Anatomy of an attack: ‘CEO fraud’ caper nets $450,000

Work and pleasure don't mix: Spear phishers target execs who use personal Gmail interchangeably with 'work' email

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Core find­ing: It has become com­mon­place for senior exec­u­tives to use free Web mail, espe­cial­ly Gmail, inter­change­ably with cor­po­rate email. This has giv­en rise to a type of scam in which a thief manip­u­lates email accounts. The goal: imper­son­ate an author­i­ty fig­ure in order to get a sub­or­di­nate to do some­thing quick­ly, with­out ask­ing ques­tions. The FBI calls this “CEO fraud,” and a surge of these capers has result­ed in scam­mers steal­ing a stun­ning $750 mil­lion from more than 7,000 U.S. com­pa­nies from Octo­ber 2013 through August 2015. In this spe­cif­ic attack, the scam­mer tar­gets an attor­ney from a big city in the northeast.

anatomy of attack series_Eduard GoodmanAttack vec­tor: The scam­mer gath­ers intel­li­gence about real estate trans­ac­tions han­dled by the attor­ney and drills down on a spe­cif­ic deal in which the law firm is han­dling the pur­chase of a $450,000 home for a client. The scam­mer learns this attor­ney is in the habit of using his per­son­al Gmail account inter­change­ably with his law firm’s email. As the trans­ac­tion approach­es the final step, the attorney’s para­le­gal receives a spoofed email that appears to come from her boss. She instant­ly fol­lows a direc­tive to can­cel a check for $450,000 that she is about to mail, and instead wires the funds into an account des­ig­nat­ed by the scammer.

More video: Scam­mers exploit trust in Google’s platform

Dis­tinc­tive tech­nique: The funds ini­tial­ly get rout­ed to anoth­er law firm in the south­west. A sub­or­di­nate in this law firm also appears to have been spoofed by the scam­mer to be pre­pared to move funds once again, this time into an account set up in a U.S. branch office of Sum­it­o­mo Bank, a giant glob­al insti­tu­tion with head­quar­ters in Tokyo. “At this point, it is not like­ly the $450,000 will ever be recov­ered,” says IDT911 Chief Pri­va­cy Offi­cer Eduard Good­man. “Once a trans­fer like this is made, you can’t real­ly unring that bell.”

Wider impli­ca­tions: U.S. con­sumers are well pro­tect­ed by fed­er­al law and banks usu­al­ly will reim­burse indi­vid­ual con­sumers vic­tim­ized by cyber crim­i­nals. How­ev­er, banks are under no legal oblig­a­tion to offer any relief to busi­ness­es, large or small, that have been tricked like this. The lion’s share of the $750 mil­lion lost in doc­u­ment­ed cas­es of CEO fraud has most like­ly been absorbed by the duped busi­ness entities.

Info­graph­ic: More Amer­i­cans liv­ing with data insecurity

Excerpts from ThirdCertainty’s inter­view with Good­man. (Answers edit­ed for length and clarity.)

3C: Busi­ness­es are los­ing one heck of a lot of mon­ey to CEO fraud.

Eduard Goodman, IDT911 chief privacy officer
Eduard Good­man, IDT911 chief pri­va­cy officer

Good­man: Yeah, absolute­ly. This one was for about $450,000. There is anoth­er woman with a bal­let com­pa­ny who recent­ly lost about $100,000. It’s sig­nif­i­cant chunks, let’s put it that way. And because this is hap­pen­ing in a busi­ness set­ting, it’s a lit­tle bit dif­fer­ent in that your bank won’t stand behind you. It’s caveat emp­tor. There is no con­sumer pro­tec­tion. When some­thing like this hap­pens to your busi­ness you’re out of luck.

3C: Why aren’t sus­pi­cious trans­ac­tions flagged more often?

Good­man: The gov­ern­ment will tend to go after com­pa­nies for any­thing that may

have to do with con­sumer vio­la­tions. But when busi­ness­es impact oth­er busi­ness­es, the gov­ern­ment doesn’t do a damn thing, even if the vic­tim is a real­ly small busi­ness and they’re essen­tial­ly con­sumers in and of them­selves. Banks have that unfair advan­tage to say, ‘Well, sor­ry, should have flagged it, but we just process it for you.’

3C: So by using free Web mail this attor­ney sort of invit­ed spoofing?

Good­man: He kind of comin­gled accounts, that’s the thing. He had his law firm’s email, and he also had a per­son­al Gmail account. He would send emails from both accounts. That is some­thing that has become a very com­mon prac­tice. He prob­a­bly had pre­vi­ous­ly emailed him­self some­thing from his actu­al work account into his Gmail account. This scam­mer prob­a­bly got into his Gmail account, and then made the con­nec­tion to his law firm account.

Then it was off to the races. The para­le­gal gets the wire trans­fer request from an email that’s very close to an authen­tic law firm email except there’s an extra let­ter in the domain name. It looks very credible.

3C: Could this have been avoided?

Good­man. Yes, by tak­ing the extra 45 sec­onds to make a phone call. Pick up the phone and ver­i­fy things instead of get­ting caught up in the workday.