Executives / CxO level targeted in CEO Email Abuse scams

Only this past week has news come out that a CEO of a large aircraft parts manufacturer for Airbus has been sacked by the board for losing €50million in a spear phishing / CEO email abuse email. News article is available here. Furthermore, the FBI reported that across a 2 year period, some 18,000 people lost close to $2.3 Billion from such a compromise. Check out the FBI report here.

Typically, such a scam would involve the recipient organization receiving emails to key staff that are typically functionally based. In other words, invoice payment themes to the finance department or even account lockouts to operations and customer service. The point is that there is some level of familiarity from either the brand associated in the email or the person that is purporting to send the email. Of course in both cases it is a fraudulent email that is using a widely known technique of email domain spoofing. Check out the previous blog – The-fundamental-flaw-in-email. There are simple steps that can be taken to avoid such severe outcomes.

1. DMARC compliance – The DMARC RFC specification has only been around for a couple of years, but it is the most effective technique to mitigate and STOP email domain spoofing against:

Employees receiving spear phishing emails, CEO email abuse emails etc,Customers receiving spam email that also use your email domains that most likely contain malware, andExternal 3rd parties, vendors/suppliers receiving fraudulent emails for payment that also use your email domains, again most likely riddled with malware and ransomware.

The effort required for DMARC implementation is less than 30 minutes if you know what you’re doing. Dmarcian has a heap of information and FAQs to help you get started. Otherwise I’m sure they would gladly assist. The implementation and monthly monitoring and reporting costs for DMARC are disproportionately low compared to the benefits that it can provide.

2. Security Awareness Training – knowing that employees are the weakest chain in the link, makes it obvious to add some level of control to the people factor. Building a human firewall to prevent employees (finance, exec level) in key positions making silly errors is a very effective mechanism to raise awareness to the current cyber threats.

Initially create awareness training for specific groups ie executive level, finance and gradually take it to all employeesFocus on topics that are current such as how to spot fraudulent accounts payable requests, general aspects such as clicking on links within emails, password protection and even what is ransomware.Continuous testing would also be advisable with many systems allowing the creation of fake phishing emails to identify those that need more training!

3. Vendor Protection Process – as your organisation implements email domain protection it’s not unreasonable to expect your key vendors/suppliers to also do the same. In fact, I would recommend that ALL your vendors be DMARC compliant. The reason is simple – familiarity. Going back to the people issue discussed above, familiarity can encourage a level of complacency that can result in ransomware getting in to your organisation because that purported sender of the email is seen as a known entity.

In an era where technology can be seen as the panacea to all our issues, it is important to remember that people and process are also just as important to the three legged stool ( that’s a story for another day). Let’s not forget the simple steps that can enhance our general security.

By Con Lokos