
Email is a common attack vector used by fraudsters and computer criminals. But if you thought that it was only used to spread malware, phishing, and Nigerian advance fee scams, think again. There’s a newer email-driven scam in which an attacker pretends to be your boss and gets you to transfer thousands of dollars of company funds into a bank account they control.

It’s called CEO Fraud, or “Insider Spoofing”.

Understanding The Attack

So, how does the attack work? Well, for an attacker to successfully pull it off, they need to know a lot of information about the company they’re targeting.

Much of this information is about the hierarchical structure of the company or institution they’re targeting. They’ll need to know who they’ll be impersonating. Although this type of scam is known as “CEO fraud”, in reality it targets anyone with a senior role – anyone who would be able to initiate payments. They’ll need to know their name, and their email address. It’d also help to know their schedule, and when they’d be travelling, or on vacation.


Finally, they need to know who in the organization is able to issue money transfers, such as an accountant, or someone in the employ of the finance department.


Much of this information can be freely found on the websites of the company in question. Many medium-and-small size companies have “About Us” pages, where they list their employees, their roles and responsibilities, and their contact information.

Finding someone’s schedule can be a little bit harder. The vast majority of people don’t publicize their calendar online. However, many people do publicize their movements on social media sites, like Twitter, Facebook, and Swarm (formerly Foursquare). An attacker would only need to wait until the executive has left the office, and then they can strike.

Once the attacker has every piece of the puzzle they need to conduct the attack, they will email the finance employee, purporting to be the CEO, and request that they initiate a money transfer to a bank account the attacker controls.

For it to work, the email has to look genuine. They’ll either use an email account that looks ‘legitimate’ or plausible, or ‘spoof’ the CEO’s genuine email. Spoofing is where an email is sent with modified headers, so that the “From:” field contains the CEO’s genuine address. Some motivated attackers will first try to get the CEO to email them, so they can duplicate the style and appearance of the CEO’s real messages.

The attacker is betting that the finance employee will feel pressured into initiating the transfer without first checking with the targeted executive. This bet often pays off, and some companies have unwittingly paid out hundreds of thousands of dollars. One company in France which was profiled by the BBC lost 100,000 Euros. The attackers tried to get 500,000, but all but one of the payments were blocked by the bank, which suspected fraud.

How Social Engineering Attacks Work

Traditional computer security threats tend to be technological in nature. As a result, you can employ technological measures to defeat these attacks. If you get infected with malware, you can install an anti-virus program. If someone’s been trying to hack your web server, you can hire someone to perform a penetration test and advise you on how you can ‘harden’ the machine against other attacks.

Social engineering attacks – of which CEO fraud is an example – are a lot harder to mitigate against, because they’re not attacking systems or hardware. They’re attacking people. Rather than exploiting vulnerabilities in code, they take advantage of human nature, and our instinctive biological imperative to trust other people. One of the most interesting explanations of this attack was given at the DEFCON conference in 2013.

Some of the most jaw-droppingly audacious hacks were a product of social engineering.

In 2012, former Wired journalist Mat Honan found himself under attack by a determined cadre of cyber-criminals who set out to dismantle his online life. By using social engineering tactics, they were able to convince Amazon and Apple to provide them the information they needed to remotely wipe his MacBook Air and iPhone, delete his email account, and seize his influential Twitter account in order to post racial and homophobic epithets. You can read the chilling tale here.

Social engineering attacks are hardly a new innovation. Hackers have been using them for decades to gain access to systems, buildings and information. One of the most notorious social engineers is Kevin Mitnick, who in the mid-90s spent years hiding from the police, after committing a string of computer crimes. He was jailed for five years, and was prohibited from using a computer until 2003. As hackers go, Mitnick was as close as you could get to having rockstar status. When he was finally allowed to use the Internet again, it was televised on Leo Laporte’s The Screen Savers.

He eventually went legit. He now runs his own computer-security consultancy firm, and has written a number of books about social engineering and hacking. Perhaps the most well-regarded is “The Art of Deception”. This is essentially an anthology of short stories that look at how social engineering attacks can be pulled off, and how to protect yourself against them, and it is available for purchase at Amazon.


What Can Be Done About CEO Fraud?

So, let’s recap. We know that CEO Fraud is awful. We know it’s cost a lot of companies a lot of money. We know it’s incredibly hard to mitigate against, because it’s an attack against humans, not against computers. The last thing left to cover is how we fight against it.

This is easier said than done. If you’re an employee and you’ve received a suspicious payment request from your employer or boss, you should check in with them (using a method other than email) to see whether it was genuine. They might be a bit annoyed with you for bothering them, but they’ll be far more annoyed if you end up sending $100,000 of company funds to a foreign bank account.


There are technological solutions that can be used, too. Microsoft’s upcoming update to Office 365 will contain some protections against this type of attack, by checking the source of each email to see whether it really came from the trusted contact it claims to be from. Microsoft reckons that it has achieved a 500% improvement in how Office 365 identifies counterfeit or spoofed emails.
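The two technical points the article makes are that the attacker either forges the “From:” header or uses a plausible look-alike address, and that a mail service can defend by checking the real source of each message against the contact it claims to be. The script below is an added example, not code from the article or from Microsoft’s Office 365 filtering: it implements a small rule-based check a finance mailbox could run on incoming mail, looking at the display name, the sender domain, a redirected Reply-To, the Authentication-Results header that a receiving mail server adds after its SPF/DMARC check, and payment/urgency wording in the body. The company domain, the executive list and all three sample messages are constructed for the example; the verdict strings and thresholds are my own choices.

```python
"""Added example: rule-based triage of a message for CEO-fraud indicators.
Not code from the article; company data and samples below are constructed."""
from difflib import SequenceMatcher
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical company data; in practice this comes from the directory/HR system.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real mailbox
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "bank account")
URGENCY_WORDS = ("urgent", "immediately", "today", "confidential", "asap")


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def looks_like_company_domain(domain: str) -> bool:
    """Look-alike check: a *different* domain whose name is nearly the company's."""
    if domain == COMPANY_DOMAIN:
        return False
    return SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.8


def auth_failed(msg: Message) -> bool:
    """True if the receiving server recorded an SPF or DMARC failure, i.e. the
    claimed source of the message did not check out (a forged From: header)."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "spf=fail" in results or "dmarc=fail" in results


def analyse(raw: str) -> dict:
    """Return the indicators found in one raw RFC 822 message plus a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = (msg.get_payload() if not msg.is_multipart() else "").lower()
    real_mailbox = EXECUTIVES.get(name.strip().lower())

    indicators = {
        # Display name is an executive's, but the mailbox is not theirs.
        "name_impersonation": bool(real_mailbox) and addr.lower() != real_mailbox,
        # Sender domain is a near-copy of the company's own domain.
        "lookalike_domain": looks_like_company_domain(_domain(addr)),
        # Replies would silently go somewhere other than the visible sender.
        "reply_to_mismatch": bool(reply_to) and reply_to.lower() != addr.lower(),
        # Claimed source failed the server's SPF/DMARC check.
        "auth_failed": auth_failed(msg),
        "payment_request": any(w in body for w in PAYMENT_WORDS),
        "urgency": any(w in body for w in URGENCY_WORDS),
    }
    spoof_signs = ("name_impersonation", "lookalike_domain",
                   "reply_to_mismatch", "auth_failed")
    indicators["verdict"] = (
        "hold for out-of-band verification"
        if indicators["payment_request"] and any(indicators[k] for k in spoof_signs)
        else "no CEO-fraud indicators"
    )
    return indicators


# Constructed sample 1: From: carries the CEO's real address, but the receiving
# server's SPF/DMARC check failed and replies are redirected to an outside mailbox.
SPOOFED_HEADERS = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@webmail.example.net>
To: accounts@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=webmail.example.net; dmarc=fail header.from=example.com

I am travelling and cannot take calls. Please make an urgent wire transfer
to the bank account below today and keep this confidential.
"""

# Constructed sample 2: look-alike domain, so no header forgery is needed.
LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Invoice payment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com

Please process the attached invoice payment immediately.
"""

# Constructed sample 3: genuine internal note, nothing to flag.
GENUINE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board meeting
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com

Reminder that the board meeting moved to Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_HEADERS),
                          ("lookalike", LOOKALIKE), ("genuine", GENUINE)):
        print(label, analyse(sample))
```

The first two samples are held for verification: the forged-header message is caught by the server’s SPF/DMARC failure and the redirected Reply-To, while the look-alike message passes SPF (the attacker legitimately owns examp1e.com) and is caught only by the display-name and domain-similarity checks. That is why the out-of-band phone call the article recommends still matters: header checks stop forgery, not impersonation from a domain the attacker really controls.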

Don’t Be Stung

The most reliable way to protect against these attacks is to be skeptical. Whenever you get an email that asks you to make a large money transfer, call up your boss to see if it’s legit. If you have any sway with the IT department, consider asking them to move to Office 365, which is leading the pack when it comes to fighting CEO Fraud.

I certainly hope not, but have you ever been the victim of a money-motivated email scam? If so, I want to hear about it. Drop me a comment below, and tell me what went down.

Photo Credits: AnonDollar (Your Anon), Miguel The Entertainment CEO (Jorge)

  1. Nesi Mesman
    August 2, 2016 at 7:46 pm

    We just had this happen today, and our IT person referred us to your article.

    Thank you, for the information.

  2. Edward
    January 23, 2016 at 12:11 am

    Wow, could you shill any harder for Microsoft?

    • Matthew Hughes
      January 23, 2016 at 12:18 am

      I could, but they'd have to pay me.

  3. Sacha
    January 21, 2016 at 9:36 pm

    That's very interesting, thanks for the article.

    • Matthew Hughes
      January 21, 2016 at 10:12 pm

      Happy to help Sacha!
