How a corporate email compromise scam impersonated the chief financial officer of a large corporation
In one scam analyzed by Avanan, victims received an email claiming to be from the chief financial officer directing them to pay their insurance company.
Business email intrusion attacks work using a standard phishing scheme and then give it authority by impersonating a trusted and often high-ranking individual associated with targeted organization.
In one Thursday release report25, email security provider Avanan described a particular scam that impersonated the chief financial officer (CFO) of a major sports company in an attempt to steal money.
Phishing attempt disguised as a payment request from the CFO
In this attack, the phishing email impersonated the CFO with a request to send a payment to their insurance company. Asking the recipient to pay via ACH electronic transfer, the email includes a forwarded message and an attached PDF file that is believed to be an invoice from West Bend Mutual, an actual insurance provider. The From address in the forwarded message is listed as West Bend Mutual, but the actual replying address is different from the provider’s physical address.
The message that something is confusing comes from a banner that appears at the top of the email warning recipients that “this email may not be from the displayed sender” (Picture A). The banner was added by the organization’s Office 365 installation, a useful feature that alerts users to a potential scam.
In a second phishing campaign that Avanan discovered, the attackers used the same fake content from the insurance company West Bend Mutual. In this message, the “Contact Us” email address at the bottom spells Silver Lining as “Silver Linning.” However, there is no notification banner at the top alerting the recipient that the email address does not match.
UNDERSTAND: How credential phishing attacks threaten a wide range of industries and organizations (TechRepublic)
The first email quoted failed because the banner warned the user that something was wrong. However, business email intrusion attacks often work for a few different reasons.
By impersonating an executive in the targeted company, these malicious emails take advantage of employees’ desire to please their bosses and management. These types of emails are also very difficult to block.
External email gateways cannot parse the context of such a message. They only see that the email is from the CFO or another senior executive, so they allow these messages to be forwarded. Banners alerting users to email address mismatches are important safeguards. But too many of those banners can lead to users ignoring them.
Cybersecurity education for employees is important, Avanon says
Instead of relying on external email gateways and warning banners, your best bet is to proactively block these types of attacks, so that employees don’t have to decide if a message is legitimate.
However, it’s still important to educate employees, as some spoofed phishing emails always get past your defenses. To achieve that goal, Avanan offers some advice:
- Inform users to always check replying addresses in emails to make sure they match.
- Instruct staff to ask the original sender for confirmation if unsure about the legitimacy of the email.
- Encourage users to contact someone on your finance team before making emailed invoices.
- Remind employees to read the entire email to scan for inconsistencies, typos, and other errors.
- Ask users to be transparent about all messages with links and attachments.
- Remind users to share personal information only in real time and in person.
- If your software or security product uses warning banners, be sure not to use them to attack your users. Forward such banners only at important times, so that recipients take them more seriously.
- Configure your account to notify you of any changes.
- Set up multi-factor authentication for all accounts, especially email.
- Use a password manager in your organization to create and store user passwords.
