Anatomy of an attack: ‘CEO fraud’ caper nets $450,000
Work and pleasure don't mix: Spear phishers target execs who use personal Gmail interchangeably with 'work' email
By Byron Acohido, ThirdCertainty
Core finding: It has become commonplace for senior executives to use free Web mail, especially Gmail, interchangeably with corporate email. This has given rise to a type of scam in which a thief manipulates email accounts. The goal: impersonate an authority figure in order to get a subordinate to do something quickly, without asking questions. The FBI calls this “CEO fraud,” and a surge of these capers has resulted in scammers stealing a stunning $750 million from more than 7,000 U.S. companies from October 2013 through August 2015. In this specific attack, the scammer targets an attorney from a big city in the northeast.
Attack vector: The scammer gathers intelligence about real estate transactions handled by the attorney and drills down on a specific deal in which the law firm is handling the purchase of a $450,000 home for a client. The scammer learns this attorney is in the habit of using his personal Gmail account interchangeably with his law firm’s email. As the transaction approaches the final step, the attorney’s paralegal receives a spoofed email that appears to come from her boss. She instantly follows a directive to cancel a check for $450,000 that she is about to mail, and instead wires the funds into an account designated by the scammer.
More video: Scammers exploit trust in Google’s platform
Distinctive technique: The funds initially get routed to another law firm in the southwest. A subordinate in this law firm also appears to have been spoofed by the scammer to be prepared to move funds once again, this time into an account set up in a U.S. branch office of Sumitomo Bank, a giant global institution with headquarters in Tokyo. “At this point, it is not likely the $450,000 will ever be recovered,” says IDT911 Chief Privacy Officer Eduard Goodman. “Once a transfer like this is made, you can’t really unring that bell.”
Wider implications: U.S. consumers are well protected by federal law and banks usually will reimburse individual consumers victimized by cyber criminals. However, banks are under no legal obligation to offer any relief to businesses, large or small, that have been tricked like this. The lion’s share of the $750 million lost in documented cases of CEO fraud has most likely been absorbed by the duped business entities.
Infographic: More Americans living with data insecurity
Excerpts from ThirdCertainty’s interview with Goodman. (Answers edited for length and clarity.)
3C: Businesses are losing one heck of a lot of money to CEO fraud.
Goodman: Yeah, absolutely. This one was for about $450,000. There is another woman with a ballet company who recently lost about $100,000. It’s significant chunks, let’s put it that way. And because this is happening in a business setting, it’s a little bit different in that your bank won’t stand behind you. It’s caveat emptor. There is no consumer protection. When something like this happens to your business you’re out of luck.
3C: Why aren’t suspicious transactions flagged more often?
Goodman: The government will tend to go after companies for anything that may
have to do with consumer violations. But when businesses impact other businesses, the government doesn’t do a damn thing, even if the victim is a really small business and they’re essentially consumers in and of themselves. Banks have that unfair advantage to say, ‘Well, sorry, should have flagged it, but we just process it for you.’
3C: So by using free Web mail this attorney sort of invited spoofing?
Goodman: He kind of comingled accounts, that’s the thing. He had his law firm’s email, and he also had a personal Gmail account. He would send emails from both accounts. That is something that has become a very common practice. He probably had previously emailed himself something from his actual work account into his Gmail account. This scammer probably got into his Gmail account, and then made the connection to his law firm account.
Then it was off to the races. The paralegal gets the wire transfer request from an email that’s very close to an authentic law firm email except there’s an extra letter in the domain name. It looks very credible.
3C: Could this have been avoided?
Goodman. Yes, by taking the extra 45 seconds to make a phone call. Pick up the phone and verify things instead of getting caught up in the workday.