Scam Alert: The Email From Your Boss May Be A Scam

Email Scams On The Rise in Miami

Email is a common attack vector used by fraudsters. But if you believed it was only used to spread malware, phishing, and Nigerian advance-fee scams, think again. There is a newer email-driven scam in which an attacker pretends to be your boss and gets you to transfer thousands of dollars of business funds into a bank account they control.

It’s called CEO Fraud or “Insider Spoofing”.

Understanding The Attack

So, how does the attack work? For an attacker to pull it off successfully, they need to know a good deal about the company they’re targeting.

Much of that information concerns the hierarchical structure of the business or institution. The attacker needs to decide who they will impersonate. Although this type of scam is known as “CEO fraud”, in reality it targets anybody in a senior role – anybody who would be able to authorise payments. The attacker needs that person’s name and email address. It also helps to know their schedule, and whether they will be travelling or on vacation.

Finally, they need to know who in the organisation can issue money transfers, such as an accountant or someone in the finance department.

Much of this information can be found freely on the website of the business in question. Many small and medium-sized firms have “About Us” pages listing their staff, their roles and responsibilities, and their contact details.

Finding someone’s schedule can be a little harder. Most people do not publish their calendar online. However, many people do announce their movements on social media sites such as Twitter, Facebook and Swarm (previously Foursquare). An attacker only has to wait until the target has left the office, and then strike.

Once the attacker has every piece of the puzzle needed to carry out the attack, they email the finance employee, purporting to be the CEO, and request that they initiate a money transfer to a bank account the attacker controls.

For it to work, the email must appear genuine. The attacker will either use an email address that looks legitimate or plausible (for example [email protected]), or ‘spoof’ the CEO’s real address. Spoofing means sending an email with modified headers, so that the “From:” field contains the CEO’s real email address. Some motivated attackers will first try to get the CEO to email them, so they can replicate the style and formatting of a genuine message.

The attacker is counting on the finance employee feeling pressured to initiate the transfer without first checking with the executive concerned. One company in France, profiled by the BBC, lost 100,000 euros. The attackers tried to get 500,000, but all but one of the payments were blocked by the bank, which suspected fraud.
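The header tricks described above are exactly what a receiving mail system can look for. The following Python script is an added example, not code from the original article: it parses a raw message and flags the indicators just discussed, namely an executive’s display name on an address that is not theirs, a look-alike sender domain, a Reply-To that routes answers elsewhere, and a payment request wrapped in urgency and secrecy. The company domain, the executive list and the three sample messages are constructed for illustration.

```python
"""Flag the tell-tale signs of a CEO-fraud email in a raw RFC 5322 message.

Added example, not from the original article. The company domain, the
executive list and the sample messages are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumption: the target firm's real domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumption: staff who can authorise payments
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "bank account")
URGENCY_WORDS = ("urgent", "immediately", "asap", "confidential", "right away")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True for a domain that is not ours but is built to resemble it.

    Catches a near-identical name (examp1e.com, exarnple.com) and the real
    name embedded in a longer one or under another TLD (example-corp.com,
    example.co). Our own subdomains (mail.example.com) are not look-alikes.
    The substring test over-fires for very short company names; tune it.
    """
    if not domain or domain == legit or domain.endswith("." + legit):
        return False
    label, legit_label = domain.split(".")[0], legit.split(".")[0]
    return legit_label in label or _edit_distance(label, legit_label) <= 2


def analyze(raw_message: str) -> list[str]:
    """Return the CEO-fraud indicators found in one raw message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_name, from_addr = from_name.lower(), from_addr.lower()
    from_domain = _domain(from_addr)

    # 1. A known executive's display name on an address that is not theirs
    #    (the "plausible address" trick; also catches free-mail accounts).
    known = EXECUTIVES.get(from_name)
    if known and from_addr != known:
        findings.append(f"display-name impersonation: '{from_name}' from {from_addr}")

    # 2. A sender domain registered to look like ours.
    if is_lookalike(from_domain):
        findings.append(f"look-alike domain: {from_domain}")

    # 3. Replies silently routed to a domain other than the apparent sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_addr = reply_addr.lower()
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"reply-to mismatch: {reply_addr}")

    # 4. A payment request combined with pressure or a demand for secrecy.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        findings.append("urgent payment request in body")
    return findings


# Constructed sample messages (not real correspondence).
SAMPLE_FRAUD = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-examp1e.net
Subject: Wire needed today
Content-Type: text/plain; charset=us-ascii

I'm travelling and can't take calls. Please process this wire transfer
immediately and keep it confidential until I'm back.
"""

SAMPLE_FREEMAIL = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Subject: Quick question
Content-Type: text/plain; charset=us-ascii

Are you at your desk? I need you to handle something for me today.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
Subject: Printer invoice
Content-Type: text/plain; charset=us-ascii

The invoice from the printer is attached; please pay it in the usual cycle.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("free-mail", SAMPLE_FREEMAIL), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample) or ["no indicators"])
```

Note what this does not catch: a message whose “From:” field carries the CEO’s exact, real address. Telling that forged header from a genuine one needs the receiving gateway’s sender-authentication results (SPF, DKIM and DMARC), which this script does not evaluate. Conversely, a look-alike domain registered by the attacker passes those checks, because the attacker legitimately controls it, which is why the name and domain comparisons above still matter.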

Traditional attacks can be countered with technical measures. If you are infected with malware, you can install an anti-virus program. If somebody has been trying to hack your web server, you can hire someone to perform a penetration test and advise you on how to ‘harden’ the machine against further attacks.

Social engineering attacks – of which CEO fraud is an example – are much harder to mitigate, because they are not attacking hardware or systems. They are attacking people. Rather than exploiting vulnerabilities in code, they exploit human nature and our instinctive tendency to trust other people. One of the most interesting explanations of the attack was given at the DEFCON conference in 2013.

Some of the most jaw-droppingly audacious hacks have been the product of social engineering.

In 2012, former Wired journalist Mat Honan found himself under attack by a determined group of cyber-criminals who set out to dismantle his digital life. Using social engineering tactics, they convinced Amazon and Apple to give them the information they needed to remotely wipe his MacBook Air and iPhone, delete his email accounts, and seize his Twitter account in order to post racist and homophobic slurs. You can read the chilling tale here.

Social engineering attacks are not a new invention. Hackers have used them for decades to gain access to buildings, systems and information. One of the most notorious social engineers is Kevin Mitnick, who in the mid-90s spent years hiding from the police after committing a series of computer crimes. He was jailed for five years and was prohibited from using a computer until 2003. As hackers go, Mitnick was as close as you could get to rockstar status. When he was finally permitted to use the internet again, it was televised on Leo Laporte’s The Screen Savers.

He now runs his own computer-security consultancy and has written several books about social engineering and hacking. Possibly the best-regarded is “The Art of Deception”, essentially an anthology of short stories looking at how social engineering attacks are pulled off and how to protect yourself against them. It is available from Amazon.

Scott Cooper CEO
