The rising threat of CEO impersonation emails

In recent months, there has been a significant increase in a specific type of fraud used to embezzle money from companies of all sizes.

This simple, yet highly effective fraud, exploits finance functions where there is often a lack of suspicion and awareness to these types of schemes – called CEO fraud it has already cost some organisations over £3,000,000. In one specific case cyber thieves stole $46.7 million from networking vendor Ubiquiti – http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/

Hallmark features of the scam

skilful impersonation of a CEO or other senior executive of the victim company;

  • a request, usually to the finance department of a foreign subsidiary, for payment to be made outside the normal approval processes to facilitate a “confidential transaction” in China;
  • comparatively modest amounts at stake;
  • a demand by the bogus CEO or other senior executive that the payments be kept highly confidential;
  • invoices emanating from China; and
  • payments to be made to banks, often in China or Hong Kong.
Phone Calls may also be Used to add “legitimacy”

In some cases, the email will mention that a representative of an intermediary body will be getting in contact by phone with details of the transfer. Once the employee replies to the email, the fraudster calls the individual, posing as the person mentioned in the email who supposedly works for a professional services firm like PWC.

The employee feels flattered that they have been trusted by the CEO and carries out the transaction swiftly to impress their boss.

At some point in the near future, the large and unrecognised transaction will be scrutinised, it turns out there was no big deal, and the firm realises they have lost a large amount of money.

Examples to be wary of

So far, the following domain names have been used by the fraudsters to impersonate an intermediary for the deal. If any emails come from these, they are not legtimiate and not associated with Pricewaterhouse Coopers or PwC Legal:

@pwc-ukglobal.com and @pwc-office.com

This is by no means exhaustive, and the fraudsters may choose to impersonate another firm who will be assisting with the “deal” such as Deloitte or KPMG.

The fraudsters may not even use this approach, and the crime may be completely carried out using the first email posing as the CEO. In this case the sender name will be that of the CEO, but the email account will usually be from something unfamiliar, or a yahoo or gmail account (so they can receive the replies).

How to prevent this from happening to you
  • Tighten up processes – Ensure your processes for transferring money are as robust as possible.  
  • Be on your guard for payment requests that are unexpected or irregular, whatever the amount involved.