The boss trick: How CEO fraudsters cash in on emails in Germany

Business E-Mail Compromise (BEC) describes scams in which criminals pose as the boss, deceive employees and steal large sums of money through transfers they instruct. CEO fraud is only one variant of BEC. What the variants have in common: criminals pose by e-mail as a privileged person (CEO, lawyer, customer) and request information or actions from employees in the finance department.

A CEO fraud e-mail to the accounting department could look something like this: “Hello XYZ, we are about to take over a company. Due to your great work and your discretion, you will take over the accounting part of the project. Many greetings, ZZZ.”

Here XYZ is the first name of an existing employee in the finance department of the attacked company, and ZZZ is the name of the managing director or chairman of the board (CEO, Chief Executive Officer) or of the chief financial officer (CFO). The senders of the messages are not the CEO or CFO but criminals who have previously researched the names of the finance department's employees, mostly via social media, and then send instructions by e-mail under a forged sender in the name of the CEO or CFO.

What all these messages have in common is that they flatter the recipients ("I remember you as a particularly reliable, capable colleague") and swear them to absolute secrecy. Nobody in the company is supposed to know anything about the "strategic project" that management is currently working on. The employees concerned may communicate only with the sender, the alleged managing director or chief financial officer, and only by e-mail, never by phone. Supposedly for the sake of confidentiality and, ironically, better documentation of the communication: "Compliance regulations, you surely understand." The real reason is a different one: if the addressee picks up the phone to check with the supposed sender, the attempted fraud is exposed at once.

The CEO emails are not mass-produced

Because the fraudulent e-mails are aimed at individual employees, spam filters usually stand no chance: the messages simply disappear in the background noise of daily e-mail traffic. Added to this is the social component: the fraudulent e-mails are mostly convincingly written and, through their mixture of flattery, secrecy and pressure, cleverly exploit human weaknesses. That is why employees fall for the fraud again and again and are highly motivated to carry out the transfer orders.

Michael Schneider confirms that the e-mails sent as part of a CEO fraud are qualitatively different from the usual Nigerian-scam, Viagra and dating spam. He is Associate Director IT & Security at the watch manufacturer IWC Schaffhausen and has been successfully fighting CEO fraud for years. The company is a very attractive target for BEC and other social engineering attacks. Thanks to early training and monitoring measures, all e-mails of this kind have so far come to nothing: “Most of the e-mails are deceptively real at first glance. Written in perfect German, the names of recipient and sender match and the greeting of the alleged sender also matches.” Every week, employees forward such e-mails to Schneider's team.

In other cases, too, such e-mails did not arouse suspicion at first. For example, they correctly used the form of address (formal or informal) customary in the respective company. This suggests insider knowledge, such as that obtained from leaked e-mails or through Trojan infections. As a spokeswoman for the Federal Criminal Police Office (BKA) told c't, in the past criminals used information that companies publish in annual reports, in the commercial register, on their homepage or in advertising brochures to prepare their actions. "They pay particular attention to information on business partners and future investments," said the spokeswoman. Even out-of-office e-mails are of interest, since patterns of availability can be derived from them. According to the BKA, social networks in which employees disclose their function and activities or personal details are also an important source of information.

Bakers, but also Google and Facebook, are among the victims

The list of employers whose employees fell for the scam is long and prominent. From the criminals' point of view, the high score is certainly held by the now almost 50-year-old Lithuanian fraudster Evaldas Rimasauskas: over the course of two years, he and unknown accomplices relieved Facebook and Google of over 120 million US dollars. He did so with another BEC variant: the fraudsters pretended to be employees of a legitimate supplier of the victim company, in this case the Taiwanese computer manufacturer Quanta Computer, which in real life most likely supplies custom-built servers to the internet giants. Using bogus invoices and e-mail addresses whose sender domain resembled the original domain name, the criminals extracted a good 100 million US dollars from Facebook and over 20 million US dollars from Google.

German companies are also affected. One example is the Hofpfisterei bakery chain, well known in southern Bavaria: an accountant transferred 1.9 million euros to the fraudsters' account at a bank in Hong Kong. The automotive supplier Leoni AG even had to write off 40 million euros lost to CEO fraud. As a representative of the specialty insurer Euler Hermes told the business magazine Capital, the amounts of damage reported by those affected in Germany range between 750,000 and 15.5 million euros.

The US federal police (FBI) estimates that in 2018 CEO fraud caused 12 billion US dollars in losses worldwide. According to the latest federal report on economic crime by the BKA, from 2017, Germany accounted for around 24 million euros in damage in the previous year. In view of the presumably high number of unreported cases (many victims do not file a report for fear of damage to their image), the actual amount of damage is likely to be higher. The BKA is convinced that the effectiveness of the awareness-raising measures carried out so far by law enforcement can be seen in the increasing number of offences that remain at the attempt stage. "In the successful cases known to the BKA, quick action by various institutions and cross-border police cooperation prevented fraudulently obtained funds amounting to 26 million euros from actually reaching the perpetrators," explains a BKA spokeswoman.

The variant: "All invoices, please"

Despite a possibly lower chance of success, perpetrators keep trying. At IWC Schaffhausen, e-mails that again supposedly came from the CFO recently made it into mailboxes. They did not ask for transfers as part of a company takeover, however, but for a list of all invoices received in the last four weeks. What for? With this BEC variant, criminals gain an overview of the company's suppliers and a feel for the regions in which the invoiced services are located.

This information is an indispensable basis for the fraudsters' next step: by e-mail, they pose as an employee of one of the more promising suppliers (much like the Lithuanian criminal) and ask for changes to the master data the victim company has on file. Specifically: the bank details. If the accounting department complies with the request, the tricksters only have to wait for the next invoice from the legitimate supplier. The money is then automatically transferred to the fraudsters' account. Typically, this is only discovered when the actual supplier sends a payment reminder. The example of a European provider of antivirus software shows that this method works even with well-informed companies: the accounting staff suspected nothing and changed the master data in the SAP ERP system as requested by the criminals.

Defences against CEO fraud

Once you are familiar with the methods behind CEO fraud, you should be able to spot the pattern straight away. Informing the workforce about this and other scams is therefore essential for Michael Schneider from IWC: “We have been running an information campaign on all aspects of cyber security for several years. As part of this awareness program, for example through blog posts on the intranet or live hacking, we convey the knowledge that is necessary to ward off the relevant attacks,” explains Schneider. The IT security officer is convinced that the training has made the workforce sufficiently aware to recognize attempted fraud and to forward the corresponding e-mails to the IT security colleagues. According to Schneider, IWC has so far suffered no financial damage from CEO fraud.

In addition, companies must introduce binding processes to nip attempted fraud in the bud. For example, employees in the finance department call back the CEO, CFO or their assistants to confirm that a request is legitimate.

Sonja Catani, managing director of the Swedish pet supplies supplier Hugo & Celine AB, chose a different path: at the beginning of each month, she verbally agrees a code word from the world of food, such as "chocolate spinach", with the employees in controlling. Money only goes out if this code word appears in the transfer request that reaches the accounting department by e-mail.

According to Schneider, employees can also prevent fraudulent messages from ending up in their mailbox in the first place. “Colleagues have to pay attention to what data they disclose about themselves on the Internet. Details about employers, tasks or business trips, for example, are posted on Facebook in such a way that the information is also visible to users outside the direct circle of friends,” he explains.

Details about travel can be misused to make e-mails to employees in the finance department look more credible. Data minimisation should also apply to profiles on the business networks LinkedIn and Xing. No references to a specific department affiliation should be given there, so as not to manoeuvre yourself into the crosshairs of CEO fraudsters. Giving up business-network profiles entirely is not advisable either: fraudsters could then create fake profiles of the people concerned and, in their name, contact real acquaintances and business partners in order to sound them out.

Even though CEO fraud is not a technically sophisticated attack (authorities such as the BKA file the scam under white-collar crime rather than cybercrime), there is still a technical remedy: if a company signs all e-mails with S/MIME or PGP, fraudulent messages can be identified quickly, no matter how convincingly the supposed CEO phrases the instruction. (of)

Recognize CEO fraud and nip it in the bud

There are several signs by which employees can recognise the boss scam:

- The language: If an e-mail arrives in English although the company language is German, alarm bells should ring.
- The return address: If you click on "Reply", e-mail clients typically show the name of the supposed sender and the e-mail address from which the message originates. If you see an address that does not belong to the company, take notice. Attackers can disguise the real e-mail address, however, so this is not a universally reliable sign.
- The request: Has this person ever made a similar request before? Or could he or she obtain the requested data without great effort? In that case too, caution is called for.
- The salutation and the sign-off: If sender and recipient are normally on formal terms, a "Hello XYZ" is suspect. The same applies to the closing formula: does the real sender sign e-mails with their full name, or only with initials or first name? In the event of a deviation, one rule applies: under no circumstances reply to the e-mail.
- Checking back: Before employees approve financial transactions, they should always seek personal contact with management and ask explicitly. This also applies to the disclosure of sensitive information to outsiders.
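As an added example that is not part of the c't article: a short Python check that applies two of the signs above, the return address and a lookalike sender domain of the kind used in the Quanta Computer case, to an incoming message. The company domain, the executive name and the sample e-mail are constructed for illustration.

```python
# Added example (not from the c't article): a gateway-style check for the
# header-level warning signs the article names. Company domain, executive
# list and the sample message below are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"  # constructed
EXECUTIVES = {"anna example": "a.example@example-corp.test"}  # constructed CEO

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def bec_warnings(raw_message: str) -> list:
    """Return the warning signs found in one RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(addr)
    warnings = []
    # Sender outside the company: a near miss of the real domain is a lookalike.
    if from_domain != COMPANY_DOMAIN:
        kind = "lookalike" if edit_distance(from_domain, COMPANY_DOMAIN) <= 2 else "external"
        warnings.append(f"{kind} sender domain: {from_domain}")
    # Display name of a known executive paired with a different address.
    known = EXECUTIVES.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        warnings.append(f"display name '{name}' matches an executive, address is {addr}")
    # Reply-To steering answers to a mailbox the attacker controls.
    if reply and domain_of(reply) != from_domain:
        warnings.append(f"Reply-To diverts answers to another domain: {domain_of(reply)}")
    return warnings

# Constructed sample modelled on the article's "Hello XYZ" CEO message.
SAMPLE = """From: Anna Example <anna.example@examp1e-corp.test>
Reply-To: ceo.office@webmail.test
To: accounting@example-corp.test
Subject: Confidential project

Hello XYZ, we are about to take over a company. Many greetings, Anna
"""
```

For the sample, `bec_warnings(SAMPLE)` returns all three warnings; a message signed by the genuine address and without a foreign Reply-To returns an empty list.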

This article comes from c't 16/2019.