How a business email compromise scam spoofed the CFO of a major corporation
In a scam analyzed by Avanan, the victim received an email claiming to be from the CFO directing them to make a payment to their insurance company.
Business email compromise attacks work by using a standard phishing scheme and then lending it authority by impersonating a trusted and often high-ranking individual associated with the targeted organization.
In a report released Thursday, August 25, email security provider Avanan describes one particular scam that spoofed the chief financial officer (CFO) of a large sports company in an attempt to steal money.
Phishing attempt disguised as a payment request from CFO
In this attack, the phishing email impersonated the CFO with a request to send a payment to their insurance company. Asking the recipient to make payment via an ACH electronic fund transfer, the email included a forwarded message and an attached PDF file that claimed to be an invoice from West Bend Mutual, an actual insurance provider. The From address in the forwarded message listed West Bend Mutual, but the actual reply address differed from the provider’s real address.
The tipoff that something was fishy came from a banner appearing at the top of the email warning the recipient that “this email may not be from the displayed sender” (Figure A). The banner was added by the organization’s Office 365 installation, a helpful feature that alerted the user to a potential scam.
In a second phishing campaign seen by Avanan, the attackers used the same West Bend Mutual insurance company spoof. In this one, the “Get in touch” email address at the bottom spelled Silver Lining as “Silver Linning.” However, there was no banner notification at the top warning the recipient that the email addresses didn’t match.
SEE: How credential phishing attacks threaten a host of industries and organizations (TechRepublic)
The first email cited was unsuccessful because the banner alerted the user that something was wrong. However, business email compromise attacks often work for a few different reasons.
By spoofing an executive within the targeted company, these malicious emails take advantage of the desire by employees to please their bosses and managers. These types of emails are also challenging to block.
External email gateways are unable to analyze the context of such a message. They only see that the email is from the CFO or another upper-level executive, so they allow these messages to pass. The banner that alerted the user to a mismatch in the email addresses was the critical defense. But too many of those banners can lead to users simply ignoring them.
Employee cybersecurity education is critical says Avanon
Rather than rely on external email gateways and warning banners, your best bet is to proactively block these types of attacks, so employees don’t have to decide whether a message is legitimate.
However, employee education is still critical, as some volume of phony phishing emails are always going to sneak past your defenses. Toward that end, Avanan offers several tips:
- Inform users to always check the reply-to addresses in an email to make sure they match.
- Instruct employees to ask the original sender for confirmation if unsure about the legitimacy of an email.
- Encourage users to contact someone in your finance group before acting on invoices sent via email.
- Remind employees to read the entire email to scan for inconsistencies, misspellings and other errors.
- Tell users to be dubious of all messages with links and attached files.
- Remind users to share personal information only in real time and in person.
- If your software or security product uses warning banners, be sure not to bombard your users with them. Only turn to such banners at critical times, so the recipients take them more seriously.
- Configure your accounts to notify you of any changes.
- Set up multi-factor authentication for all accounts, especially email.
- Use a password manager within your organization to create and store user passwords.