April 18, 2016 By Douglas Bonderud 2 min read

Why go after fish if you can land whales? That’s the driving force behind business email compromise (BEC) scams, also known as CEO fraud or whaling attacks. Instead of casting a wide net of malware-laden emails, attackers craft a legitimate-looking email purportedly from a CEO or other high-ranking C-suite member asking subordinates to perform wire transfers or make payments.

The tactic has diverted more than $2.3 billion to attacker accounts, according to Trend Micro. It’s also worrisome enough to warrant an FBI warning. How do companies make sure regular email reading doesn’t lead to a rip-off?

CEO Fraud Goes Line by Line

Here’s how it works: Attackers do some digging and grab company executives’ basic details and mimic standard company email structure. Next, they take time crafting a convincing message that asks subordinates — often those in HR or with access to financial assets — to send over employee files for review or make a direct funds transfer. In some cases, scammers even have fake lawyers or consultants call the recipient of a CEO fraud email to increase the likelihood of compliance.

Once convinced, the employee either wires money to an overseas account or sends confidential personnel data directly to malicious actors. This leaves employees exposed to long-term fraud and means money is effectively gone for good since it wasn’t stolen but transferred willingly.

While most of the value in BECs comes from direct contact, some also use messages as a vehicle for malware. For example, Softpedia reported that a popular keylogger known as Olympic Vision — available on the Dark Web for just $25 — has been showing up in BEC scams as a file attachment. Once installed, the program mines corporate networks for likely attack targets and collects even more data to make the next whaling attempt a success.

Taking Back the Text

It is possible to recover from a CEO fraud attack. Consider the case of Mattel: The toy-maker lost $3 million last year when attackers used the changeover of CEOs as cover and convinced a financial executive to perform a high-value wire transfer to China, a Softpedia article noted. Luckily, the date of the transfer — May 1 — was a banking holiday in China and was followed by a weekend, giving Mattel time to contact local authorities and recover its money.

Most companies aren’t so lucky. Wire transfer companies aren’t responsible for accidents and don’t offer refunds. Still, there are ways to avoid the sting of CEO fraud. Start with the subject matter of the email itself: Does it seem strange that an executive would ask for a sudden transfer or large volume of employee files, especially coupled with a request for secrecy? It’s also worth looking for email oddities such as excessive formality or odd grammar.

Of course, some companies routinely transfer money and some scammers are excellent wordsmiths. But there’s another way to dodge the harpoon: Ask, ask, ask. If something seems out of place, get phone, text or face-to-face confirmation. If execs understand the need for more communication and recipients are free to ignore requests until they’ve received personal confirmation, the BEC market effectively dries up.

Whalers are on the prowl as malleable prose takes the place of malicious programs. Keeping things personal, however, can help significantly lower the chance of CEO fraud.

More from

Cloud threat report: Why have SaaS platforms on dark web marketplaces decreased?

3 min read - IBM’s X-Force team recently released the latest edition of the Cloud Threat Landscape Report for 2024, providing a comprehensive outlook on the rise of cloud infrastructure adoption and its associated risks.One of the key takeaways of this year’s report was focused on the gradual decrease in Software-as-a-Service (SaaS) platforms being mentioned across dark web marketplaces. While this trend potentially points to more cloud platforms increasing their defensive posture and limiting the number of exploits or compromised credentials that are surfacing,…

Mobile device security: Why protection is critical in the hybrid workforce

4 min read - In our mobile-first/mobile-last world, many employees’ work days both start and end on a mobile device. Mobile devices are now essential tools for productivity and communication. As many organizations transition to hybrid work environments, mobile devices offer a rich target for malicious actors because they are often the least protected corporate devices and offer platforms from which to launch social engineering attacks.Unlike traditional computers, which are generally well-defended with antivirus software and cybersecurity protocols, mobile devices are frequently left vulnerable…

Abusing MLOps platforms to compromise ML models and enterprise data lakes

15 min read - For full details on this research, see the X-Force Red whitepaper “Disrupting the Model: Abusing MLOps Platforms to Compromise ML Models and Enterprise Data Lakes”.Machine learning operations (MLOps) platforms are used by enterprises of all sizes to develop, train, deploy and monitor large language models (LLMs) and other foundation models (FMs), as well as the generative AI (gen AI) applications built on top of these models. The rush to leverage AI throughout enterprises has meant that security has been often…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today