Detecting business e-mail compromise – and other treasury-targeted frauds

Business e-mail compromise (BEC) is a very real threat, which could lead businesses to inadvertently give away sizeable sums of money to fraudsters. While phishing e-mails have been used to target anyone and everyone since e-mail became a standard form of communication, BEC is much more professional and difficult to spot – it is targeted at companies that have foreign suppliers or regularly make wire transfer payments – and it often goes undetected by spam filters.

The scale of the threat is exemplified in the recent arrest of a Nigerian cybercriminal heading a network behind global scams worth more than US$60m (£45m). Headed by a man known only as “Mike”, the network used BEC to coordinate huge sophisticated attacks, and according to the same report, in one particular case a particularly gullible target was conned into paying out more than £11m.

One way that a sum this astronomical can be extracted from employees is by using chief executive officer (CEO) fraud e-mails, in which a scammer impersonates a CEO or other senior figure to get them to pay out. Unlike impersonating a friendly Nigerian Prince, this technique is very likely to gain the trust of unsuspecting office workers, and persuade them that the e-mail is nothing more than a request for a regular business transaction.

Treasury and other financial staff are a prime target for this fraud technique because they have the authority to set up payments and often have access to key financial data. Unlike mass spam e-mails, attackers will choose a specific target before sending them an e-mail purporting to be from the company’s CEO or another senior executive – someone important enough that the target feels very reluctant not to obey their request instantly.

The e-mail will generally ask for sensitive information or money to be transferred, and may also attempt to get the target to download a malicious file. Getting the right name and address of the CEO or key person to impersonate has never been simpler for cybercriminals, because they can use LinkedIn or other popular, professional social networking sites to harvest this readily available information.

Spot the difference

For those who are keeping track of cyber-attacks as they happen, it is easy to see that these CEO fraud e-mails are increasingly well co-ordinated campaigns, with the same e-mails hitting different companies. One example of a real scam e-mail is included below, with the names and addresses changed.

[Image: example CEO fraud e-mail, names and addresses changed]

Reading this e-mail, it is clear that the scammers are using psychological manipulation to trick their victims into complying without thinking it through. The request for payment is urgent, and the message is short. Additionally, the victim is prevented from contacting their boss on the phone to verify the request, as the sender claims to be in a meeting. Even if this request seems a bit unusual, an apparently urgent e-mail from the boss will likely have many employees rushing to comply.

One indication that the e-mail is a scam, which you might notice when you go to reply, is that the Reply-To address is different from the From address.

[Image: the same scam e-mail, showing the Reply-To address differing from the From address]

While this CEO scam was indirect and very subtle, the e-mail below is an example of a more direct approach. This scammer is after cash, and has provided the target with all the details necessary to complete the transaction outright. As with the first example, this e-mail appears to be sent from the CEO. It is likely the result of a back-and-forth e-mail thread between the fraudster and the victim.

[Image: direct CEO fraud e-mail requesting a payment, with full transfer details supplied]

Recently, malware-carrying attachments have been added to fraudulent e-mails. These e-mails include a PDF document containing an image asking you to update your application. Clicking on this image takes you to Dropbox, which prompts you to download a malicious data-stealing executable. Although most professionals hopefully have enough cyber-security awareness not to download attachments from strange e-mail addresses, combining this e-mail malware with CEO fraud makes it much more credible.

[Image: fraudulent e-mail carrying a PDF attachment that links to a malicious download]

Passing the e-mail gateway

Since CEO fraud e-mails are targeted and low-volume rather than mass-produced generic spam, they are likely to sneak into your inbox even with spam filters in place. However, a number of options can still be employed at the e-mail gateway to provide protection and keep companies safe from these clever scams.

Errors in the domain name

In order to fool you into believing that their e-mails are from your boss, fraudsters will use a domain name as close as possible to that of your company. However, they obviously can’t use a domain which is exactly the same, so the one used by the scammer will be slightly misspelt. Usually, the change is only a single character.

From: “CEO Name” <ceo.email.address@examplle.com>

How can I ensure my e-mail gateway prevents fraudulent emails entering my inbox?

To identify these misspellings, you can apply regular expressions to the From: header of incoming mail.

Below, I have detailed two regular expressions which you can use to stop CEO fraud scammers, and phishing scams more generally. They have been created for the domain example.com, but you can copy the pattern and apply it to your own domain name. The regexes also assume for efficiency that the first character is never changed, which is a fairly safe assumption as otherwise the domain would not look similar enough.

1. Character Substitution Regex

This expression identifies a domain where one of the letters has been replaced. It works by checking each position for a substitution (for instance, [^m] means “any character but m”).

@e(?:[^x]ample|x[^a]mple|xa[^m]ple|xam[^p]le|xamp[^l]e|xampl[^e])\.com

Character Addition Regex

This expression identifies a domain where a character has been added. It works by allowing an optional single extra character, written .? in the pattern, between each pair of letters of the legitimate domain, so the pattern still matches when one such character has been inserted.

2. Unrelated From Address, but CEO name in From line.

This is where the CEO’s name will appear in the From “real name” area in the From line (perhaps also with the CEO’s email address). However, the actual From: address is unrelated.

From: “CEO Name” <address@unrelated-domain.com>

Or

From: “ceo.email.address@example.com” <address@unrelated-domain.com>

To identify this sort of attack, header regular expressions can be used to look for the CEO’s name or e-mail address in the From line, combined with an inbound rule. A secure e-mail gateway distinguishes inbound messages, which are addressed to a local recipient, from outbound ones. At the gateway, the CEO should typically never be the sender of inbound mail, only of outbound mail, so a match on an inbound message is suspicious. The regex can be fairly simple, like the one below.

CEO\sName|ceo\.email\.address@example\.com
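The three gateway rules above (the page's substitution regex, an addition regex constructed here from the page's description, and the CEO-name rule applied only to inbound mail) combined into one From: header classifier. This is an added example, not the page's own code or any gateway product's rule syntax; the sample headers and the verdict labels are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Substitution regex exactly as given on the page for example.com: one letter
# of "example" replaced by any other character, first letter assumed intact.
SUBSTITUTION = re.compile(
    r"@e(?:[^x]ample|x[^a]mple|xa[^m]ple|xam[^p]le|xamp[^l]e|xampl[^e])\.com",
    re.IGNORECASE,
)

# Addition regex constructed here from the page's description (assumption):
# an optional extra character (.?) is allowed between each pair of letters.
ADDITION = re.compile(r"@e.?x.?a.?m.?p.?l.?e.?\.com", re.IGNORECASE)

# The unaltered domain also satisfies ADDITION (every .? may match nothing),
# so it must be excluded explicitly.
LEGIT_DOMAIN = "example.com"

# The page's CEO-name rule, with the dots in the address escaped.
CEO_NAME = re.compile(r"CEO\sName|ceo\.email\.address@example\.com", re.IGNORECASE)


def classify_from(header: str, inbound: bool) -> str:
    """Return a verdict for a raw From: header value seen at the gateway.

    inbound=True means the message is addressed to a local recipient; the
    CEO-name rule is only applied in that direction, as the page advises.
    """
    _display, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if SUBSTITUTION.search("@" + domain):
        return "lookalike-substitution"
    if domain != LEGIT_DOMAIN and ADDITION.search("@" + domain):
        return "lookalike-addition"
    if inbound and CEO_NAME.search(header):
        return "ceo-identity-on-inbound-mail"
    return "no-match"


if __name__ == "__main__":
    # Constructed sample headers, modelled on the page's examples.
    samples = [
        ('"CEO Name" <ceo@exanple.com>', True),
        ('"CEO Name" <ceo.email.address@examplle.com>', True),
        ('"ceo.email.address@example.com" <finance@unrelated-domain.com>', True),
        ('"CEO Name" <ceo.email.address@example.com>', False),
    ]
    for hdr, inbound in samples:
        print(f"{classify_from(hdr, inbound):30} {hdr}")
```

Note that the substitution regex does not match the page's own addition example examplle.com, which is why both patterns are needed.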

Employee awareness

Although software and gateway rules are obviously important, it is vital that employees are made aware of this type of e-mail scam and educated about the misspellings in addresses and the warning signs in message content that could indicate a fraudulent e-mail. Additionally, companies must have clear policies in place about how sensitive information is handled and how payments are verified, particularly when requested over e-mail. Having policies ‘set in stone’, and having a computer programme flag a suspicious e-mail, will hopefully give staff the confidence to handle suspicious requests with caution, questioning their superiors rather than simply complying for the sake of convenience.
