If you take one thing away from this blog, be sure to inform your CFO and CEO about an advanced phishing scam going around that targets CFOs and CEOs for wire transfers. I know, how can anyone perform a wire transfer without actually knowing who they are transferring the money to? Well, this is where it gets interesting.
In a lot of companies, the CEO is extremely busy and the CFO is twice as busy. When the CEO says “Take care of this,” everyone generally takes care of it. Sometimes the CEO will send an email to the CFO asking them to take care of financial business (e.g., cutting a check or sending a wire transfer). Usually the CFO takes care of it as part of normal business with little or no questions asked. This is where the phishing scam comes in.
Now let me clarify something here: this is not your systems being hacked. This is not your antivirus software falling short and failing to detect a virus or malware. This is not your IT department misconfiguring your firewall and leaving ports open from the Internet into your internal network. This is social engineering at its finest, with the right wording and just enough technology sprinkled in. Phishing is the attempt to acquire sensitive information such as usernames, passwords, credit card details, and money, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
The targeted phishing attack starts by identifying the CEO and CFO. Take note that other C-level execs can be targeted, but for this to work they need to target the person (or persons) who can perform the wire transfers. Who the C-level people are is widely available on most company websites and on social networks such as LinkedIn and Facebook, giving their full name and possibly contact information. If contact information is not on the website, it can easily be found. By the way, don’t kid yourself: security by obscurity doesn’t work. If you have an email address, you can be found. Once they find your email, they can confirm it’s valid. Again, another easy task that you will not notice.
The phishers will then register a domain very similar to the primary email domain used by your company. For example, if your primary email domain is franklinconstructioncompany.com, they will register franklincontructioncompany.com (no S in “construction”) or franklinconstructoncompany.com (no I in “construction”). They will then create an email address on that domain identical to the CEO’s. The phishers can now send emails to the real CFO’s email address at the real domain, and it will look very much like it is coming from the CEO. Even if you hover over the sender’s address, it will show the domain they registered, which reads almost exactly like your own.
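The lookalike-domain trick above is something a mail gateway or a small inbound-mail script can catch mechanically: compare the sender's domain to the corporate domain by edit distance, and separately flag any message whose display name matches an executive while the address is not on the corporate domain. The following is an added example, not code from the original post or from Beringer; the corporate domain is taken from the post's own example, while the executive name, the gateway function names and the sample From: headers are constructed for illustration.

```python
"""Flag inbound mail from lookalike domains or executive display-name spoofing.

Added example, not from the original post. The corporate domain comes from
the post's example; the executive list and sample headers are constructed.
"""
import re

CORPORATE_DOMAIN = "franklinconstructioncompany.com"   # from the post's example
EXECUTIVE_NAMES = {"john smith"}                       # hypothetical CEO display name
LOOKALIKE_MAX_DISTANCE = 2                             # edits allowed before "close enough"


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_from(from_header: str) -> tuple[str, str]:
    """Split 'Display Name <user@domain>' into (display name, domain), lower-cased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', from_header)
    if m:
        name, addr = m.group(1), m.group(2)
    else:
        name, addr = "", from_header.strip()
    return name.strip().lower(), addr.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, legit: str = CORPORATE_DOMAIN) -> bool:
    """True when the domain is NOT the real one but only a few edits away from it.

    A dropped letter (franklincontructioncompany.com), a swapped letter, or a
    different TLD (.co instead of .com) all land within distance 1 or 2.
    """
    domain = domain.lower()
    return domain != legit and levenshtein(domain, legit) <= LOOKALIKE_MAX_DISTANCE


def classify(from_header: str) -> str:
    """Return a verdict string for a From: header.

    'internal'                - genuinely on the corporate domain
    'lookalike'               - near-miss of the corporate domain
    'executive-impersonation' - display name matches an executive, domain is foreign
    'external'                - ordinary outside sender
    """
    name, domain = parse_from(from_header)
    if domain == CORPORATE_DOMAIN:
        return "internal"
    if is_lookalike(domain):
        return "lookalike"
    if name in EXECUTIVE_NAMES:
        return "executive-impersonation"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, including the post's two misspelled domains.
    samples = [
        "John Smith <ceo@franklinconstructioncompany.com>",
        "John Smith <ceo@franklincontructioncompany.com>",
        "John Smith <ceo@franklinconstructoncompany.com>",
        "John Smith <john.smith.ceo@webmail.example>",
        "Acme Billing <billing@acme-supplies.example>",
    ]
    for header in samples:
        print(f"{classify(header):24} {header}")
```

Anything classified as lookalike or executive-impersonation is a good candidate for quarantine or, at minimum, an “external sender” banner, which is exactly the cue a busy CFO needs before acting on a payment request. Edit distance is deliberately simple; a production filter would also check for homoglyphs and the organisation's other registered domains, but the core idea of comparing the sending domain against the domain you actually own is the same.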
Here is the best part: if the CFO responds to the email, the phisher can reply with further details such as bank account numbers and amounts. But wait, there’s even more. If your CEO turns on Out of Office notifications and they are allowed to go outside your email organization, the phisher learns when the CEO is on the road, and the attempt will most likely come at that time, with a signature like “Sent from my iPad” or “Sent from my Verizon phone.” This just adds legitimacy to the request.
Ok, so you spent money on antivirus software, firewalls, security scans, etc. What can you do now? One word: EDUCATION. This is where most companies fall short. Social engineering only succeeds when the person being targeted has not been educated about its threats. Make sure your employees, and especially anyone handling financial data, are educated in how to protect data and how to handle incoming requests for payment and information. For this specific iteration of phishing, make sure all your C-level execs are aware and educated.
A good practice for wire transfers is to put a process in place where the requesting party and the performing party have to talk with each other to confirm the wire transfer request. If you insist on using email for requests/approvals between the CEO and CFO, come up with a pass phrase that has to be in the email body to confirm the request is real, e.g., “Chart House Steaks are good.”
Ladies and gentlemen, this is no longer the Arabian Prince email sent to millions of people, which you can spot a mile away, asking for a money order or wire transfer. Phishers are now using proper spelling and grammar, registering domains, and setting up email services to target specific contacts. This is one of many targeted attacks coming your way. Be prepared and educate your company on social engineering and phishing attacks.
Beringer Associates is always here to provide you with expert knowledge on topics like these. For more information on how you can educate your organization, feel free to contact Beringer, a Microsoft Gold Certified Partner.