Guarding Against Executive Impersonation Fraud


A recent Mimecast report has shown that 38% of company C-level executives have been victims of email-based spoofing as part of phishing attacks.

Given that phishing attacks themselves are increasing, organizations are likely to see ever more spoofing. 

But why is this type of attack on the rise and why are senior executives being targeted? 

Targeting the top

The most reliable way for a cyber-attacker to penetrate an organization is by ‘social engineering’: deceiving employees. 

The aim is generally to make users click on a link or open an email attachment, both of which activate malicious software and secretly grant access to systems and data. The bolder professional cyber-attackers use individually-crafted emails (‘spear-phishing’), regarding senior executives either as targets or as a ‘Trojan horse’ to attack others. 

Executives are attractive because they have ready access to secrets, and they can also influence other colleagues to inadvertently do what the attackers want. Here are some of the proven tricks we see today:

1. Masquerading as the boss

Smart hackers can send emails which look as though they come from your account, or the boss’s account. By exploiting the inherent importance of an email from a senior executive, they can con people into doing things they would never normally do.

Below is an email sent to staff in cyber-security firm Mandiant (which in 2013 exposed a massive and apparently official Chinese cyber-espionage effort worldwide).

It appeared to come from the CEO, with a malware-laden attachment called “Internal_Discussion_Press_Release_In_Next_Week8.zip”.  The attackers had created a webmail account in the CEO’s name specifically for this attack.

[Figure 1: the spoofed email sent to Mandiant staff, apparently from the CEO (image not reproduced)]

2. Should have gone to Specsavers?

A similar technique involves imitating genuine email addresses by exploiting similarities in characters in some fonts.

In the example below, based on a genuine spoof but using a fictional company, can you see which of these uses a ‘1’ instead of an ‘l’ in ‘lowes-bank’?

alex.bloggs@lowes-bank.com

alex.bloggs@lowes-bank.com
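The two tricks above (an executive's name on a freshly created webmail account, and a domain that differs from the real one only by a look-alike character) can both be caught at the mail gateway before a reader ever has to squint at the address. The following is an added example, not code from the original post or from Fujitsu: it classifies the `From:` header of an inbound message against an assumed corporate domain and an assumed list of executive names, using a small, constructed table of characters that are confusable in common fonts.

```python
import re
import unicodedata

# Assumed values, constructed for this example: the organisation's real domain and
# the executives whose names an impersonator is likely to borrow as a display name.
CORPORATE_DOMAIN = "lowes-bank.com"
EXECUTIVES = {"alex bloggs", "jane doe"}

# Characters that look alike in many fonts. Each maps to a canonical form so that
# "1owes-bank" and "lowes-bank" reduce to the same string. The table is deliberately
# small; a production filter would use a fuller confusables list.
CONFUSABLES = {"1": "l", "i": "l", "0": "o", "rn": "m", "vv": "w"}

def skeleton(domain: str) -> str:
    """Reduce a domain to a 'skeleton' in which confusable characters are unified."""
    s = unicodedata.normalize("NFKC", domain).lower()
    for lookalike, canonical in CONFUSABLES.items():
        s = s.replace(lookalike, canonical)
    return s

def classify_sender(from_header: str) -> str:
    """Classify an RFC 5322 From: value such as 'Alex Bloggs <alex@example.com>'."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<?([^<>\s]+@([^<>\s]+))>?\s*$', from_header)
    if not m:
        return "unparseable"
    display = m.group(1).strip().lower()
    domain = m.group(3).lower()
    if domain == CORPORATE_DOMAIN:
        return "internal"
    if skeleton(domain) == skeleton(CORPORATE_DOMAIN):
        return "lookalike-domain"          # e.g. 1owes-bank.com posing as lowes-bank.com
    if display in EXECUTIVES:
        return "executive-name-external"   # the boss's name on an outside (e.g. webmail) address
    return "external"

if __name__ == "__main__":
    # Constructed sample headers, one per case the filter distinguishes.
    for hdr in ["alex.bloggs@lowes-bank.com",
                "Alex Bloggs <alex.bloggs@1owes-bank.com>",
                "Alex Bloggs <alexbloggs99@webmail.example>",
                "Someone Else <someone@other.example>"]:
        print(f"{classify_sender(hdr):24} {hdr}")
```

Messages tagged `lookalike-domain` or `executive-name-external` are the ones worth holding for the out-of-band check described later in the post.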

3. Faking authenticity with inside information

Determined attackers research their targets carefully using social media, public company records, and other information sources in order to send individualized messages to specific employees.

Showing inside knowledge gives authenticity, and reduces the chance of the recipient spotting the message as suspicious. In a real-world example, attackers knew that a senior executive was at a conference in Spain. They sent a Hotmail message to ‘his’ PA referring to that fact and asking her to forward an attachment to the Finance Director in his absence.

4. Using urgency and/or "juicy" information to undermine security

To undermine normal security, attackers often make their message urgent (“I need your comments by first thing tomorrow!”). 

Or they play on people’s natural curiosity, saying that it concerns promotions, salaries, bonuses or redundancies.

Reducing the risk

Phishing attacks provide some of the best returns for hackers, which is why they are increasing. 

Even if the recipient is security-aware, the clever ruses listed above can often trick them into activating the malware. 

So how can we reduce the risk of becoming a victim? A good start is to ask yourself the following key questions as a 3-part filter when you first receive an external email: 

  1. Am I being asked to click on a link or open an attachment?
  2. Is this communication unexpected, or in any way odd?
  3. Does it come from a personal or unusual email address?

If you answer yes to all these questions, contact the sender by different means (by phone, for example) to check.

Until you have verified the sender, DO NOT CLICK ON ANY LINK OR OPEN ANY ATTACHMENT (you’d be amazed how many people do so out of misguided curiosity!). 

Tell your IT Security team straight away because the chances are that you are not the only recipient.  Your vigilance could save your organization from the reputational and financial catastrophe of an avoidable cyber-attack. 

Fujitsu’s Security Consulting Services offer you independent information security consultant expertise and advice for your business, and the design, implementation, and integration of the security controls that you need to put this insight into action.

Get some of the latest security insights in our video interview below, from Fujitsu World Tour 2019 in London.