Before you say you’ll never be one of those people who gets suckered into giving money to a Nigerian prince, just know that a sophisticated version of this phishing email scam took tech giants Google and Facebook for over $100 million.
Yes. Google, a seller of security keys marketed as “the strongest, most phishing-resistant authentication factor for high-value users” and Facebook, a survivor of 600,000 cyber attacks every day, gave money to a Nigerian prince.
In this case, the “prince” was a 40-something Lithuanian man named Evaldas Rimasauskas, who ran a sophisticated CEO fraud scheme: he impersonated a large computer parts manufacturer using fake email addresses, forged corporate stamps, and phony invoices.
It took two years before anyone even discovered that they were being conned.
What Is CEO Fraud?
Also known as Business Email Compromise (BEC), CEO fraud is a phishing email scam in which a fraudster impersonates a high-ranking executive and tricks rank-and-file employees into doing something they shouldn’t, such as transferring funds or giving out highly sensitive company information.
While it takes technical props such as fake emails, hoax websites, and tampered invoices to pull off, CEO fraud is really a low-tech, high-yield scam that relies mostly on social engineering, the manipulation of human behavior.
Just take a look at this real email thread between an unsuspecting employee and a scammer pretending to be her boss. Here the CEO fraudster is using subtle social engineering techniques to convince her to transfer a large sum of money into an unverified account.
- Urgency. The scammer is using language that implies this situation is a matter of priority and should be handled immediately. (e.g., Can you still handle this right now? Can you still get it done today?)
- Trust. The scammer establishes that you’re the only one he trusts who can carry out such an essential and urgent task. (e.g., Are you available to handle an international payment this morning?; Oh ok, please find a way around it, my day is really tied.)
- Authority. The scammer appeals to every employee’s need to prove themselves to their boss, even if that means skipping a security protocol or two in the process. (e.g., Will see what I can do – it’s no trouble as I know I can ask Mary from her home if necessary. Leave it with us.)
With this seemingly benign, business-as-usual email, the employee fell victim to CEO fraud and wired $30,120 to the scammer.
Types of CEO Fraud
1. The Email From The Boss Email.
Spear phishing, or whaling, is when a scammer poses as a specific high-ranking individual within the company and sends a fraudulent email to employees who have no choice but to open an email from their boss.
These types of attacks are the hardest to detect because
- You can’t ignore an email from your boss, and
- It’s crafted using detailed information from trusted sources such as the company’s website, social media profiles, and news articles.
Typically, this type of email asks an employee for an immediate wire transfer to a new and unverified bank account.
2. The Please Update Or Verify Your Information Email.
These emails are sneaky because they are written to target a person’s sense of online security. They usually inform the recipient of a problem with an online account and offer a way to solve it, which generally requires clicking on a link or entering your credentials on a fake website.
For an added push, they also emphasize that if you don’t act before the stated deadline, your account may be suspended or deactivated.
3. The Please Accept My Invitation Email.
With its millions of users, LinkedIn is like a buffet of phishing targets for scammers. All they have to do is send an invite from a fake account to gain access to all the information about your professional life.
They can take your information and use it in a slew of scams ranging from harvesting emails to high stakes industrial espionage.
How To Protect Yourself From Email Phishing Scams
Some phishing email scams are so sophisticated that it’s hard to tell what’s real or fake these days. Here are a few tips to help you spot them:
- URLs Have A Misleading Domain Name
- Check the last part of a domain name – it is the most telling. For example, the domain name info.applehats.com is a child domain of applehats.com because applehats.com appears at the end of the domain name, on the right-hand side. Conversely, applehats.com.maliciousdomain.com could not have come from applehats.com because the reference to applehats.com is on the left side of the domain name.
- Spelling and Grammar Mistakes
- When a large company sends out a message on its behalf, the whole message is reviewed for errors. If a message has poor spelling and grammar, it probably didn’t come from a department within a major company.
- The Offer Seems Too Good To Be True
- If it seems that way, it most likely is. Watch out for emails from people you don’t know making these hard to believe promises. It’s a scam.
- Email Message Contains A Threat
- On the other side of making big promises, you have phishing email scams that try to scare victims into giving up personal information.
- You’re Asked To Send Money Via Email
- No one should ever ask you to cover expenses or send money via email. If they do, it is probably a scam.
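The domain-name rule above is easy to state and easy to get wrong by eye, so here is an added example (not from the original article) that applies it mechanically: it extracts the hostname from each link in a message and compares it label by label, from the right, against the domain the sender claims to be. The applehats.com names are the article’s own; the other links and the expected domain are constructed for the example. Besides the article’s case, it also handles a few tricks that defeat a visual check: a look-alike such as notapplehats.com, upper-case letters, a trailing dot, and a username-style prefix like applehats.com@… that puts the real host after the @.

```python
from typing import List, Tuple
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lower-case hostname of a link, ignoring userinfo, port and path.

    urlsplit().hostname already discards 'user:pass@' and ':port', so a link
    written as https://applehats.com@maliciousdomain.com/ yields
    'maliciousdomain.com' (the text before the @ is just a username).
    """
    if "://" not in url:
        url = "http://" + url          # tolerate links pasted without a scheme
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()     # 'Applehats.COM.' -> 'applehats.com'


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain or a child domain of it.

    The comparison is on whole DNS labels read from the right, so
    'applehats.com.maliciousdomain.com' (applehats.com on the left) and
    'notapplehats.com' (a look-alike label) both return False.
    """
    h = host.rstrip(".").lower().split(".")
    e = expected_domain.rstrip(".").lower().split(".")
    if len(h) < len(e):
        return False
    return h[-len(e):] == e


def suspicious_links(links: List[str], expected_domain: str) -> List[Tuple[str, str]]:
    """Return (link, real_host) for every link that is not under expected_domain."""
    flagged = []
    for link in links:
        host = host_of(link)
        if not belongs_to(host, expected_domain):
            flagged.append((link, host))
    return flagged


# Constructed links as they might appear in a message claiming to be from applehats.com.
SAMPLE_LINKS = [
    "https://info.applehats.com/orders",                   # genuine child domain
    "https://APPLEHATS.COM./account",                      # genuine, odd casing and trailing dot
    "https://applehats.com.maliciousdomain.com/login",     # the article's example
    "https://applehats.com@maliciousdomain.com/login",     # '@' trick: real host is after the @
    "http://notapplehats.com/verify",                      # look-alike label
]

if __name__ == "__main__":
    for link, host in suspicious_links(SAMPLE_LINKS, "applehats.com"):
        print(f"NOT applehats.com: {link}  (real host: {host})")
```

The same check belongs in a mail filter or a browser-side link scanner: the decision is made on the parsed hostname, never on what the link text looks like, which is the whole point of the right-hand-side rule.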
By staying aware, checking the details and looking for things that juuuust aren’t adding up, you can protect yourself and prevent such attacks from happening to you. Check out our article, 7 Ways Your IT Provider Should Be Protecting You Against Ransomware, to see if your business is protected properly.