Spot the difference: Protecting your business from CEO fraud emails

These targeted attacks can be an enormous threat to small companies; as the BBC recently reported, just one attack could cost your business more than £11m. The most convincing of these fraud emails are dangerous precisely because they are difficult to detect: they are designed to look like an email from your boss.

In essence, CEO fraud is when an attacker sends an email that pretends to come from the company’s CEO or another senior executive. This is made possible simply by using a popular professional social networking site to discover the name and contact details of the person to be impersonated. Scammers target someone senior in a department such as HR or finance, requesting that sensitive information or money be transferred. The email may also try to get the target to download a malicious file, compromising the business with a single click.

Spot the difference

Telling a CEO fraud email apart from a genuine email from your boss is difficult, as the example below shows. This email is a real scam we have encountered, although the names and addresses have been changed.

While the request in the first image may seem unusual, it is easy to see why an employee would rush to comply. The request for payment is urgent and the message is short and to the point. The target is also discouraged from contacting their boss to verify the payment, as the sender claims to be in a meeting.

One thing you might notice if you were to reply, and which can indicate a scam, is that the Reply-To address is different from the From address.

Using a more direct approach, the example below simply asks for money, and includes all the necessary details to complete the transaction. Like the previous email, it appears to be from the CEO.

Encouraging the target to download malware is increasingly a large part of these fraudulent emails. Combining this tactic with CEO fraud is a stroke of genius, because you are much more likely to download an attachment without question when it appears to come from a colleague or your boss.

These emails include a PDF document containing an image that asks you to update your application. Clicking the image takes you to a Dropbox link, which encourages you to download a malicious, data-stealing executable.

How can I stop this fraud getting into my inbox? 

As CEO fraud emails are far from the generic, easily identified, mass-produced spam that filters are built for, a spam filter will often be of little use in blocking them. However, there are a number of strategies you can put in place to provide protection at your email gateway.

The misspelt domain name

In most cases, cybercriminals will set up a domain name which is very similar to that of your company, usually differing by a single character.

From: “CEO Name” 

To identify these misspellings, regular expressions can be applied to the From: line. Below are two regular expressions for a domain called example.com; the patterns can be copied and adapted to your own domain. In building them I have assumed that the first character is never altered, because a domain with a different first character would not look similar enough to fool anyone.

Character substitution regex

This expression identifies a domain where one of the letters has been replaced. It works by checking each position in turn for a substituted character (for instance [^m] means “any character but m”).

@e(?:[^x]ample|x[^a]mple|xa[^m]ple|xam[^p]le|xamp[^l]e|xampl[^e])\.com

Character addition regex

This expression identifies a domain where a single character has been added. It works by allowing an optional extra character, written as “.?”, between each pair of letters, so the domain still matches with one character inserted anywhere.

Unrelated From address, but CEO name in From line

This is where the CEO’s name appears in the “real name” part of the From line (perhaps together with the CEO’s email address), while the actual From: address is unrelated to the company.

From: “CEO Name” or From: “ceo.email.address@example.com” 

To identify this sort of attack, header regular expressions can be used to look for the CEO’s name or email address in the From line, combined with an inbound rule. A secure email gateway has the concept of an inbound message, one addressed to a local recipient. From the gateway’s point of view the CEO should typically never be sending inbound mail, only outbound mail. The regex can be fairly simple, like the one below.
CEOsName|ceo\.email\.address@example\.com
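As an added, runnable illustration of the three gateway checks above (not code from the article or from Trustwave), the Python below applies the substitution pattern as given, an addition pattern constructed from the article’s description, and the CEO-name-plus-inbound rule to some constructed From: lines. The domain example.com, the display name “CEO Name” and all sample addresses are assumptions.

```python
import re

# Pattern from the article: one letter of "example" substituted, first letter kept.
SUBSTITUTION_RE = re.compile(
    r"@e(?:[^x]ample|x[^a]mple|xa[^m]ple|xam[^p]le|xamp[^l]e|xampl[^e])\.com$", re.I)
# Constructed from the article's description (an assumption, not the article's own
# text): an optional extra character ".?" is allowed between each pair of letters.
ADDITION_RE = re.compile(r"@e.?x.?a.?m.?p.?l.?e\.com$", re.I)
# Pattern from the article, with "CEO Name" standing in for the real executive's name.
CEO_RE = re.compile(r"CEO Name|ceo\.email\.address@example\.com", re.I)
OWN_DOMAIN = "example.com"  # the protected domain (assumption)

def from_address(from_header):
    """Return the bare, lower-cased address from a From: value, with or without <>."""
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).strip().lower()

def lookalike_domain(addr):
    """Name the lookalike pattern matched, or None (the genuine domain is excluded first)."""
    if addr.rsplit("@", 1)[-1] == OWN_DOMAIN:  # ADDITION_RE matches the real domain too
        return None
    if SUBSTITUTION_RE.search(addr):
        return "substitution"
    if ADDITION_RE.search(addr):
        return "addition"
    return None

def triggered_rules(from_header, inbound):
    """Rules a gateway would fire for this From: line; inbound = addressed to a local user."""
    rules = []
    hit = lookalike_domain(from_address(from_header))
    if hit:
        rules.append(hit)
    if inbound and CEO_RE.search(from_header):  # the CEO should never arrive inbound
        rules.append("ceo_inbound")
    return rules

# Constructed sample From: lines, paired with whether the message was inbound.
SAMPLES = [
    ('"CEO Name" <ceo.email.address@exanple.com>', True),   # one letter substituted
    ('"CEO Name" <ceo.email.address@exxample.com>', True),  # one letter added
    ('"CEO Name" <bob.jones@mailhost.net>', True),          # unrelated address, CEO name
    ('"CEO Name" <ceo.email.address@example.com>', True),   # real address, but inbound
    ('"CEO Name" <ceo.email.address@example.com>', False),  # genuine outbound mail
    ('"Alice" <alice@example.com>', True),                  # ordinary colleague
]

if __name__ == "__main__":
    for header, inbound in SAMPLES:
        print(f"{header:48} inbound={inbound!s:5} -> {triggered_rules(header, inbound)}")
```

Neither pattern catches a dropped letter such as exampl.com, so a deletion pattern built the same way is a sensible third rule; the inbound flag must come from the gateway’s own routing decision, not from the message.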

Spread the word!

Implementing software and rules to block CEO fraud emails is only part of the solution. Everyone in the workplace must be made aware of this type of email attack and how to tell a fraudulent email from the real deal. Additionally, companies must be clear about how they want their staff to react in these situations – they need to develop explicit policies for how payments are verified and how sensitive information is handled. With concrete policies in place, staff will be much more likely to question an odd email, even if it means annoying the boss.

Karl Sigler is threat intelligence manager at Trustwave.
