November 21, 2019

The so far unidentified CEO of an unnamed company appears to have been conned out of almost $1 million whilst buying a property in Belize, as per Quartz reporting and according to a criminal complaint filed in a US federal court.

Social engineering and a spoof email address to blame

The CEO, referred to as S.K, had reportedly communicated with the seller’s genuine attorney and paid part of the property’s purchase price as a deposit. The buyer then received a new email he thought was from the lawyer with instructions for sending a remaining $918,000 for the property. He then sent the transfer believing it to be headed to a bank account in Belize when actually it went to a Citizens Bank in Boston, US, now appearing to be under the control of the cybercriminals. As per Quartz and the complaint:

“The lengthy email which S.K. received included lawyerly verbiage that gave it the appearance it was from the attorney in Belize. The author included information about Belize-specific regulations on the purchase of property by a foreign company. The email included the standard confidentiality notice and legal disclaimers that are commonly part of emails from attorneys. Lastly, it included a professional signature block with the attorney’s name and contact information.”

The genuine lawyer then revealed the money had never arrived and the victim CEO realized he had been swindled out of nearly $1 million dollars. The last email with the payment instructions was from a spoofed email address which an FBI affidavit says was “deliberately created to deceive the recipient into believing he was communicating with the seller’s attorney.”

It all came down to an extra “s”

What the CEO didn’t realise was that the spoof email address had an extra “s” which with close inspection may have revealed that it wasn’t from the attorney he was dealing with for the property sale. Quartz writes:

“That one easily overlooked detail wound up setting S.K. back six-figures.”

The reporting indicates that half of the near one million dollars was transferred out of the Citizens Bank in Boston to other accounts including with JP Morgan Chase and then onto bank accounts in China and Nigeria. Quartz writes:

“Simultaneously, a man began visiting JPMorgan Chase branches throughout the area, withdrawing thousands of dollars in cash at a time.”

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

CEO fraud is on the increase

Business email compromise, says Quartz, known as “CEO fraud,” reached a value of $26 billion between June 2016 and July 2019 across 177 countries as per the FBI’s Internet Crime Complaint Center.

Email address spoofing is a common attack vector with cybercriminals compromising genuine email accounts and using social engineering tactics and known information to glean further data or money. Quartz says:

“The fraudsters then attempt to convince their unwitting victims to wire money to bank accounts that they actually control.”

In other recent incidences of CEO fraud:

  • Mattel CEO Christopher Sinclair authorized a transfer of $3 million to what he thought was a new supplier in China. It wasn’t but Mattel eventually recovered the money.
  • Ubiquiti revealed in a quarterly earnings report that it had transferred $46.7 million to what it believed to be a company subsidiary. It was a cybercriminal.
  • An unidentified US defense contractor sent millions of dollars worth of sensitive military equipment valued at $3.2 million to international cybercriminals.
  • A UK energy company CEO transferred €220,000 to attackers after an artificial intelligence (AI) powered fake call from his boss.
  • A Texas manufacturing company was scammed out of $480,000 by a cybercriminal impersonating the company’s CEO.

CSO at Cybereason, Sam Curry, told Quartz:

“If an attacker can insinuate themselves between two trusted parties, they benefit from that default to trust by both parties. And that’s the real danger.”

And, Curry says, business email compromise is “effectively the next generation of cons.”

Quartz adds:

“The FBI recommends all companies have strong verification protocols in place for large transactions—a phone call to confirm the payment request is legitimate, would be a good start—and use two-factor authentication to verify requests for any changes to account information. Be alert for slightly misspelled names and hyperlinks that redirect to misspelled URLs.”

Security awareness training and simulated phishing attacks can help

One of the greatest cyber-defences against business email compromise and other email attacks like phishing and those that use social engineering tactics is security awareness training. Simulated phishing attacks can form part of this and both these educational elements of a cybersecurity strategy can be conducted at every level of a business, from CEO down. Sign up for a free demo and find out how we’re already helping organisations just like yours.

Share this: