Part III: CEO Fraud ~ Social Engineering

Social Engineering: All of these techniques fall under the broader category of social engineering. This innocuous-sounding label originally meant the application of sociological principles to specific social problems.

But within a security context, it has come to signify the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel.

This can include their contact information, connections, friends, ongoing business deals and more. Unfortunately, these scams have a high rate of success. The Verizon 2016 Data Breach Investigations Report revealed a shocking 30% of recipients open phishing messages and 12% click on attachments.

Many of these breaches happen within two minutes of receipt. That means IT has little chance of catching this malicious traffic before it hits inboxes. While phishing emails may not directly lead to CEO fraud, they are the top avenue of entry for malware and spyware into the enterprise.

Once inside, cybercriminals can bide their time casing out the financial connections and interactions within the company. They eventually learn enough to spring a convincing BEC attack, usually posing as a company executive or accounts personnel. They can sit unobserved for months while they study the key individuals and protocols necessary to perform wire transfers within that business environment.

The FBI identifies five main scenarios by which this scam is perpetrated:
Business working with a foreign supplier: This scam takes advantage of a long-standing wire-transfer relationship with a supplier, but asks for the funds to be sent to a different account.
Business receiving or initiating a wire transfer request: By compromising the email accounts of top executives, the fraudsters send another employee a message instructing them to transfer funds somewhere, or a financial institution receives a request from the company to send funds to another account. These requests appear genuine because they come from the correct email address.
Business contacts receiving fraudulent correspondence: By taking over an employee's email account and sending invoices out to company suppliers, the fraudsters get money transferred to bogus accounts.
Executive and attorney impersonation: The fraudsters pretend to be lawyers or executives dealing with confidential and time-sensitive matters.
Data theft: Fraudulent emails request either all wage or tax statement (W-2) forms or a company list of personally identifiable information (PII). These come from compromised and/or spoofed executive email accounts and are sent to the HR, accounts or auditing departments.

In the next post, find out who is at risk. While you're waiting with bated breath, remember... Think Before You Click!

Tina Louise ~ 888.871.6584
