Wednesday, 30 August 2017

When the CEO is not who they seem

In June 2015, the US-based technology company Ubiquiti incurred a loss of over $46 million, as a result of a scam involving an e-mail sent to the company’s finance department, purporting to be from an employee[1]. In this type of scam, the e-mail usually claims to originate from an executive or other senior member of staff, and instructs a member of staff to make a payment transfer – allegedly to cover a corporate transaction – but which actually passes the funds into an account under the control of the fraudster.

The FBI has stated that attacks of this nature typically cost companies between $25,000 and $75,000 per incident, with an estimated total loss of over $2 billion over the three-year period to 2016[2]. These scams are often made more convincing by the use of a specially-registered, brand-specific domain name, which can be used to construct a plausible ‘from’ address for the e-mail, or by ‘spoofing’ the originating e-mail address so that the message appears to have been sent from an account within the company’s own official domain. Organisations can mitigate the risks associated with such techniques (to some degree) by implementing a policy of purchasing defensive domain-name registrations, by proactively monitoring for the registration by third parties of cybersquatted or typosquatted variants of the company’s official domain name, and by deploying technical controls such as DMARC, whose reporting mechanism provides visibility of cases in which the company’s domain has been spoofed. Part of the solution is also raising awareness amongst employees of this type of scam, together with policies such as two-factor authentication (e.g. confirming details by a direct telephone call in cases where money transfers are to be made).
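As an added illustration of the two technical controls mentioned above (watching for look-alike domains, and checking what a DMARC record actually enforces), the following Python example is not from the original post. It builds a watchlist of typosquatted variants for a hypothetical brand domain (`example-corp.com`, an assumed name) and parses constructed DMARC records to report whether the policy is monitor-only or enforcing. The look-alike substitution table and the list of alternative TLDs are small illustrative assumptions, and the DNS lookups a real monitoring job would run against the watchlist are left out so that the code runs offline.

```python
"""Look-alike domain watchlist and DMARC policy check (added example).

Assumptions: the brand domain "example-corp.com" and both DMARC records
below are constructed for illustration; LOOKALIKES and TLD_SWAPS are
deliberately small tables, not an exhaustive homoglyph list.
"""
from typing import Dict, List, Set

# Substitutions that commonly survive a casual glance at a 'from' address.
LOOKALIKES: Dict[str, List[str]] = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "rn": ["m"], "w": ["vv"],
}

# Alternative TLDs worth registering defensively or monitoring.
TLD_SWAPS = ["co", "net", "org", "cm"]


def lookalike_domains(domain: str) -> Set[str]:
    """Return candidate cybersquatted/typosquatted variants of `domain`.

    Covers omission, transposition, duplication, look-alike substitution,
    hyphen removal and TLD swaps; the genuine domain is never included.
    """
    label, _, tld = domain.rpartition(".")
    variants: Set[str] = set()
    for i in range(len(label)):                       # character omitted
        variants.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                   # neighbours swapped
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                       # character doubled
        variants.add(label[:i] + label[i] + label[i:])
    for src, dsts in LOOKALIKES.items():              # look-alike glyphs
        start = label.find(src)
        while start != -1:
            for dst in dsts:
                variants.add(label[:start] + dst + label[start + len(src):])
            start = label.find(src, start + 1)
    variants.add(label.replace("-", ""))              # hyphen dropped
    # Discard the genuine label and anything that is not a valid hostname label.
    result = {
        f"{v}.{tld}" for v in variants
        if v and v != label and not v.startswith("-") and not v.endswith("-")
    }
    result.update(f"{label}.{t}" for t in TLD_SWAPS if t != tld)
    return result


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record ("v=DMARC1; p=...; ...") into tag=value pairs."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    return tags


def dmarc_posture(txt: str) -> Dict[str, object]:
    """Summarise what the record buys the defender.

    p=none only produces reports; spoofed mail is still delivered. pct= applies
    to quarantine/reject, so anything below 100 leaves part of the mail
    stream unenforced. Without rua=/ruf= there is no visibility at all.
    """
    tags = parse_dmarc(txt)
    pct = int(tags.get("pct", "100"))
    return {
        "policy": tags["p"],
        "enforced": tags["p"] in ("quarantine", "reject") and pct == 100,
        "reports": bool(tags.get("rua") or tags.get("ruf")),
        "coverage_pct": pct,
    }


if __name__ == "__main__":
    for d in sorted(lookalike_domains("example-corp.com")):
        print("watch:", d)
    # Constructed records: one monitor-only, one enforcing.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc-rpt@example-corp.com",
                "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-rpt@example-corp.com"):
        print(rec, "->", dmarc_posture(rec))
```

In practice the watchlist would be fed to a scheduled job that resolves each candidate (or checks WHOIS/certificate-transparency logs) and alerts on new registrations, while the DMARC check is the first thing to run against the company's own domain: a record at `p=none` with no reporting address gives neither enforcement nor visibility.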

The ‘CEO e-mail’ scam is unfortunately only one type of online scenario in which company employees are impersonated for fraudulent gain; the occurrence of the fake social-media profile is also becoming much more common. Indeed, the use of fake profiles on networking sites such as LinkedIn can be one way in which fraudsters can establish networks of contacts, with a view to identifying suitable candidate recipients for their highly-targeted scam e-mails.

Fake company-executive profiles on social media can also be used by cybercriminals in a number of other different ways, e.g.: (i) comprising an element of a highly-convincing advance-fee fraud; (ii) as a way of using social engineering to extract sensitive company information; or (iii) as a means of collecting contacts for the distribution of malware.

A study published at the end of 2016 found that, of the Fortune-500 company CEOs with a presence on Twitter and/or LinkedIn, 19% were represented by multiple Twitter accounts and 9% by multiple LinkedIn accounts, with the inference being that many of these duplicate accounts were likely to be fakes[3].

The scale of this issue highlights the importance of companies putting in place a programme of monitoring for the online appearance of fraudulent profiles. Once identified, it is often possible to have the fake content removed, by sending a takedown notice to the social-media site in question, many of which will consider impersonation or fraud to be grounds for deactivation of an account.

As with many types of fraud, individual employees can also be encouraged to be on the lookout for suspicious activity. On social media, non-legitimate profiles may feature a number of indicators that they are not genuine, such as unusually small numbers of contacts, ‘friends’ or endorsements for the profile, a lack of detail or accuracy in the profile’s history, or the use of an account which is neither ‘premium’ nor ‘verified’[4].
