- February 10, 2016
- Info notes
"CEO Fraud", also known as "Business email compromise" (BEC), is a type of scam that seems to have caused a €70M loss in January for a Belgian bank. While the practice has so far seldom been made public in Europe, the FBI estimates that BEC has caused more than $1.2 billion in losses globally.
This note explains how the fraud works, and provides recommendations on how to protect against it.
At heart, BEC is a social engineering tactic. The goal for the fraudsters is to impersonate an executive of a company and order the finance department to wire money to the attackers.
For the attack to be effective, the scammers need to profile their target:
- The business of the company. Typical targets are companies that routinely wire big amounts of money to offshore accounts. Banks are a good example, but also manufacturing companies that buy their materials in bulk from foreign suppliers.
- The names of the executives of the company. The attackers count on the authority of the executive they are going to impersonate to minimise control and questions by the subordinates who will get the email. Typical targets are Chief Executive Officers (CEO) or Chief Finance Officers (CFO).
- The names of the people in charge of actually wiring money. CEOs and CFOs now rarely handle money themselves, but rely on financial assistants and accountants to perform payments. The attackers need to know their names to make the email as convincing as possible.
- When the executives will be away. The attackers rely on the executive being out of the office to reduce the impact of any control procedures that might be in place, and to justify the potentially unusual request by mail.
Attackers can get this information mostly from public sources. Professional social networks like LinkedIn make it easy to find who is working for a company, and in what capacity. Press releases, conference agendas, out-of-office messages, and other social networks can all be used to learn when key people will be away. There is also the possibility of hacking into the systems of the company and observing the situation from the inside.
From there, attackers have two ways forward. The easiest is to register a domain name that closely resembles that of their target. The harder, but even more effective, way is to hack an executive's email account. Posing as an executive who is currently out of the office, they send an email to the financial assistant. The email orders the assistant to wire a large amount of money to an offshore account. By the time the company realises that the email was a fraud, the money is out of reach.
How to avoid BEC
Since BEC is a high-impact social engineering attack, education and adequate controls remain the most effective countermeasure.
Users need to be able to identify suspect emails. In another case, an assistant sent the money order despite noticing that the tone of the email differed from the one the executive usually employed. Had the assistant been aware of the existence of BEC, she would probably not have sent it. Companies should develop policies to train their employees in recognising fraudulent emails, and increase their awareness of social engineering attacks.
Without compromising the efficiency of their business, companies need to set up effective control procedures, such as double signatures and telephone confirmations. Every executive should have a backup who can confirm the need for a payment.
Finally, given that this specific attack depends on certain information being made public, discretion is advised. While it is hard to hide the names of executives, whose name is often a matter of public record, their absence need not be advertised on public web sites or fora.
There are few effective technical countermeasures. One is the configuration of out-of-office messages: instead of sending them to all and sundry, it is now possible to send them only to colleagues and/or registered contacts. The other is the mandatory use of electronic signatures on emails carrying such money orders.
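As an added example, not part of the ENISA note, the following Python check illustrates how a mail gateway or a SIEM rule could flag the two impersonation patterns this note describes: a sender domain that merely resembles the company's own, and an executive's display name arriving from an external domain. The company domain, the executive names, the confusable-character table and the sample From headers are all constructed for this example.

```python
from email.utils import parseaddr
from typing import Dict, List

# Constructed for this example: the organisation's own mail domain and the
# display names of the executives whose authority a fraudster would borrow.
COMPANY_DOMAIN = "example-bank.eu"
EXECUTIVES = {"Jane Doe", "John Smith"}

# Illustrative (not exhaustive) table of character swaps that make a
# registered lookalike domain read like the real one at a glance.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Lower-case a domain and undo common visual substitutions."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


NORMALIZED_COMPANY = normalize(COMPANY_DOMAIN)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small values mean the domains differ by a typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> Dict[str, object]:
    """Return a risk label and the reasons for it for one From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == COMPANY_DOMAIN:
        return {"address": addr, "risk": "internal", "reasons": []}

    reasons: List[str] = []
    norm = normalize(domain)
    if norm == NORMALIZED_COMPANY:
        reasons.append("confusable-character lookalike of company domain")
    elif levenshtein(norm, NORMALIZED_COMPANY) <= 2:
        reasons.append("domain within edit distance 2 of company domain")
    if name.strip() in EXECUTIVES:
        reasons.append("executive display name on an external domain")

    risk = "suspect" if reasons else "external"
    return {"address": addr, "risk": risk, "reasons": reasons}


def scan(headers: List[str]) -> List[Dict[str, object]]:
    """Run the check over a batch of From: headers and keep the suspect ones."""
    return [r for r in (classify_sender(h) for h in headers) if r["risk"] == "suspect"]


# Constructed sample headers, as a gateway might log them.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-bank.eu>",      # genuine internal sender
    "Jane Doe <jane.doe@examp1e-bank.eu>",      # digit 1 for letter l
    "Jane Doe <jane.doe@example-bank.co>",      # near-identical domain
    "Jane Doe <ceo.office@webmail.example>",    # executive name, free mailbox
    "Supplier <orders@supplier.example>",       # ordinary external mail
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_HEADERS):
        print(hit["address"], "->", "; ".join(hit["reasons"]))
```

The edit-distance threshold is only sensible for domains of a reasonable length; a very short company domain would make many legitimate domains fall within distance 2, so the threshold should be tuned per organisation, and a hit should trigger the telephone confirmation described above rather than an automatic block.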
Business email compromise is a threat that causes significant losses. Companies need to take it into account, and take the necessary steps to protect against it. These steps are mostly organisational and educational in nature.
About "Info Notes" from ENISA
With the "Info Notes" series ENISA aims to give the interested reader some background and recommendations about NIS-related topics. The background and recommendations are derived from past experience and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or request more information on the "Info Notes" series (firstname.lastname@example.org).