Blog

Why CEO Impersonation Attacks are So Hard for Spam Filters to Catch

Why CEO Impersonation Attacks are So Hard for Spam Filters to Catch

05/01/2018

 

Why CEO Impersonation Attacks are So Hard for Spam Filters to Catch

CEO Impersonation attacks, including wire fraud attacks, have become a favorite for cybercriminals because of the potential of a huge payday. A successful attack usually means tricking the victims out of thousands of dollars—we’ve seen up to $100,000 taken. And they’re almost impossible for even the best email filters to catch.

A CEO impersonation attack (sometimes called business email compromise (BEC) scams) is where the attacker pretends to be the CEO or another high-level official and emails someone lower down in the organization. They will request urgently request something—typically money sent via wire transfers, though personnel files or other sensitive information does come up sometimes.

Even the most robust filters built to catch malicious content can’t catch most wire fraud emails—because, in the filter’s eyes, there isn’t anything to catch. Email filters look for malicious links and attachments. Most CEO impersonation attacks don’t use these in their attack. To a filter, these emails are completely innocuous.

The one place where you may be able to catch these is if the attacker uses a spoofed email to carry out the attack. Spoofing is when the attacker makes it look like the email is coming from the CEO’s real email when it’s really not. Some email programs or filters allow you to flag email addresses that should never be spoofed.

Where it gets even harder to catch these emails is when the cybercriminal has done their research and gotten access to a real account—which is becoming increasingly common. The way they usually do this is by targeting high-level officials with phishing attacks with fake login screens to trick the victims into giving up their credentials.

We’ve also seen versions where the attackers will get into the account of a lower level employee, like an admin assistant, with send-as privileges. They’ll use the send-as privileges to send CEO impersonation attacks that look like they’re coming from the CEO.

Again – even the best email filter isn’t going to catch these attacks since the emails are coming from a legitimate source. There isn’t anything that appears malicious to your email filters.

So what can you do?

As the person receiving the emails, there isn’t a whole lot you can do about CEO impersonation attacks and other wire fraud scam outside of being careful and taking a second look at emails. Never wire money based on an email alone—always get at least a voice confirmation from the person requesting the wire transfer.

We do still absolutely recommend putting filters in place that scan your emails for malicious links and attachments—these phishing attacks are still a very real threat. For Office 365 users, we recommend Office 365 Advanced Threat Protection (this is what we used in our own business).

We also recommend implementing multi-factor authentication, which protects your account even if someone has your username and password. This will prevent a cybercriminal getting into your account and using it to launch other attacks (and stealing information while they’re in there). At a minimum, this should be implemented for any executives/VIPs, anyone with admin access, anyone with access to personnel or financial information, and anyone with send-as privileges for email.

As a company, having very clear—and very strict—policies around when you can wire money (no matter who the request is from) can help your team know what’s real and what isn’t. Your team should also get cybersecurity training, so they know the warning signs of an attack.

There is never a 100% guarantee when it comes to cybersecurity, but preventative measures, comprehensive training, and clear policies can go a long way to preventing an attack from hurting your business.

 

On-Demand Cybersecurity Training

 

   
Ultimate Guide to Small Business Cyber Security