So, you’re minding your own business working through your day-to-day battle of never ending emails and sorting through all the stuff you should have finished yesterday. Suddenly an urgent email drops into your inbox from the boss, asking for an urgent transfer of £8000 to a designated bank account. It’s not overly unusual: it’s from the boss himself and he called you by your office nickname. Grrr another job to do straight away that’s going to push all those other urgent jobs back even further, better get on with it! NO, STOP, have you actually double-checked it’s him?
This could be something called CEO Fraud, a modern take on deception specifically designed to trick you into doing something that you think you have permission to do but the real CEO did not action. Once successful, the money is filtered off to other accounts and then the original account is closed down creating such a trail that the chances of getting the money back is extremely low and in most cases almost impossible.
With so many instances of data theft so much of our data is already available in the cloud. Whilst we may not see the significance of our emails and or texts falling into the wrong hands it could show someone exactly how you communicate with others: you may “speak” a certain way in your emails, it may appear blunt, cheeky, flirty or very abrupt and to the point but ultimately it will form a digital footprint of your daily communication that could be emulated to form the next successful targeted attack.
What can you do to ensure you’re not the victim of this skulduggery?
You could have procedures in place to ensure any money transfers are backed up by at least 2 authorised personnel. It may seem like a pain in the proverbial but just like most insurance procedures (i.e. backups and antivirus) it could save you thousands. Make sure you double-check the email address, where it is from and any locations it is going too for intentional spelling errors: it is easy to misdirect you with substituted letters to throw you off the scent. Make a phone call or preferably text them with a cryptic question only he or she would know. Bear in mind using email to ask the question may not be the best idea in case their account has been hacked. I honestly doubt any senior manager will have a problem with you being careful with their money, after all you are only doing your job!
Also if this has actually happened to you don’t ignore it, make sure you let someone know. Your tech administrator should know so they can check to see if there has been a wider compromise. Let the CEO know, it may trigger an event reminder for something that happened that could lead to the point in time when the compromise first happened that could also be passed on to the administrator.
by Mark James, ESET IT Security Specialist