Spear phishing – CEO fraud

We get a lot of E-Mails every day, but a message from the boss (or another company leader) immediately gets our full attention.

This is exactly what criminals exploit to get our attention, and just recently we (i.e. recipients at IST Austria) received a couple of emails impersonating managers and heads of IST Austria. These so-called spear phishing attacks aim to trick us into CEO fraud.

What should I do?

Never reply to such an email; forward it to it@ist.ac.at and delete it from your inbox.

If you are unsure, assume the worst and contact IT, your supervisor, or the person who appears to have sent the request via a channel you already know (e.g. their phone number), and never via contact details taken from such an E-Mail!

Why are such E-Mails not filtered?

Unfortunately, the wording of these E-Mails is very generic, as you can see in the examples below, so filtering on the text alone is simply not possible.

But the E-Mail address does not match the sender name!

Yes, that is true, but e-mail deliberately allows this: the display name and the actual address are two separate parts of the From: header, and nothing in the SMTP delivery chain checks that they match. Legitimate senders use this quite frequently too, e.g. our ticketing system:

As you can see, the same E-Mail address appears with different names. The same thing happens if you configure your E-Mail client slightly differently from our systems (e.g. adding or removing an initial, or putting first and last name in a different order).

Many other internal and external services use this feature as well. Filtering is unfortunately not something we can simply “turn on”, but we are certainly working on rules that allow a bit more control.
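To give a rough idea of what such a rule can look like, here is a small Python example added to this page (it is not IST Austria's own code or mail filter). It assumes a constructed organisation domain example.org, a constructed list of known names, and constructed From: headers; it also goes slightly beyond the text above by flagging a display name that itself contains an internal-looking address.

```python
"""
Added example (not IST Austria's own code or tooling): a small check for the
display-name / address mismatch described above. The domain, the list of
known names and the sample From: headers are all constructed for illustration;
in practice the names would come from the directory service.
"""
import re
from email.utils import parseaddr

# Constructed organisation domain; a real check would also cover sub-domains.
INTERNAL_DOMAIN = "example.org"


def normalise_name(name: str) -> str:
    """Lower-case a display name, strip punctuation and sort its words, so
    that 'Jane Doe', 'Doe, Jane' and 'jane doe' all compare equal. This
    absorbs the harmless variations mentioned above (name order, commas)."""
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", name.lower())
    return " ".join(sorted(cleaned.split()))


# Constructed: people whose names an attacker would plausibly borrow. "Todor"
# is the machine-shop manager mentioned on this page; "Jane Doe" is made up.
KNOWN_PEOPLE = {normalise_name(n) for n in ("Todor", "Jane Doe")}


def classify_from_header(from_value: str) -> dict:
    """Classify one From: header value.

    internal  - the address is on INTERNAL_DOMAIN; the display name may
                vary freely (the ticketing-system case above)
    lookalike - external address, but the display name is a known internal
                person, or the display name itself looks like an internal
                address; this is the spear-phishing pattern to report
    external  - external address with an unknown display name
    """
    display, address = parseaddr(from_value)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""

    # An address hidden inside the display name, e.g. "boss@example.org" <x@y>
    embedded = re.search(r"@([a-z0-9.-]+)", display.lower())
    embedded_domain = embedded.group(1) if embedded else ""

    if domain == INTERNAL_DOMAIN:
        verdict = "internal"
    elif normalise_name(display) in KNOWN_PEOPLE or embedded_domain == INTERNAL_DOMAIN:
        verdict = "lookalike"
    else:
        verdict = "external"

    return {"display": display, "address": address, "domain": domain,
            "verdict": verdict}


# Constructed sample headers: two legitimate ticketing-system variants, two
# spoofed names on free-mail addresses, an address-in-name trick, and an
# ordinary external sender.
SAMPLE_HEADERS = [
    "Ticket System <tickets@example.org>",
    "IT Helpdesk <tickets@example.org>",
    '"Todor" <todor.manager@gmail.com>',
    '"Doe, Jane" <jane.doe.ceo@outlook.com>',
    '"todor@example.org" <random123@mail.example.net>',
    "Newsletter <news@vendor.example.com>",
]


def suspicious_senders(headers=SAMPLE_HEADERS) -> list:
    """Return the addresses that should be reported (verdict 'lookalike')."""
    return [r["address"] for r in map(classify_from_header, headers)
            if r["verdict"] == "lookalike"]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = classify_from_header(h)
        print(f"{r['verdict']:9}  {r['display']!r:28} {r['address']}")
```

A rule like this should only mark messages for review rather than reject them: as the ticketing-system example shows, a differing display name on an internal address is perfectly normal, and a simple name match will also produce false positives for external contacts who happen to share a name with a colleague.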

Current examples of such emails

The information used in the emails below could have been taken from our homepage, see EM-Facility

See also: Miba machine shop on our homepage, which states that Todor is the manager of the machine shop.

From a safe account, we also tried to get more information about the attack, so we answered to find out what the attacker's next step might be.

Replying to such a phishing E-Mail is unlikely to harm your system, but you should still never do it, as your E-Mail client sends a lot of information you probably don't want to share with a potential attacker!

As you can see, the attacker wants to trick us into buying gift cards. That is still a real loss for the person who bought the cards, as those will not be reimbursed, but it is far from the €50 million an Austrian company lost in 2016 to such an attack (about €11 million of which could be recovered; for more details about this and other attacks see: IT Security Awareness Training).

What is CEO fraud?

CEO fraud involves the impersonation of a senior company executive in order to divert payments for goods and services into a fraudulent bank account. Fraudsters will typically target a company’s finance department, either via email or over the phone.

What is spear phishing?

This is a much more focused form of phishing. The cyber-criminal has either studied up on the group or has gleaned data from social media sites to con users. A spear phishing email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included: perhaps the person's name, the name of a client, or in some cases even an (almost correct) signature.