Targeting the head of a company has never been so profitable, according to a warning issued by the FBI in January which has now been revisited due to a 270 percent increase in victims detected / exposed losses.

However, it’s not what you think – the criminals aren’t sending mails trying to fool the boss into signing up to a 419 “You’ve won millions, honest” fakeout.

They’re pretending to be the boss, and asking other employees to wire money in a hurry. The emails are hard to detect and likely won’t be flagged by spam filters as they’re highly targeted. They’re also being sent from the supposed CEO to another employee, instead of the other way around.

Many people expect scams to work their way up a chain of command, and this unexpected nature of the attack – along the social engineering pressure being lightly exerted (“Oh hey, the boss asked me to do something so I better do it…”) means this is cash in the bank for the people behind it.

Once the scam is done and dusted, the money has most likely been sent in the direction of China / Hong Kong, and is as good as gone. This technique has been around since at least 2013, but doesn’t seem to be very well known in comparison to other types of criminal activity and has so far racked up $750 million from 7,000+ victims over the last two years.

That’s an awful lot of fictitious CEOs floating around the workplace.

Here’s how the scam works:

  1. The scammer registers a URL which looks like the real thing. Think typosquatting, but with large pots of money being the goal instead of random spam redirects and imitation search engines. They’ll use this URL to send their imitation email from when we hit step 3.
  2. They build up a picture of the CEO they’re claiming to be. This can be aided by phishing and / or Malware, but where that’s not an option they can also be helped along in cases where the CEO is a known public figure. Of course, the less they do in terms of potentially noticeable activity the more chance they have of getting away with it. Once they start bogging down their otherwise clean data collection process with phish attempts and targeted Malware all bets are off.
  3. At this point, fake mails asking for wire transfers are sent to members of staff, typically related to finance and often tinged with a distinct sense of “I need this money now because of x, y and z”. As mentioned earlier, a lot of companies would accept that the boss actually is the boss, and not an imitator. They’re relying on nobody wanting to make themselves look foolish by questioning the CEOs request – despite that act of verification being the very thing that could save your company from taking a painful financial hit.
  4. Congratulations, you have lost a terrifying amount of money.

Scammers actually tried something along these lines on our very own CEO back in July (they failed, of course). With total losses now hitting somewhere in the region of $1.2B, there’s never been a better time to shore up your money transfer defences.

Find out why Hong Kong is a popular base of operations for the scammers, check out some of the ways you can prevent wire fraud [PDF], and take note of some of the other ways crooks can burrow into your finances.

It only takes one email to start a chain reaction which could devastate your company finances – if you don’t put a robust system of verification in place, your business might find itself added to the ever growing FBI list of known victims wondering where all the money went.

Have you been targeted by something like this? If so, feel free to let us know in the comments. The tactics you expose could help save someone from a bad day in the finance department…

Christopher Boyd