How to turn the tables on fake CEO scammers

Graham Cluley


How to turn the tables on CEO wire transfer scammers

CEO wire transfer scams (also sometimes known as whaling attacks, BEC, or Business Email Compromise) are becoming a big problem.

Scammers, impersonating a CEO or other high-up executive inside a company, send an urgent request to a more junior member of staff, urging them to forward sensitive information or transfer a large amount of money.

The problem is that no-one likes to say “no” to the big boss.

As a result, some companies have had many millions of dollars stolen from them – recently, for instance, I wrote about a European firm which lost 40 million Euros after it was targeted by an email scammer.

Security consultant Florian Lukavsky decided that it was time to fight back against attacks like this, and told the HITB conference how he created a boobytrapped PDF file, capable of grabbing information from any computer on which it was opened.

The Register takes up the story:

“Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters,” Lukavsky says.

“We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information.”

“We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook.”

The information gathered was shared with police, who later arrested the perpetrators.

Lukavsky recommends that companies put in place a variety of organisational and technical defences to prevent themselves from becoming the victims of BEC.

These include:

  • Raising staff awareness of the threat, and common techniques used by scammers.
  • Defining processes for making legitimate payments.
  • Enforcing strict use of business email addresses for business purposes.
  • Not accepting emails with your domain from foreign mail servers.
  • Fully implementing email authentication, making it harder for criminals to spoof your company’s domain name in the “From” field.
  • Using email signatures / encryption (S/MIME / PGP).
  • Marking external emails in the subject line.
  • Strong authentication for web mail users.
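As an added example (not taken from Lukavsky's slides or from this article), three of the defences above can be combined into one decision at the inbound mail gateway: refuse your own domain from foreign servers unless it authenticated, trust only your own gateway's authentication verdict, and mark everything else as external. The domain `example.com`, the gateway identifier `mx.example.com`, the `[EXTERNAL]` tag and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"        # assumption: the organisation's mail domain
OUR_AUTHSERV = "mx.example.com"   # assumption: authserv-id our own gateway stamps
TAG = "[EXTERNAL]"

def dmarc_result(msg):
    """dmarc= verdict from our gateway's Authentication-Results, else 'none'."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV:
            continue  # stamped by someone else: the sender could have forged it
        found = re.search(r"\bdmarc=(\w+)", results)
        if found:
            return found.group(1).lower()
    return "none"

def apply_policy(raw):
    """Policy for mail arriving from outside servers: (verdict, subject)."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    sender = parseaddr(msg.get("From", ""))[1]
    from_domain = sender.rpartition("@")[2].lower()
    if from_domain == OUR_DOMAIN:
        # Our own domain from a foreign server: accept only if DMARC passed,
        # which keeps relays that preserve our DKIM signature working.
        verdict = "deliver" if dmarc_result(msg) == "pass" else "reject"
        return verdict, subject
    if not subject.startswith(TAG):
        subject = f"{TAG} {subject}"
    return "deliver", subject

# Constructed sample messages (not real traffic).
SPOOFED = (
    "Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail\n"
    "Authentication-Results: relay.invalid; dmarc=pass\n"
    "From: The CEO <ceo@example.com>\nSubject: Urgent wire transfer\n\nPay now.\n")
RELAYED = (
    "Authentication-Results: mx.example.com; spf=fail; dkim=pass; dmarc=pass\n"
    "From: Alice <alice@example.com>\nSubject: Re: project list\n\nHi all.\n")
LOOKALIKE = (
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
    "From: The CEO <ceo@examp1e.com>\nSubject: Urgent wire transfer\n\nPay now.\n")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("relayed", RELAYED), ("lookalike", LOOKALIKE)]:
        print(name, apply_policy(raw))
```

The lookalike message passes authentication for its own domain, so only the subject tag tells the recipient it did not come from inside the company.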

For more information, check out the slides from Lukavsky’s presentation.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

8 Replies to “How to turn the tables on fake CEO scammers”

  1. I've used the process of scamming the scammer. I did this when I was contacted by a scammer who was acting as a real estate agency for a property in Mexico. I reverse engineered the process and discovered that the scammer, who called himself Reverend John Tony, was actually Lillian Hernandez who lived in Yonkers, New York. I was able to get her bank account information and once I did, I called her bank and forwarded them the entire email thread. I also did the same with Yahoo. Rev Tony, a.k.a. Lillian Hernandez vanished like a puff of smoke and I never heard from him/her again. Score one for a potential victim.

  2. Hmmm. PDF files to booby trap the scammers. How do we *really* know those PDF files at the end of the article are slides from Lukavsky's presentation?

    ;)

    All kidding aside, it's wonderful to hear when the scammer gets what he/she deserves.

  3. The problem with this "Not accepting emails with your domain from foreign mail servers." is that this is precisely how email reflectors work. You work on a collaborative email server with other external companies and your own emails come back to you and your colleagues, sourced from your domain but redistributed. Blocking these causes a problem…

    1. If you use DKIM, DMARC and SPF in conjunction with each other then you won't find your emails blocked.

      It's best practice to configure these but seeing all three configured correctly is rare. It's not difficult and is mainly down to the incompetence of system administrators / lack of knowledge / use of legacy systems.

  4. "Scammers should be just as cautious of PDFs as the rest of us"

    Quite so. Oh look, here's another Graham Cluley article with the title
    "Dell has acquired RSA – download a PDF to read all about it".

    A good thing I trust Graham not to mess with his loyal fans :)

  5. FYI – The live presentation by Florian Lukavsky, titled 'Fake President Fraud Defrauded', dated September 13, is available on YouTube. It is just over 28 minutes duration:
    https://youtu.be/HQwh5whOAr4
