Why go after fish if you can land whales? That’s the driving force behind business email compromise (BEC) scams, also known as CEO fraud or whaling attacks. Instead of casting a wide net of malware-laden emails, attackers craft a legitimate-looking email purportedly from a CEO or other high-ranking C-suite member asking subordinates to perform wire transfers or make payments.
The tactic has diverted more than $2.3 billion to attacker accounts, according to Trend Micro. It’s also worrisome enough to warrant an FBI warning. How do companies make sure regular email reading doesn’t lead to a rip-off?
CEO Fraud Goes Line by Line
Here’s how it works: Attackers do some digging and grab company executives’ basic details and mimic standard company email structure. Next, they take time crafting a convincing message that asks subordinates — often those in HR or with access to financial assets — to send over employee files for review or make a direct funds transfer. In some cases, scammers even have fake lawyers or consultants call the recipient of a CEO fraud email to increase the likelihood of compliance.
Once convinced, the employee either wires money to an overseas account or sends confidential personnel data directly to malicious actors. This leaves employees exposed to long-term fraud and means money is effectively gone for good since it wasn’t stolen but transferred willingly.
While most of the value in BECs comes from direct contact, some also use messages as a vehicle for malware. For example, Softpedia reported that a popular keylogger known as Olympic Vision — available on the Dark Web for just $25 — has been showing up in BEC scams as a file attachment. Once installed, the program mines corporate networks for likely attack targets and collects even more data to make the next whaling attempt a success.
Taking Back the Text
It is possible to recover from a CEO fraud attack. Consider the case of Mattel: The toy-maker lost $3 million last year when attackers used the changeover of CEOs as cover and convinced a financial executive to perform a high-value wire transfer to China, a Softpedia article noted. Luckily, the date of the transfer — May 1 — was a banking holiday in China and was followed by a weekend, giving Mattel time to contact local authorities and recover its money.
Most companies aren’t so lucky. Wire transfer companies aren’t responsible for accidents and don’t offer refunds. Still, there are ways to avoid the sting of CEO fraud. Start with the subject matter of the email itself: Does it seem strange that an executive would ask for a sudden transfer or large volume of employee files, especially coupled with a request for secrecy? It’s also worth looking for email oddities such as excessive formality or odd grammar.
Of course, some companies routinely transfer money and some scammers are excellent wordsmiths. But there’s another way to dodge the harpoon: Ask, ask, ask. If something seems out of place, get phone, text or face-to-face confirmation. If execs understand the need for more communication and recipients are free to ignore requests until they’ve received personal confirmation, the BEC market effectively dries up.
Whalers are on the prowl as malleable prose takes the place of malicious programs. Keeping things personal, however, can help significantly lower the chance of CEO fraud.