You get an email from your boss. It says, “Sorry to bother you on a Saturday, but I need help with a time-sensitive project – could you please respond?”
The email appears to come from a Gmail address matching your boss’s name rather than from your organization’s domain, and the footer says “Sent from my iPhone.” Odd, but it seems legit, right? Do you respond?
Many people would, with possibly disastrous (and expensive) consequences.
This is a frequent tactic used by online criminals looking to trip you up with a scheme called “business email compromise,” or BEC. These fraud attempts are sophisticated enough that they are easy to mistake for genuine correspondence.
The scammers take the time to work out which staffers have access to financial information and who would be a credible, authoritative sender of such a request. Sometimes malware or a phishing link accompanies these exchanges, so that simply responding or opening an attachment can open the door to a broader cyberattack.
Although the perpetrators of BEC (also known as CEO impersonation) use a variety of tactics to fool their victims, a common scheme involves the criminal group gaining access to a company’s network through a spear-phishing attack and the use of malware. Undetected, they may spend weeks or months studying the organization’s vendors, billing systems and the CEO’s style of e-mail communication, and even his or her travel schedule.
When the time is right, often while the CEO is away from the office, the scammers send a bogus e-mail in the CEO’s name to a targeted employee in the finance office: a bookkeeper, accountant, controller or chief financial officer. It requests an immediate wire transfer, ostensibly to a trusted vendor. The targeted employee believes he is sending money to a familiar account, just as he has done in the past, but the account number is slightly different, and a transfer of what might be tens or hundreds of thousands of dollars ends up in an account controlled by the criminal group.
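The two tells described above (a sender whose display name matches an executive but whose address is outside the organization, and a wire request whose beneficiary account differs slightly from the vendor’s account of record) can both be checked mechanically before anyone replies. The following Python screen is an added example written for this post; it is not code from MACo, CIS or the original article. The organization domain, the executive directory, the vendor master file, the account-number pattern and the sample message are all constructed assumptions. It also flags a Reply-To address that diverges from the From address, a common BEC pattern that goes beyond what the article itself describes.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Everything below is constructed for this example; none of it comes from the article.
ORG_DOMAIN = "example.gov"  # assumed organization domain

# Hypothetical staff directory: executives' display names and corporate addresses.
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.gov",
}

# Hypothetical vendor master file: the beneficiary account number on record per vendor.
VENDOR_ACCOUNTS = {
    "Acme Paving LLC": "123456789012",
}

# Assumed pattern for an account number quoted in a payment request.
ACCOUNT_RE = re.compile(r"account\s*(?:number|no\.?|#)?\s*:?\s*(\d{6,17})", re.I)


def _norm(name):
    """Collapse a display name to lowercase letters so 'jane doe' and 'Jane  Doe' compare equal."""
    return re.sub(r"[^a-z]", "", name.lower())


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(msg):
    """Flag an executive's display name on a non-corporate address, an external
    sender domain, and a Reply-To that points somewhere other than the From domain."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    for exec_name, exec_addr in EXECUTIVES.items():
        if _norm(display) == _norm(exec_name) and addr.lower() != exec_addr:
            findings.append(
                f"display name '{display}' matches {exec_name} but sender is {addr}, not {exec_addr}")
    if _domain(addr) and _domain(addr) != ORG_DOMAIN:
        findings.append(f"sender domain {_domain(addr)} is external to {ORG_DOMAIN}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To {reply_to} does not match From domain {_domain(addr)}")
    return findings


def check_wire_request(msg, vendor):
    """Compare every account number in the body against the vendor's account of record
    and report the digit positions that differ (the 'slightly different' account)."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    on_record = VENDOR_ACCOUNTS.get(vendor)
    findings = []
    for requested in ACCOUNT_RE.findall(text):
        if on_record is None:
            findings.append(f"no account of record for vendor {vendor}")
        elif requested != on_record:
            diff = [i for i, (a, b) in enumerate(zip(requested, on_record)) if a != b]
            findings.append(
                f"account {requested} differs from record {on_record} at positions {diff}")
    return findings


def screen(raw, vendor):
    """Parse a raw RFC 5322 message and return all findings; an empty list means no tells."""
    msg = message_from_string(raw, policy=policy.default)
    return check_sender(msg) + check_wire_request(msg, vendor)


# Constructed sample message modelled on the scenario in the article.
SAMPLE = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
To: controller@example.gov
Subject: Urgent wire - Acme invoice
Content-Type: text/plain; charset="utf-8"

Sorry to bother you on a Saturday, but I need the Acme Paving invoice paid
today. Please wire $48,500 to account number 123456789021, routing 011000015.
Sent from my iPhone
"""

if __name__ == "__main__":
    for finding in screen(SAMPLE, "Acme Paving LLC"):
        print("FLAG:", finding)
```

Run against the sample, the screen reports three findings: the executive’s name on a Gmail address, the external sender domain, and an account number that differs from the vendor record in its last two digits. Any finding should route the request to an out-of-band confirmation (a phone call to the executive or vendor on a known number), never a reply to the message itself.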
So, what can you do to protect your organization from these kinds of attacks?
MACo’s partner, the Center for Internet Security, has several recommendations to protect local governments from falling victim to email fraud schemes, including policies for identifying and reporting BEC and similar phishing scams, staff training, response plans and more. View the in-depth security primer and BEC protection recommendations from CIS.
The Center for Internet Security (CIS) provides security assessment and consulting services to help organizations identify critical system weaknesses with a customized plan designed to meet the unique cybersecurity needs of local governments. For more information, contact Ryan Spelman of CIS at Ryan.Spelman@cisecurity.org or visit their partnership perks page.