Many of us know someone who has been the victim of a scam or fraud. Very recently, a couple of our clients have run across a rather sophisticated form of social engineering that has been making the rounds. It's been called many different names: CEO fraud, spear phishing, man-in-the-email (MITE), and Business Email Compromise (BEC). Whatever you choose to call it, the threat is real. In fact, network technology company Ubiquiti just disclosed that it was defrauded of $46.7 million because of this technique!
The gist of the attack is this:
The scammer researches the person that they want to impersonate. In both of the cases we encountered, they posed as the CEO.
The scammer purchases a domain name that is very similar to the actual company's domain name (e.g. companv.com instead of company.com).
Posing as the CEO, they carefully craft an email to an employee using the phony domain. The employee is usually in the accounting department.
They instruct the employee to initiate a wire transfer and include an attachment with all of the pertinent bank account information, in the hope that the employee will either "obey and pay" or at least reply to the email.
Fortunately, in both cases our clients became suspicious and contacted us immediately. Utilizing Microsoft Office 365's mail flow rules, we were able to take swift action and silently block the fake domain from sending future messages to their company. Also, performing a simple WHOIS lookup on the scammer's domain name yielded their registrar. Most registrars have an abuse email address or phone number that can be contacted to take action on phony domains such as these.
In one case, the scammer even tried again with a different phony domain once the first line of communication went dead.
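Because the scammer came back with a second phony domain, a per-domain block only goes so far. The following is an added example, not code from the original post: a small Python check that flags any sender domain within a couple of character edits of the company's real domain, so companv.com, cornpany.com and company.co are all caught by one rule. The company domain and the From: headers are constructed for illustration.

```python
# Added example: flag inbound senders whose domain is a near-miss of the
# company's real domain. LEGIT_DOMAIN and the sample headers are constructed.

LEGIT_DOMAIN = "company.com"  # assumption: the company's genuine domain
MAX_DISTANCE = 2              # edits away that still count as a lookalike; tune per domain length


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the bare, lower-cased domain from a From: header value."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True if domain is close to the real domain without being it.
    Genuine subdomains such as mail.company.com are not flagged."""
    domain = domain.lower()
    if domain == legit or domain.endswith("." + legit):
        return False
    return levenshtein(domain, legit) <= MAX_DISTANCE


# Constructed From: headers standing in for a mail log.
SAMPLE_FROM_HEADERS = [
    "CEO <ceo@company.com>",           # legitimate
    "CEO <ceo@companv.com>",           # v swapped for y (the case in the post)
    "CEO <ceo@cornpany.com>",          # rn standing in for m
    "CEO <ceo@company.co>",            # truncated TLD
    "Vendor <billing@example.net>",    # unrelated third party
    "IT <helpdesk@mail.company.com>",  # real subdomain, must not be flagged
]


def flag_senders(headers, legit: str = LEGIT_DOMAIN):
    """Return the headers whose sender domain looks like, but is not, the real one."""
    return [h for h in headers if is_lookalike(sender_domain(h), legit)]


if __name__ == "__main__":
    for hit in flag_senders(SAMPLE_FROM_HEADERS):
        print("lookalike sender:", hit)
```

In practice the flagged domains become candidates for a mail flow rule or a registrar abuse report rather than an automatic delete, since a very short domain can be within two edits of an unrelated legitimate one.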
Here are just a few tips to help prevent yourself from becoming a victim of social engineering:
Be vigilant when checking your email and answering the phone. When in doubt, simply call or walk over to the coworker who supposedly contacted you.
Be mindful of what PII (personally identifiable information) you make public on the Internet, both on company and social web sites. Scammers often use this info to glean management hierarchy, vacation schedules, etc.
Frequently change your passwords, and make sure they're complex (but that's its own blog post for another time). While all of the above can easily be accomplished without ever breaking into anyone's computer or email, this is still a best practice.
For more technical information on this exact scam, we also recommend reading the following articles: