Security Awareness TrainingCEO Email Scams
A key component of security in the digital age is awareness. Often, it is not the technology that presents the biggest vulnerabilities to scammers and criminals, it is users. This is the principle that the classes of attacks known as "phishing" and "social engineering" are based on.
A keystone of "social engineering" attacks is the exploitation of trust. The attacker will pose as someone in a position of authority, or posessing some knowledge that grants them credibility. They will then use this false credibility to gain access and information from others who are deceived by their trick.
CEO Email Scam
The CEO Email Scam is an example of a social engineering attack. First, the attacker researches the company's corporate structure and identifies the name and email address of the CEO as well as those of an employee in charge of finances. Then, either by gaining access to the CEO's email account or (more commonly) by spoofing her email address the perpertrator sends an email requesting funds be sent to a supposed client or vendor bank account. Of course, the account is owned by the attacker.
Because of the direct nature of this attack it is not caught by spam filters. By all appearances, it is legitimate. Desiring not to inconvenience their boss, the target employee will often quickly comply.
Brian Krebs, a well known security researcher and journalist writes an excellent article on this tact and cites some examples of large, well-known companies who have fallen for this scam at a shocking cost.
Avoidance
As with all social engineering scams, awareness is important. We also recommend establishing a policy of requiring a second confirmation of significant transactions via direct phone call. For example, if Bob receives an email allegedly from his CEO Alice to transfer funds, Bob might call Alice on her cell phone to verify.
Because the nature of social engineering scams is to simulate reality so as to exploit trust, they are difficult to identify using spam filters or other automated tools. We must rely on the users to be astute and cautious.
← Return
