t be the requester of such requests.
BEC is an attack on human & corporate culture weaknesses which need to addressed so as to combat ever growing form of spear phishing. It goes back to corporate creating awareness to employees and keeping abreast on latest phishing attack and strict adherence to policy – it shouldn’t matter which position you hold in the company.
Credit to our CISO – Kevin Kanyi for his immerse research and contribution on the article.
Co-founder & CEO – Villbo Group Limited