Editor’s Note: This is the second in our ongoing series on executive impersonation. We recommend beginning with Part One.
Technically speaking, executive impersonation schemes are a flavor of the fraud du jour: Business Email Compromise (BEC). This general category encompasses the new kinds of fraud we’ve seen in recent years, ones that rely on tricking employees into clicking malicious links, installing virus-laden software, executing improper financial transactions, etc. Most of these tactics require the fraudster to impersonate a person or institution the recipient knows and considers authoritative, e.g. a bank, the IRS, or a well-known corporation with ubiquitous consumer products. The most insidious tactic, however, is executive impersonation. Due to the research and specificity required to pull it off, this kind of fraud carries the potential for very serious breaches in network security and/or company finances. Understanding the two major ways perpetrators utilize this tactic is critical to protecting yourself, your employees, and your business.
An Urgent Request From A Boss
This kind of BEC is precisely what happened to our client (see the story in Part One of this series). In this model, the hacker/thief researches and chooses a senior (C-suite) executive to impersonate. They then create an email address with a domain very similar to but subtly different from that of the target. For example, firstname.lastname@example.org may be impersonated as email@example.com. The difference (one of the lower-case Ls is replaced with a 1) is minor enough that an uncritical eye could skim right over it without realizing that John Doe didn’t actually send the email. Fake email address in hand, the perp then researches when the executive will next be out of the office (on vacation, at a conference, etc.) and reaches out to lower-level staff with urgent, vague requests to transfer money to an external bank (often foreign). To reiterate, our client was targeted a total of three times (two successful) by the same fraudster over the course of a week. By the time anybody realized what had happened, they had lost nearly $30,000.
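As an added example (not code from the original post), a defender-side check of the kind a mail gateway or finance team script could run: it flags sender domains that resemble a trusted domain, including the lower-case-l-to-1 swap described above, a trusted name buried inside a longer domain, and near-miss spellings. The trusted-domain list and the confusable table are constructed assumptions for this example.

```python
import re

# Constructed for this example: domains the organization actually uses or trusts.
TRUSTED_DOMAINS = {"example.org", "examplebank.com"}

# Character swaps that read as look-alikes in a sender address (e.g. l -> 1).
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "|": "l", "rn": "m", "vv": "w"}


def normalize(domain):
    """Undo common look-alike substitutions so 'examp1e.org' reads as 'example.org'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance: catches typos and transpositions such as 'exampel.org'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_domain(address):
    """Pull the domain out of 'Name <user@domain>' or a bare user@domain."""
    m = re.search(r"@([^\s>]+)", address)
    return m.group(1).lower().strip(".") if m else ""


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' or 'external' for the sender's domain."""
    domain = extract_domain(address)
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        if t in domain:  # trusted name embedded in a longer, unrelated domain
            return "lookalike"
        if norm == t or levenshtein(norm, t) <= max_distance:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for sender in ['"John Doe" <john.doe@examp1e.org>', "john.doe@exarnple.org",
                   "ap@example.org.invoices-notice.com", "john.doe@example.org",
                   "vendor@unrelated.net"]:
        print(f"{sender:45} -> {classify_sender(sender)}")
```

Anything that comes back as "lookalike" is a candidate for quarantine or an out-of-band callback before any funds move; the edit-distance threshold is a tuning knob and will need adjusting for short domains.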
A Strong-Arm Request From A Vendor
Executives and other people who actually work at an organization are not the only disguises digital impostors wear. Many malicious actors run a similar scheme by researching and pretending to be a vendor or supplier of the target organization. In this model, the “vendor” sends the accountant (or whomever handles payables) an aggressive request to send or redirect funds. For example, the vendor may request that future invoices be fulfilled via wire transfer to a foreign bank account. The request may seem sufficiently ordinary that money is rerouted without question, and the organization only finds out once the actual vendor notices that its invoices aren’t being paid and follows up with a disgruntled call. Larger organizations (especially international ones) are at greater risk of this type of fraud: the bigger an organization gets, the more likely it is to use large, external vendors with whom it has infrequent communication.
Always Scrutinize Unusual Requests
Most versions of BEC have something in common: they require you or your staff to drop the ball. Somebody may click an innocent-looking link, unwittingly install malicious software, fulfill what they assume is a normal request from a superior, or ignore standard procedures for the sake of expediency. In future installments of this series, we’ll take a closer look at:
- strategies for coping if you find yourself a victim
- ways you can prepare your organization to recognize and prevent threats
Keep an eye out for future posts on this subject, and please don’t hesitate to contact me with questions or comments in the meantime.