blog / Apr 20, 2017

Executive Impersonation Fraud Is on the Rise—and It Is Working

by Mike Levin, Center for Information Security Awareness


In 2007, Michael Levin retired from the United States Department of Homeland Security after a distinguished thirty-year career in law enforcement. Michael served at the Department of Homeland Security as the Deputy Director of the National Cyber Security Division. Michael previously served as the Branch Chief of the U.S. Secret Service Electronic Crimes Task Force program in Washington DC. Michael was a member of the Secret Service Electronic Crimes Special Agent program and worked around computer forensics and cybercrime investigations for over fifteen years. After this distinguished career and seeing the need, Michael founded the Center for Information Security Awareness. The CFISA (cfisa.org) brought together a group of leading academics, security and fraud experts to explore ways to increase security awareness among many audiences, including consumers, employees, businesses and law enforcement.


Executive impersonation scams are on the rise, costing businesses billions of dollars annually. Organizations of all sizes can be targeted and fall victim to these crimes. Understanding how these crimes are committed and the numerous variations and vectors of attack will help reduce the possibility that your organization will be victimized.

Overview

Let’s face it, executives provide a target-rich environment for cybercriminals! Company executives and the employees who support them are frequently targeted in these scams. Why? Because executives commonly issue orders involving large sums of money or critical data, and their orders are obeyed, sometimes without question. Scammers have learned to take advantage of this opportunity.

To pull off this crime, scammers go to great lengths to compromise or spoof company email or use social engineering to assume the identity of the CEO, executive, company attorney, or a trusted vendor or customer. The criminals do their homework to develop a good understanding of the victim’s normal business practices.

The FBI categorizes executive impersonation scams as a variation of the Business E-mail Compromise (BEC) scam.[1] It defines BEC as a sophisticated scam targeting businesses that work with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.[2]

Statistics indicate that victims in these crimes belong to no particular industry or business sector. The criminals might stumble across a compromised business email system through a phishing scam or specifically target a vulnerable business.

Scenarios

The FBI’s Internet Crime Complaint Center (IC3) reports several basic scenarios associated with this crime. In many of these cases, the victim businesses used electronic funds transfer (EFT), automated clearing house (ACH) transfers, or wire transfers as a method of payment. But businesses that made payments with checks were also targeted.

Scenario #1: Data Theft

In a data theft scenario, one or more of the victim company’s executives’ email addresses are compromised. Next, an associate employee who is responsible for handling W-2 forms, payroll, or other company employee personally identifiable information (PII) is contacted using the executive’s email address. Frequently, the targeted individual is someone in Human Resources, Payroll, Finance, or Audit, and the request by the executive often expresses an urgent need for payroll or other PII data. This crime has recently ramped up due to tax season and the associated urgency to get tax returns completed.

Scenario #2: Executive EFT and Wire Transfer Request

This scenario also involves what appears to be the executive as the initiator of the request. The email account of the executive is compromised; the request could be made through a hacked or spoofed email address. In some cases, the criminals have hacked into the email system and determined the normal business process for EFT transfers. The criminals then send the fraudulent executive email to the company employee who normally handles the EFT process and request that the EFT be made to a customer, vendor, or financial institution.

In a variation of the executive wire transfer scam, the executive is targeted with an email that appears to be from a trusted vendor, customer, or foreign supplier. The email generally matches prior successful EFTs that have been completed in the past. In many cases, faxes or phone calls corresponding to past legitimate requests are also involved.

Scenario #3: Executive and Attorney Impersonation

This scenario is very similar to scenario #2, but the spoofed sender is not an executive. In this case, the victim’s business can be contacted via a hacked or spoofed email account, phone call, fax, or text message. The email purports to be from a company executive or attorney claiming to be handling a confidential or time-sensitive transaction. The criminal impersonator concocts a story that the company is in the process of acquiring another company and the issue is time sensitive and confidential. In some instances, the company executive is contacted by a known supplier, vendor, or customer requesting that the EFT be initiated with a sense of urgency.

Figure 1: Typical scenarios in executive impersonation scams

How You Can Protect Your Company

Executive impersonation fraud is a crime for which security awareness training can help reduce risk. Being aware of new crimes and scams in the news is a fundamental part of security awareness training. Ensuring that employees are aware of this scam will greatly reduce the likelihood that your company will be victimized.

Here are eight things you can do (listed in no particular order) to head off these types of scams:

  1. Every business needs strong internal prevention processes and procedures when dealing with all EFT requests. In many cases, the requirement for a simple, direct confirmation phone call would prevent these crimes from occurring.
  2. All EFT requests should be held for a period of time with strict external verification procedures. Any request for sensitive data or EFT transfers that involves secrecy or quick action should be viewed as suspect.
  3. Use the “Forward” option on suspect email messages instead of “Reply” or “Reply All.” By forwarding the message to the sender, you increase the likelihood that you will use the legitimate email address from your address book and not a spoofed address from the original email.
  4. Review and restrict information posted on company websites and social media sites that provide details of individuals’ job duties and the organizational structure of the company.
  5. Beware of supplier account changes, and when you establish the relationship, arrange a backup authentication method that’s separate from email to avoid interception by the hacker.
  6. Always utilize a backup alternative method to authenticate and verify a request prior to sending funds or data.
  7. Provide ongoing security awareness training for employees to keep them updated on the latest security scams.
  8. Block spoofed emails from reaching your organization by configuring your mail services with SPF and DMARC.[3]
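Publishing SPF and DMARC records (item 8) only blocks spoofed mail if the policy values are enforcing: an SPF record ending in `~all` or `+all`, or a DMARC record with `p=none`, still lets impersonated messages through. The Python script below is an added illustration, not part of the original post; it audits constructed sample records (the domain names and addresses are made up) and reports the settings that leave a domain spoofable.

```python
# Constructed sample records for illustration; they are not from any real domain.
SPF_WEAK = "v=spf1 include:_spf.example.net ~all"
SPF_STRONG = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_STRONG = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

def spf_findings(record: str) -> list:
    """Return weaknesses in an SPF record; an empty list means unlisted senders hard-fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower().lstrip("+")  # '+all' and 'all' are equivalent
    if last == "all":
        findings.append("'+all' lets any host send as this domain")
    elif last == "~all":
        findings.append("'~all' (softfail) only marks spoofed mail; use '-all' once senders are known")
    elif last != "-all":
        findings.append("'?all' or no trailing 'all': unlisted senders are treated as neutral")
    return findings

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record: str) -> list:
    """Return weaknesses in a DMARC record; an empty list means spoofed mail is rejected."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    enforcing = policy in ("quarantine", "reject")
    if not enforcing:
        findings.append(f"p={policy or 'missing'}: spoofed mail is monitored but still delivered")
    # pct defaults to 100; anything lower applies the policy to only a sample of messages.
    if enforcing and int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the spoofed mail")
    # sp defaults to p; an explicit sp=none leaves subdomains open to spoofing.
    if enforcing and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports to reveal spoofing attempts")
    return findings
```

Run the two functions against your own domain's TXT records (for example, the output of `dig TXT _dmarc.yourdomain.example`) to see which settings still need tightening.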



To read more from Michael Levin, please visit The Center for Information Security Awareness blog at cfisa.org/security-blog.html.
