May 22, 2017 by

Increase in CEO Fraud

Earlier this week, the FTC released a bulletin [1] warning of an increase in the number of cases involving scammers sending fraudulent emails in which a money transfer is requested. These scams are known under various names, and a typical one is “CEO Fraud”, due to the methodology used. The scammers will pose as a corporate authority, typically the CEO or CFO, and request that a payment be made quickly to pay an invoice or to settle a dispute.

In order to make the email convincing, the scammers do their homework: they leverage all possible avenues of research such as LinkedIn, Facebook, corporate website, and business directories. These are only a few examples of the sources used to collect as much information as possible on the people they will impersonate including the identity of colleagues or third parties. While a “Dear account payable, I spoke with our CFO, please pay $xxxx to some provider now” is not going to cut it, a “Tania, I spoke with Jerry regarding this invoice sent by AnotherCorp. Please make a payment of $xxxxx to their order as soon as possible” looks more convincing.

To further make the scam harder to spot, a domain similar to the real domain is registered: for example, “lifars.com” will be altered to “lifarz.com”, “lifers.com” or “1ifars.com”. While not identical, this is visually close enough that many people will not spot the difference. And the scammers count on the urgency to short-circuit the detail-checking.

This sense of urgency plays an important part in the scam: as for any good magic trick, the important part is to draw the attention away from the details. When confronted to an emergency, many of us will go into a high-speed mode where every second matters, where unneeded corners are cut. We also tend to rely on our beliefs: after all, if the CEO is asking, that must be legit, and who am I to discuss the orders of my boss, right?

The transfer typically goes through a series of money mules. Instead of making the transfer directly to a foreign bank account – for which banks usually ask a different level of validation – local individuals are used to collect the money, and the payment goes to a US bank account. The mule, in turn, takes his or her cut and forward the rest to the next step, which could be another money mule or the scammers themselves. In certain cases, it was also seen that the mules must order certain high value items to be delivered to the scammers: this in effect bypasses some of the checks made to prevent money laundering or the flagging of transactions to suspicious countries.

Regardless of the mode of final delivery, the result is the same, as once the payment is made it is very hard for the victim to claim the money back from the financial institutions. A bank has a duty to honor any instruction issued by an authorized party, and these scams are based on exactly that. In some cases, the financial institution that made the first payment – that is the bank used by the company – can issue a letter to the first destination to inform that the payment was the result of defraudment. That is, unfortunately, not a guarantee that the money will be restituted.

What to look for to avoid being victim to a CEO fraud?

There is no “ultimate guide to avoid being victim to a CEO fraud”, but rather there are a lot of small things that can be done to limit the probability of falling victim to it.

  •  If an email requesting an urgent payment arrives, take things slow;
  •  If the writer says he/she will be unreachable for verification, e.g. traveling  or with poor cell/data coverage, call or mail anyway;
  • Respect your internal procedures: if all payments have to go through specific steps, why would this one be different?
  • The devil is in the detail: in addition to double-checking the email address, was that email received at an unusual time? Or is the style different from the usual style?

On the technical side, it is possible to search for similar domains, that is names that are close to the normal internet name used by the company. When found, some registrants or email hosters will take the fraudulent names down upon notification. Ask us for details.

… and if you are a victim

The obvious is to bring in the lawyers, the authorities and the financial institution as soon as possible. They will require any piece of evidence available, so make sure that none of the emails and communications gets deleted.

Reference

[1] https://www.us-cert.gov/ncas/current-activity/2017/05/16/FTC-Releases-Alert-Fraudulent-Emails

About the author

Image of Author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.

Related articles

APT10 Operation Cloud Hopper Targets MSPs

APT10, a cyber espionage group operating out of China, has been targeting Managed Service Providers...

Read more arrow_forward

The Growing Insider Threat

A security threat originating from within the organization which is targeted or attacked is an...

Read more arrow_forward

The Importance of Memory Forensics

Digital forensics experts who do not use memory forensics are leaving evidence behind. Memory...

Read more arrow_forward