Phishing

Phishing technique: Message from the boss

March 12, 2020 by Fakhar Imam

Is it possible for you to ignore an email sent by your boss? Phishers are betting that you would not, which is why they keep getting better at mimicking those emails. According to the FBI, there has been a surge in “CEO fraud,” an email scam in which fraudsters spoof a message from the boss to trick employees into sending money to an account the attacker controls. The FBI estimated that companies lost $2.3 billion to such email scams over the preceding three years.

The scam can be hard to spot. Email security company Vade Secure notes that scammers can write just like your boss, even congratulating you on a new promotion or asking how your recent vacation went, while the real aim is to extract funds or company secrets.

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

In this article, we will shed light on how the phishing type “message from the boss” works. We’ll look at how to spot the potential red flags, some examples of this scam, the methods of attack and what preventive measures are available to you.

How does this scam work?

Typically, this scam works in three steps:

  1. Scammers identify corporate executives (the boss, the CEO, senior managers) and gather their names, email addresses and job functions and, where they can, their usernames and passwords
  2. They impersonate that trusted boss and email subordinate employees with a request
  3. They collect the money or data the victim sends, often routing funds through third-party accounts (money mules) so that the proceeds are harder to trace

According to Vade Secure, fraudsters often do not even need to spoof the corporate domain: they simply create accounts on free services such as Yahoo, MSN or Gmail and set the display name to the executive’s name.

Scammers bet that the targeted employees will not look at the full email address. Many mobile mail clients show only the sender’s display name in the “From” field, not the address behind it, so a familiar name looks the same whether the message came from the company domain or from a free webmail account.

Red flags

Phishing emails may look harmless, but they are designed to trick users into opening a malicious attachment, clicking a link or handing over sensitive information. How do you know whether the email in your inbox is legitimate or fraudulent? Here are some tips:

  • Be wary of an email from your boss that stresses a time-sensitive issue or sudden urgency; pressure to act now is a classic sign of a fraudulent email. According to the FBI, phrases such as “urgent invoice payment” and “urgent wire transfer” are commonly used for this purpose
  • Spoofed URLs and email addresses are often very close to the company’s real ones, differing by a single character, for example a zero in place of an o: @micr0soft.com rather than @microsoft.com
  • A slight alteration of the corporate name is another red flag, such as Unillever instead of Unilever
  • Email scams often contain misspellings and awkward wording
  • To foil verification, scammers head off a call back to the boss by claiming that he or she has limited phone coverage or is in a meeting (see the following screenshot)

[Screenshot: scam email in which the supposed boss says he cannot take a call. Source: CNBC]
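The red flags above can be turned into a mechanical screen that runs over inbound mail before a human ever reads it. The following is an added example, not code from the article or from any product it names: it parses the From header, compares the sender domain with the organization’s real domain (homoglyph swaps such as a one for an l, and one- or two-character edits such as a doubled letter), flags a known executive’s name sitting on an external address, and scans the subject and body for the urgency, cash-out and “don’t call me” phrases listed above. The organization domain `example.com`, the executive names and the three sample messages are all constructed for illustration.

```python
"""Heuristic screening of inbound mail for "message from the boss" red flags.

Added example; the domain, executive names and sample messages below are
constructed for illustration and are not taken from the article.
"""
import email
import email.utils

TRUSTED_DOMAIN = "example.com"          # assumed: the organization's real domain
EXECUTIVES = {"jane doe", "john roe"}   # assumed: names a scammer would impersonate

URGENCY = ("urgent", "asap", "immediately", "right away", "time-sensitive")
CASH_OUT = ("wire transfer", "gift card", "direct deposit", "invoice payment", "routing number")
NO_CALLBACK = ("in a meeting", "limited service", "limited coverage", "can't talk", "don't call")

# Characters commonly swapped into lookalike domains, mapped back to the
# letter they imitate (zero for o, one for l, "rn" for m, "vv" for w).
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")]


def normalize_domain(domain: str) -> str:
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower()
    if domain == TRUSTED_DOMAIN:
        return "trusted"
    # Homoglyph substitution (micr0soft.com) or a doubled/dropped letter (unillever.com)
    if normalize_domain(domain) == TRUSTED_DOMAIN or edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        return "lookalike"
    return "external"


def screen_message(raw: str) -> list:
    """Return the red flags raised by one RFC 5322 message (empty list = none)."""
    msg = email.message_from_string(raw)
    display_name, address = email.utils.parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2]
    flags = []

    verdict = classify_domain(domain)
    if verdict == "lookalike":
        flags.append(f"lookalike domain: {domain} vs {TRUSTED_DOMAIN}")
    # The mobile-client trap: a familiar name in the display name, but the
    # address itself lives on a free webmail or otherwise external domain.
    if display_name.strip().lower() in EXECUTIVES and verdict != "trusted":
        flags.append(f"executive display name on external address: {address}")

    # Collect every text/plain part (a non-multipart message walks as itself).
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    text = "\n".join(parts).lower()

    for label, phrases in (("urgency", URGENCY), ("cash-out request", CASH_OUT),
                           ("discourages callback", NO_CALLBACK)):
        hits = [p for p in phrases if p in text]
        if hits:
            flags.append(f"{label}: {', '.join(hits)}")
    return flags


# Constructed sample messages (not real mail).
LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Q3 planning

Can you send me the draft slides when you get a chance?
"""

FREEMAIL_BOSS = """From: Jane Doe <jane.doe.ceo@gmail.com>
Subject: Urgent request

I need you to buy six gift cards for client thank-yous and send me the codes ASAP.
I'm in a meeting all day so don't call, just reply here.
"""

LOOKALIKE = """From: John Roe <john.roe@examp1e.com>
Subject: Urgent wire transfer

Please process the attached urgent invoice payment by wire transfer before 3pm.
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("freemail", FREEMAIL_BOSS), ("lookalike", LOOKALIKE)):
        print(name, screen_message(sample) or ["no flags"])
```

A screen like this is a triage aid, not a verdict: the legitimate message raises nothing, while the free-webmail and lookalike samples each raise several flags at once, and it is the combination (external sender plus urgency plus a cash-out request) that should route the mail to a human for the out-of-band phone check recommended later in the article.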

Methods of attack

Scammers use several techniques to trick users into revealing sensitive information or making financial transactions. Below are some techniques:

  • Gift cards are a favourite cash-out method because the codes can be redeemed or resold quickly and are hard to trace. If an email from your boss asks you to buy some for work, treat it as a likely scam; the FBI has already issued a warning about gift card scams
  • Scammers often target the Human Resources (HR) department, trying to persuade staff to change an employee’s direct deposit details to an account the scammers control. CNBC reported that the HR department of KVC Health Systems receives fraudulent emails of this kind, purporting to come from executives, around two to three times a month

Examples of CEO fraud (boss) phishing

One example involved a phisher impersonating the police department of Tredyffrin, PA, to phish Philadelphia residents. The emails purported to be notices of speeding violations sent by the department. The department denied sending them, and the messages were later confirmed to be the work of fraudsters.

Another example comes from the popular app Snapchat, where an attacker impersonating CEO Evan Spiegel emailed the company asking for employee information, including direct deposit bank details, social security numbers and salary data, and data on many employees was handed over.

Remedies: The cure for CEO fraud phishing scams

Scammers are smart, but you can be even smarter than them.

  • John LaCour, a founder and chief technology officer of PhishLabs, said “Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees.”
  • Adrien Gendre, chief solutions architect at Vade Secure, says organizations must set policies for verifying emails that carry sensitive requests, even when the message sounds like your boss. A sound approach is to phone the boss, on a number you already have rather than one given in the email, before sending critical data or transferring money. Don’t accept excuses such as “I’m in a limited service area” that are meant to rule out a quick verification call
  • Check every sender address carefully, especially on mail that appears to come from your boss or demands a money transfer
  • Treat urgent or threatening tones in email with suspicion
  • Watch for bad grammar and typos in the message and in domain names
  • Always use two-factor authentication on business email accounts, so that a stolen password alone does not let an attacker send mail as the boss
  • Use a security suite that includes email spam filtering, such as SolarWinds MSP Mail Assure, Symantec Mail Security for Microsoft Exchange, Comodo Dome Antispam, SPAM fighter, MailCleaner, SpamTitan and Trend Micro Smart Protection Complete Suite

Conclusion

A message from the boss should be analyzed carefully before you respond or act on it. Negligence may cost you your job and reputation and leave a lasting mark on your career.

In this article, we discussed how CEO fraud works, potential red flags such as time-sensitive or suddenly urgent requests and spoofed sender addresses, and different methods of attack, including gift card requests and targeting the HR department.

This type of scam can be avoided if organizations and employees take proactive measures such as robust training, policies for verifying sensitive requests, two-factor authentication and a security suite with email spam filtering.


Fakhar Imam

Fakhar Imam is a professional writer with a Master of Science in Information Technology. To date, he has written on a variety of topics, including computer forensics, CISSP and other IT subjects.