The boss has sent an email marked “urgent” in which she explains to her employee that it concerns a matter that requires a speedy resolution. A lucrative business investment abroad needs to be wrapped up but this requires a large transaction. The email states that complete discretion must be maintained for strategic reasons before word gets out to the general public. It goes on to explain that the employee must first transfer funds from the company account – ultimately because ‘the boss has complete faith in the employee’s skills and discretion’. It ends by instructing the employee once again not to breathe a word to anyone until the ‘boss’ makes contact again… – and you’ve already guessed what happens next. If the employee follows the instructions of the alleged boss, the transferred funds will simply disappear never to be seen again. The initial reaction of most readers is that nobody could possibly fall for this scam! Could they?
Unfortunately, things are rather different in the real world. Identity spoofing has long been used by criminals as a method of attack and with great success – otherwise, it would long since have been abandoned. The key to this approach is the pretence of being a contact of the victim and encouraging them to cooperate. In many cases, criminals do this by urging the victim on and applying pressure. This is designed to induce employees to take rash actions. Such attempts can involve not only money transfers but also the disclosure of confidential information that the attackers can then use for subsequent fraud attempts.
Of course, their tricks are not always successful. Suspicious employees who try to contact the alleged client with queries will quickly expose the fraud. And although many attacks end in failure, the large sums targeted by the cybercriminals mean that just one success more than makes up for dozens of failed attempts. In order to put an end to such attacks, it is vital to raise awareness of them at all hierarchy levels in the company. Employees should know about the attackers’ methods and how they can protect themselves.
How perpetrators apply identity spoofing
As a variation of social engineering, identity spoofing sets out to exploit the human vulnerability. This means that every identity spoofing attack requires painstaking research in advance. Criminals prepare their attacks by collecting details about employees from company websites and business networks such as LinkedIn – including their internal company contacts and business partners. Anyone authorised to execute transactions from business accounts is of particular interest as a potential victim.
When they finally make contact, the perpetrators usually opt for email as the least risky form of communication. Although email accounts are frequently hacked, most perpetrators are quite happy to use a fake sender that appears genuine at first glance. Email signatures that appear legitimate are even easier to copy or forge. With the help of this disguise, the cybercriminals pass themselves off as managers or business partners and draw their victims into a scenario where two things matter above all else: everything must be done urgently and nobody is to be informed.
Additional tricks are used to bypass the usual security measures that verify transactions from the company’s bank account: The victims are asked, for example, to contact a law firm or an external consultant using a specified telephone number. This number connects the hapless victim to the fraudsters, who then pile on the pressure during the ensuing conversation.
Once the perpetrators manage to persuade their victim to complete a money transfer, events move very quickly: the recipients of the illicitly obtained funds swiftly transfer the sum onwards. By the time the fraud is finally revealed after a few hours or days, the money has become untraceable.
Identity spoofing: important keywords
There are a number of important terms to know, which repeatedly crop up in conjunction with identity spoofing. We provide a brief overview below:
What is CEO fraud or fake president fraud?
CEO fraud, also referred to as fake president fraud or bogus boss email, is where fraudsters pretend to be a managing director or chief executive officer. Perpetrators will often exploit information about the boss travelling abroad or being otherwise difficult to reach – some of which can be obtained from posts by executives on social media networks. In such cases, employees will frequently hesitate to reach out to the executive with queries.
What is a business email compromise (BEC)?
Does it involve email attachments containing malware or links that lead to a prepared website? Cybercriminals don’t necessarily need to resort to these types of rudimentary attack methods, which modern security software can easily detect and filter out anyway. When employing business email compromise (BEC), cybercriminals rely on perfectly forged sender addresses, email signatures and disclaimers and expertly drafted formulations to put their victims under pressure. Since not all security programs can reliably detect these types of fraudulent messages, it is important not to underestimate the grave threat posed by business email compromise.
How to protect yourself from CEO fraud
What can companies do to prevent CEO fraud, business email compromise and other similar methods? There are three basic rules that you must bear in mind:
- Forewarned is forearmed: companies should carefully explain the mechanisms of identity spoofing to their employees. When it comes to remittance requests, it is also essential to ensure that all hierarchy levels check the authenticity of the email address of the person posing as the initiator of the transaction. When in doubt, employees are much better off asking too many questions instead of too few.
- Credit transfers should be subjected to the four-eyes principle and should be allowed exclusively with joint signatures. But be careful: a recent example from Bavaria in Germany shows that even a second signature does not protect the account if the second person fails to check the transaction properly.
- It should not be possible to access information on the company website or on the social media accounts of employees that could be misused for social engineering attacks. In particular, dates of birth, home addresses, complete lists of contacts or travel itineraries should not be publicly accessible. In business networks such as LinkedIn, it is also possible to separately restrict the visibility of shared and published posts, profile photos, surnames and dates of birth.
Keeping the identity verification requirements for credit transfers under wraps within the company will effectively block any attempts at identity spoofing.