Welcome back to Antidote to the Wire Fraud. In part 1, I shared what is happening, the impact of it, and the disclosures of some very public companies and how much they’ve lost.

This is part 2, in which we share what we have seen at our clients and at companies that we know. We show actual emails that those companies received.

Scammers use social engineering to:

  1. Send a spoofed email to an employee, allegedly from the CEO or CFO, citing a “confidential deal”
  2. Hack into a senior executive’s actual email account
  3. Change the email header to disguise the true source
  4. “Spoof” an email address by buying up internet domains that look just like the company’s legitimate domain — “exannple.com” for “example.com”
  5. Send a spoofed email to an employee (often in Accounting – AP), allegedly from a vendor, asking to change the vendor’s address and payment information in the system
  6. Open sham bank accounts to receive the funds

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

The scammers are targeting finance and accounting departments with urgent requests to wire money for confidential deals or transactions.

 

Spoof email to employee allegedly from CEO or CFO citing a “confidential deal”

Fig. 1 – Spoofed email to employee allegedly from CEO

One spoofing method used is sending emails to employees allegedly from the CEO or CFO citing a confidential deal or asking employees to contact an outside attorney for further instructions.

In one case that I’m aware of, the scammers emailed the controller. The message looked like an email from the CEO to the controller, and it said, “You are the only person I’m trusting with this information. We have a confidential deal that is happening. Here is the name and contact of an outside attorney that we are using for this transaction.”

The scammers have gotten so sophisticated that they will actually set up a website for a fake law firm so that when you go to this particular website or look into this law firm’s domain name, it looks legitimate. They want you to think, “Ah, this is an M&A deal, which is why not a lot of people know about it. This is why we are working with an outside attorney.” That fake attorney then takes over and starts to give you instructions on what to do and, eventually, to wire money to them.

 

Hack into a senior executive’s actual email account

Fig. 2 – Hacked email of senior executive

The second spoofing method is actually hacking directly into a senior executive’s email account and sending the fraudulent wire instructions from there.

Here’s an example sent from a CEO’s hacked email account.

Fig. 3 – hacked email account due to phishing

The CEO was from a venture capital firm and the scammers managed to hack into his email account. In my discussion with the CEO, he said he made several mistakes. He used only a password to access his e-mail account. The whole company’s email is hosted on Google and he normally uses one email password.

In this case, the CEO had also saved over 10,000 e-mails from the past 10 years of correspondence in his e-mail folders, so they were easily accessible. The hackers could then read his life as it happened in email. The example I’m showing is a real email that the real CEO sent. For the fake e-mail, the scammers took a copy of the real email so that they could use his exact tone and the way that he would correspond.

The scammers figured out that Linda was his accountant and they faked some emails to her. The first one that they faked was sent on a Sunday. They created a new folder in the Gmail account and also created a rule that automatically routed any responses from Linda into this folder.

This kept the real CEO from seeing the back-and-forth conversation with his accountant. The other clever thing that the scammers did was to delete the actual email that they sent to Linda from the “sent” folder, in case the real CEO was going through his sent e-mail and noticed it. They were quite clever at how they were managing this.
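The hidden-folder rule described above is something a mailbox audit can catch. The following is an added example, not part of the original post: it assumes the account's rules have been exported in the shape of Gmail API filter resources (`criteria` and `action` with label IDs), and it goes slightly beyond the story by also flagging rules that forward mail outside the company. The addresses, label IDs and the `audit_filters` name are constructed for illustration.

```python
# Added example: audit exported mailbox rules for ones that hide mail.
# SAMPLE_FILTERS is constructed; addresses and label IDs are placeholders.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "news@newsletter.invalid"},
     "action": {"addLabelIds": ["Label_3"]}},
    {"id": "f2", "criteria": {"from": "linda@example.com"},
     "action": {"addLabelIds": ["Label_9"], "removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f3", "criteria": {"subject": "invoice"},
     "action": {"forward": "archive@mailbox.invalid"}},
]


def audit_filters(filters, company_domain, watched_senders):
    """Return (filter_id, severity, reasons) for each rule that hides or diverts mail."""
    watched = {s.lower() for s in watched_senders}
    findings = []
    for f in filters:
        criteria, action = f.get("criteria", {}), f.get("action", {})
        removed = set(action.get("removeLabelIds", []))
        added = set(action.get("addLabelIds", []))
        reasons = []
        if "INBOX" in removed:
            reasons.append("skips the inbox")
        if "UNREAD" in removed:
            reasons.append("marks as read")
        if "TRASH" in added:
            reasons.append("deletes on arrival")
        forward = action.get("forward", "").lower()
        external = bool(forward) and not forward.endswith("@" + company_domain)
        if external:
            reasons.append("forwards to " + forward)
        if not reasons:
            continue  # label-only rules do not hide anything
        # Hiding replies from a finance contact, or sending mail outside, is
        # the pattern to escalate; other hits go to the mailbox owner to confirm.
        targeted = criteria.get("from", "").lower() in watched
        severity = "high" if targeted or external else "review"
        findings.append((f["id"], severity, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTERS, "example.com", ["linda@example.com"]):
        print(finding)
```

A rule audit does not reveal messages deleted from the “sent” folder, so it complements a review of sign-in activity rather than replacing it.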

The hackers sent it out on Sunday night and Linda, the accountant, received it on Monday and started the email conversation with some follow up questions like “how do you want this done?” This whole time, the real CEO was oblivious to this conversation.

Linda finally got suspicious when the scammers said something that seemed unusual to her. The scammers said “I will be travelling this week. Please approve this wire in my place.” Linda was very suspicious because the normal mode of operation is that the office manager would be the one approving any wires if the CEO was travelling. Linda contacted the office manager and up to that point, the CEO still did not know that his email account had been hacked.

When the accountant actually showed the CEO his email, it looked exactly the way he would have written it, his signature, everything was there. Once the CEO realized that his account had been hacked, he requested to see all the computers that had access to his email account. To his knowledge, he only used two, his laptop and his iPad.

But when the CEO looked at the list of computers, he saw a dozen computers. There was a computer from Redwood City, one from LA, others inside the US and others outside of the US, including Algeria. So he knew that his account had been compromised and that multiple people were probably scanning his hard drive.

 

Change the email header to disguise the true source

Fig. 4 – Changing email header to disguise true source

The other way to phish is by changing the header of the email request to disguise the true source, making it look like the e-mail is from someone you know. This usually happens because the hackers don’t own your domain name, so they change the email headers so that the message looks legitimate. The way that they are doing this is not sophisticated and relies more on social engineering. They are data mining publicly available information to mimic e-mail addresses of high-ranking company executives. They are researching employees’ responsibilities and titles so they know who to target.

If you look on any company’s website, private or public, you can easily see the management team. You see the CEO and the CFO names. Spammers are now using social media and publicly available information. In the past, we have seen spam that hits everybody that says “send me money, I’m in Nigeria”. In this case, it is targeted, which makes the methods very believable. That’s called spear phishing.
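A changed header usually leaves other headers that disagree with the visible sender. The following is an added example, not part of the original post: it parses a constructed message and lists where Reply-To, Return-Path and the receiving server's authentication results contradict the From address. The names, addresses and the `header_findings` function are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; names, addresses and results are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.invalid>
From: "Pat Lee" <pat.lee@example.com>
Reply-To: "Pat Lee" <pat.lee@exannple.com>
To: controller@example.com
Subject: Wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=example.com

Kindly confirm back to me that you are in the office.
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def header_findings(raw):
    """List the reasons a message's headers disagree with its visible sender."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    # Replies would go somewhere other than the address the reader sees.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To {reply_dom} != From {from_dom}")
    # Weak signal on its own: bulk senders legitimately use another bounce domain.
    bounce_dom = domain_of(msg["Return-Path"])
    if bounce_dom and bounce_dom != from_dom:
        findings.append(f"Return-Path {bounce_dom} != From {from_dom}")
    # Only trust this header when your own receiving server added it.
    auth = (msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{check}=(\w+)", auth)
        result = match.group(1) if match else "missing"
        if result != "pass":
            findings.append(f"{check}={result}")
    return findings


if __name__ == "__main__":
    print("\n".join(header_findings(SAMPLE)))
```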

Fig. 5 – Wire fraud Scam

Another version of this scam installs malware on the system when an employee clicks on a compromised website link that was e-mailed to them. Although this method is less common, they can actually get your email and take control of it.

 

“Spoof” an email address by buying up internet domains that look just like the company’s legitimate domain

Fig. 6 – Spoofed email address

Scammers spoof an email address by buying up Internet domain names that, when your eyes quickly pass over them, or to a vendor who’s not familiar with the real one, look like they came from the company.

In this example, “exannple” is spelled with two N’s instead of “example” with one “M”. When we are in a hurry, our eyes see what we want to see.
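A mail gateway or an accounts payable checklist can catch this substitution mechanically. The following is an added example, not part of the original post: it collapses letter sequences that read alike (such as “nn” and “m”) and also measures edit distance against a list of domains you actually use. The `PROTECTED` list, the `CONFUSABLES` table and the function names are assumptions made for illustration.

```python
# Added example: flag sender domains that imitate a protected domain.
PROTECTED = ["example.com"]  # assumption: domains your company and vendors really use

# Constructed table of character sequences that read as another letter at a glance.
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(domain):
    """Collapse visually confusable sequences to one canonical form."""
    d = domain.lower().strip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, protected=PROTECTED, max_distance=2):
    """Return (verdict, matched protected domain or None)."""
    s = sender_domain.lower().strip(".")
    for p in protected:
        if s == p:
            return ("exact", p)
    for p in protected:
        # Same skeleton catches "nn" for "m"; distance catches added or dropped letters.
        if skeleton(s) == skeleton(p) or edit_distance(s, p) <= max_distance:
            return ("lookalike", p)
    return ("unrelated", None)


if __name__ == "__main__":
    for d in ["example.com", "exannple.com", "examp1e.com", "contoso.org"]:
        print(d, classify(d))
```

Subdomains of a protected domain are not handled here; compare the registered domain only.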

This next spear phishing email was sent to another company. The domain name was spoofed.

Fig. 7 – Fake Email from scammer

It was allegedly sent from the CEO to the CFO. There are a couple of mistakes here, which is why the company was able to catch it. The email said “Good morning how are you doing this morning? Kindly confirm back to me that you are in the office, I want to initiate a wire transfer of $62,700 this morning. Confirm back to me so I can provide you the bank instructions of the beneficiary as soon as possible. Kindly advice.”

The word “kindly” was used in two places and the grammatically incorrect “kindly advice” tipped off the CFO. This was a smaller organization and the CFO read it and thought to himself “that just doesn’t sound like my CEO. His speech and emails don’t use kindly and just this phrasing is very clumsy.” That prompted a conversation where the CFO popped into the CEO’s office and talked to the CEO. The CEO was oblivious of this request because it wasn’t him.

 

Spoofed email to employee (often in Accounting or AP) allegedly from a vendor asking to change the vendor’s address and payment information in the system

Fig. 8 – Spoofed email to employee from a vendor address and payment information

Another variation of this spoofing is sending an email to accounts payable, purporting to be from a vendor. The scammers ask to change the vendor’s address and payment information in the system. This one is very clever because the vendor already exists in your system and oftentimes there are many common vendors that many companies use. Let’s say an IBM, a Dell, Apple computers. That payment could be routed to a different bank account or mailing address where they can cash the check.

 

Open sham bank accounts to receive the funds

And, finally, scammers are opening up sham bank accounts to receive the funds. As you can see, the scammers are quite clever in how they are doing this.

 
Summary

To recap, here is what we covered today. Scammers use social engineering to:

  1. Send a spoofed email to an employee, allegedly from the CEO or CFO, citing a “confidential deal”
  2. Hack into a senior executive’s actual email account
  3. Change the email header to disguise the true source
  4. “Spoof” an email address by buying up internet domains that look just like the company’s legitimate domain — “exannple.com” for “example.com”
  5. Send a spoofed email to an employee (often in Accounting – AP), allegedly from a vendor, asking to change the vendor’s address and payment information in the system
  6. Open sham bank accounts to receive the funds

 
