Convincing an unsuspecting treasurer or controller to wire money into the wrong hands seems like a difficult task, however, thieves are proving it’s possible. Whaling attacks, which are specifically directed at senior executives and other high profile targets within businesses are quickly becoming more convincing with well-researched spear phishing emails, ultimately allowing them to impersonate a company officer well enough to hook corporate officials into wiring funds in the wrong direction.
Here’s how a scam like this can play out:
Initially a thief will choose a company to target. Once the target company is established, they do the necessary research by sifting through records and various public company web pages and associated corporate social media outlets to identify the correct company executives to incorporate in their scam.
From there, the phisher determines the name and email address of the president or CEO of the company, and the name and email address of the treasurer or whoever has the authority to execute financial transactions for the company.
Once the correct name and emails are retained, the phisher will register a domain that upon a quick glance, will appear exactly like the company’s actual domain. This is accomplished by using simple keyboard tricks like combining two letters to look like one, or replacing the letter “l” with the number “1” – the possibilities are endless. Here’s an example:
Theoretical example: company.com
Thief’s forged domain: cornpany.com
Depending on the font, these two domains may be almost indistinguishable — even when they’re placed right next to each other. Once the factitious domain is established, the email addresses fall nicely into place. For example, “ceo@cornpany.com” sure looks a lot like “ceo@company.com” when it’s sitting in your inbox. Would you notice?
Often, the “From” header is the real CEO’s email address, and there is a “Reply-To” header with the “look-alike domain” address. We’ve seen a few cases where the domain registered for collecting replies doesn’t resemble the target domain at all.
Additionally, some cheapskate thieves don’t bother with registering a domain at all, and just use a throwaway account at a free email provider like Hotmail or Yahoo. The “From” address is often the real email address of the CEO, with a “Reply-To” header to divert replies back to the thief. This might be considered less suspicious than the “look-alike” domain. In this case there’s always a chance that the CEO really does have a personal Gmail account that he uses from home or when on the road. To complicate matters further, there are many “free email” domains that are less well known, like execs.com, which is perfect for this sort of scam.
If the target replies to the scam, responses are directed to the thief who’s impersonating the CEO. And if by chance the target questions the expenditure or shows any resistance, the fake CEO will reply, emphasizing the urgency of getting the payment sent immediately.
This isn’t the only way a scam like this can work. Another approach we’ve seen is a bit more casual, where the text of an email may be nothing more than something like this: “Bob, are you in the office? It’s urgent that we get an overdue payment sent by wire transfer today. Email me when you get this, and I’ll send the details.”
With those scam angles in mind, below are some real-world examples of similar attacks. Only the names, addresses, and account numbers have been changed.
In this first example, note the doubled “i” in the “From: Bob CEO” domain name (the fake CEO). This was a domain registered at a “free domain hosting” place for the purpose of this fraud attempt.
| From: Bob Ceo <bob.ceo@iriistarget.com>To: Raymond.Controller@iristarget.com
Subject: Fwd: Wiring instructions Ray, Process a wire for $221,335.46 to the attached instructions, charge to admin expenses. Send me the wire confirmation once completed. Bob ———— Forwarded message ———— From: Thomas Treasurer <tom.treasurer@iristarget.com> Date: Apr 15, 2014 Subject: Wiring instructions To: Bob.Ceo@iristarget.com Bob, Per our conversation, attached is the wiring instructions. Forward wire confirmation when you have it. Thanks, Tom Attachment: name=”NINGBO ELECTRONIC WIRING INSTRUCTIONS.pdf” NINGBO ELECTRONIC WIRING INSTRUCTIONS BANK NAME: DAH SING BANK BANK ADDRESS: NO.162, CASTLE PEAK ROAD, YUEN LONG, NEW TERRITORIES, HONGKONG ACCOUNT NAME: BETTERFORYOU (NINGBO) ELECTRONIC CO LTD SWIFT CODE: XXXXXXXX ACCOUNT NUMBER: XXXXXXXXXXXXXXX |
| From: Ray.Controller@iristarget.comTo: Bob Ceo <bob.ceo@iriistarget.com>
Subject: Re: Wiring instructions Bob: I will do it only because it is you that is asking as the CEO. However, I am uncomfortable in deviating from our normal procedures which would be to have an approved P.O. in the system, particularly for this amount, followed by a the receipt of goods and an invoice. Obviously, an invoice of this amount will have a serious impact on this month’s performance and without knowing any other information I am hard pressed to know whether it could be booked differently to spread the financial impact over a broader period of time. Please understand it is part of my job requirement to inquire about items of this nature regardless of the source of the request. I will wire the funds this afternoon. Also, for overseas wires we need the company address. Respectfully, Ray. |
| From: Bob Ceo <bob.ceo@iriistarget.com>To: Ray.Controller@iristarget.com
Subject: Re: Wiring instructions This is for office supplies. was able to get company address – 84 Jervois Street, Sheng Wan, Hong Kong. |
| From: Ray.Controller@iristarget.comTo: Bob Ceo <bob.ceo@iriistarget.com>
Subject: Re: Wiring instructions Without trying to be a smartass, we don’t spend $80K a year between both companies on office supplies. Is the amount $221,335.46 correct or is it a typo. This is a big number that would have been helpful in knowing for “cash flow” planning purposes. |
| From: Bob Ceo <bob.ceo@iriistarget.com>To: Ray.Controller@iristarget.com
Subject: Re: Wiring instructions Will give you more info on this later. You can have it booked differently for the financial impact to be spread. I will request for the wire confirmation when I need it. Bob |
| From: Bob Ceo <bob.ceo@iriistarget.com>To: Ray.Controller@iristarget.com
Subject: Re: Wiring instructions That actually was a typo. Go ahead and wire $121,335.46. |
It was at about this point that “Ray” figured out he wasn’t talking to the real CEO, and broke off communication. This particular attack used a foreign bank, however, we’ve recently seen similar attacks like this that use a domestic bank and ask for smaller amounts of money. The large amount here seems to have been one of the things that triggered Ray to question the transfer.
In the next example, the crook tried to social engineer the information he would need to do his own wire transfers. Basically, use email communication to convince the target to break normal security procedures. In this case the thief also used an aol.com Reply-To address.
| From: “Bob Ceo” <b.ceo@ivyleague.edu>Reply-To: “Bob Ceo” <privatemaildrop@aol.com>
To: Mary.Controller@ivyleague.edu Subject: Request Hi Mary, Hope you are having a splendid day. I want you to quickly email me the details you will need to help me process an outgoing wire transfer to another bank. I will appreciate a swift email response. Thanks. Bob Ceo |
Fortunately, Mary wasn’t fooled and never responded to the thief.
Not all “free email” domains are the ones you might expect, like Gmail, Hotmail, or Yahoo.
| From: “Bob Ceo” <bob.ceo@address.com>Reply-To: “Bob Ceo” <company_ceo@execs.com>
To: Ray.Controller@address.com Subject: Today Steve, How soon can you process a domestic wire transfer? I need a transaction taken care of. Thanks, Bob Ceo |
| From: “Bob Ceo” <bob.ceo@address.com>Reply-To: “Bob Ceo” <company_ceo@execs.com>
To: Ray.Controller@address.com Subject: Fw: Wiring Instructions Ray, process a wire of $74,660 to the attached information, and code it to professional expenses. I will forward support later. Email me when it has been processed. ———- Original Message ———— From: “Tom Treasurer” <tom@some-other-place.com> To: “Bob Ceo” Subject: Wiring Instructions Per our conversation, I have attached instructions for the wire. Let me know when it has been processed. Tom Treasurer Accounts Department Attached File: WiringInstructions.pdf WIRING INSTRUCTIONS BANK: MAJOR NATIONAL BANK BANK ADDRESS: P.O. BOX 4533, MULE TEAM, TX 74343 BENEFICIARY: MOLLY MOULARI BENEFICIARY ADDRESS: 1313 MONEY MULE DR, MULESKINNER, TX ACCOUNT NUMBER: xxxxxxxxxx ROUTING NUMBER: xxxxxxxxxx |
The domain “execs.com” used here is a free mail domain at mail.com. They have hundreds of different “free email” domains that you can choose from. In this case, the spam filter was able to identify and quarantine these emails. Unfortunately, in this case, Ray got his daily “quarantined email” report, said “Oh, no, the spam filter is blocking important email from my boss!” and replied to the thief.
In most of the recent examples we’ve seen, money will typically be wired to a well-known U.S. bank where the account belongs to a real person, with a real address. However, a week ago Molly answered a spam email titled, “Make Money Working Part Time From Home,” and she now thinks she’s working for a legitimate company, processing payments transferred to her personal account, and sending them to the home office in Shanghai or wherever — minus her commission.
When the fraud is discovered, and the FBI comes looking only to find the trail ending at Molly — she could be on the hook for all the money that went through her personal account.
There’s no way to stop thieves from crafting scams like these, but you can protect yourself and your business by staying defensive with user vigilance and clear, secure company policies regarding how financial transactions can be authorized. Even when a spam filter detects and quarantines email threats, the company can still get stung if the recipient views a quarantine report and thinks, “Oh no, the spam filter blocked an email from the CEO.”
The bottom line is that money should never be transferred based on an unauthenticated email. Everyone up to the CEO should sign off on a clear policy stating that a wire transfer can never be ordered with just an email. Additionally, everyone with the ability to initiate a wire transfer, should know never to do so based on just an email, no matter who it’s from — even if it is the CEO.
- A World Full of Spear Phishing: What it is, and What to Look Out For - February 22, 2016
- Whaling attempts could cost you your job and lose cash for your company - July 2, 2015
