Advanced Phishing Scam Targets CEOs, CFOs for Phony Cash Transfers
According to Becce, the way this whole thing unfolds is "scary." What especially worried Becce is the amount of research that was involved in sending the phishing email. "They must have done some kind of background research," he said. "They knew the kinds of funds that we dealt with."
Becce said that he'd recently been talking with one of his clients, Stu Sjouwerman, about the scam and that he'd discussed it with his wife only a couple of days before they'd received the email. Sjouwerman, who runs security training company KnowBe4, said that he's seeing this particular scam frequently in recent days.
The messages all show a common high level of social engineering. They all show that the person or group who sent out the email has gone to enough trouble to learn who the company's CEO is and to learn who is in charge of making payments because the email is specifically addressed to that person.
They also spoof the CEO's email address. In addition, they frequently wait until the CEO is away on business travel, which makes it more plausible that such a request would arrive by email and harder to verify.
Fortunately, there are a few things you and your staff can do to keep this from happening. The first is to implement requirements for approval before large payments are processed and paid. While the size of what constitutes a large payment will differ according to the company, there should be some level that will trigger a confirmation request.
But it's important that the confirmation not come by simply replying to the email. In these scams the "Reply-To:" address is set to go back to the scammer, so a reply that appears to go to the CEO lands in the attacker's mailbox. Instead, you should insist on verbal communication or at least some channel besides email.
It also helps to instill a certain level of suspicion into the folks in the accounting department. Requests for expedited payment and confidentiality should be red flags, and should generate a call for confirmation. While it's true that some disbursements do require a fast response and some level of discretion, it's highly unlikely to require speed such that someone can't make a quick phone call.
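The two traits described above, a From line that looks like the CEO while the Reply-To points somewhere else, and wording that pushes for speed and secrecy, can both be checked mechanically before a payment request reaches anyone in accounting. The script below is an added example written for this article, not code from the author or from KnowBe4; the company domain, the executive list, the keyword lists and the three sample messages are all constructed for illustration.

```python
"""Added example: flag CEO-fraud traits in an inbound payment request.

Checks a raw RFC 822 message for (1) a Reply-To domain that differs from the
From domain, (2) a display name matching a known executive whose address is
not that executive's real one, and (3) language demanding urgency and
confidentiality. None of the names or domains below are real.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed organisation data (constructed for this example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Assumed phrase lists; a real deployment would tune these to its own traffic.
URGENCY_TERMS = ("urgent", "asap", "immediately", "today", "wire")
SECRECY_TERMS = ("confidential", "discreet", "do not discuss", "keep this between")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text(msg: Message) -> str:
    """Collect subject plus all text/plain bodies, lower-cased for matching."""
    if msg.is_multipart():
        parts = [p.get_payload() for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        body = " ".join(parts)
    else:
        body = msg.get_payload()
    return (msg.get("Subject", "") + " " + body).lower()


def analyze(raw: str) -> dict:
    """Return the red flags found and whether the request should be held
    for an out-of-band (phone) confirmation before any payment is made."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # 1. Reply-To routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        reasons.append("reply_to_mismatch")

    # 2. Display name of a known executive on an address that is not theirs.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        reasons.append("executive_name_external")

    # 3. Pressure language: speed and secrecy are the classic pairing.
    text = _text(msg)
    if any(t in text for t in URGENCY_TERMS):
        reasons.append("urgency_language")
    if any(t in text for t in SECRECY_TERMS):
        reasons.append("secrecy_language")

    hold = ("reply_to_mismatch" in reasons
            or "executive_name_external" in reasons
            or ("urgency_language" in reasons and "secrecy_language" in reasons))
    return {"from": from_addr, "reply_to": reply_addr,
            "reasons": reasons, "hold_for_callback": hold}


# Constructed sample messages (not real traffic).
SAMPLE_SCAM = """From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@examp1e-mail.net>
To: controller@example.com
Subject: Urgent wire today

I'm traveling and can't take calls. Please process a wire today to the
vendor below and keep this confidential until I'm back.
"""

SAMPLE_DISPLAY_NAME = """From: Jane Doe <jane.doe@webmail.example.net>
To: controller@example.com
Subject: Quick question

Are you at your desk? I need you to handle something for me.
"""

SAMPLE_BENIGN = """From: Bob Smith <bob.smith@example.com>
To: controller@example.com
Subject: Monthly report

Attached is the monthly report for your records. Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM),
                          ("display-name", SAMPLE_DISPLAY_NAME),
                          ("benign", SAMPLE_BENIGN)):
        print(label, analyze(sample))
```

The decision rule is deliberately conservative: a Reply-To or display-name mismatch alone is enough to hold the request, while pressure language only triggers a hold when urgency and secrecy appear together, which matches the "red flags" the article describes. Holding means a phone call to the executive on a known number, never a reply to the message.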
The notice from the FS-ISAC in the link above gives a series of recommended steps that you should review, including a requirement for a second signature on large payments and an agreed means of communicating with your bank when large payments are requested.
Ultimately, however, your accounting department is your first line of defense. They need to be aware that this scam exists and that it's going to ask for money with a minimum of interaction with the rest of the company.
"The problem with phishing attacks like this is that it manipulates the normal command channels in an organization, using almost perfect looking spoofed emails from the CEO," Sjouwerman said. "The bad guys prey on this, and use it over and over. Employees need to stay on their toes with security top of mind to stop extremely expensive scams like this. Security awareness training is a must these days."
Editor's Note: This article was updated to correct the spelling of the name of Stu Sjouwerman, CEO of security training firm KnowBe4.