CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives

  • 01 October 2019

You’re sitting at home when your phone lights up. It’s an email from the CEO. Subject line: “Urgent”.

Your heart rate rises a little. It’s after hours – it must be something serious. And aren’t they meant to be on holiday this week?

“Hi – I’ve just had a call from Supplier X in France. We need to change the account details for the invoice that’s due to be paid tomorrow. I’m OOO so can’t look at it. Could you help? Sorry for late message.”

You check the accounting platform. The invoice is there, ready to go tomorrow. It takes less than two minutes to amend the details. You notify the CEO that the job’s done. (Maybe they’ll mention to your boss how you helped them out!)

The reply comes: “Excellent – thanks for sorting this. Great job.”

A good evening’s work, right? Unless your “CEO” isn’t who you think it is.

What is CEO fraud?

  • CEO Fraud

    CEO fraud (or CXO fraud) is a type of spear phishing attack where attackers impersonate a CEO, CFO or another high-level executive. Attackers aim to trick the executive’s colleagues into carrying out actions that place data, money and/or credentials at risk.

CEO fraud is a form of Business Email Compromise (BEC). It’s just one part of an epidemic of email impersonations that are responsible for billions of dollars in losses around the world. Collectively, Business Email Compromise scams have been responsible for $26bn in enterprise losses. According to the FBI, “Between May 2018 and June 2019 there was a 100% increase in identified global exposed losses.”

CEO fraud and other BEC attacks can cause extreme harm to organizations. A particularly common outcome, as with most BEC scams, is to extract money from the business by coercing an employee into making a wire transfer to a cybercriminal-controlled bank account. However, CEO fraud attacks can also seek to extract sensitive information like contact data and credentials, and even disseminate malware into an organization.

CEO fraud vs. whaling

CEO fraud and whaling are closely related, but far from identical.

The key difference is that in a whaling attack attackers target the big fish themselves (hence the term). A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. This information can then be used to access confidential systems, or to make subsequent spear phishing attacks within the organization more authentic and effective.

Whaling is seen as an effective attack vector because senior leaders themselves are perceived to be “easy targets”. Leaders tend to be extremely busy, and they often enjoy access to the most sensitive information an organization holds. Verizon research has suggested that senior executives are 12x more likely to be the target of attacks such as phishing than other employees.

CEO fraud, meanwhile, uses the seniority of those high-level executives to exploit other employees within organizations. So what are the methodologies information security practitioners have to watch out for?

The most common CEO fraud techniques

As with so many email threats, at the heart of every CEO fraud attack is impersonation. This type of attack most often occurs by way of display name or domain impersonation. (We’ll also cover freemail impersonation, another important technique to be aware of.)

Display name impersonation

Display name impersonations involve attackers setting deceptive display names on their email accounts in order to mislead recipients. The display name is not part of the email address itself: it’s the name affiliated with the account that usually appears before the email address in inboxes.

Impersonating a display name is extremely easy, and works especially well on mobile devices, where the actual email address used to send the email is unlikely to be visible. The image below shows an impersonation of an example CEO, Thomas Edison. Anyone can change their display name to Thomas Edison and send a potentially convincing email on mobile devices with nothing looking amiss:

On mobile, sender display names are visible, while domains usually are not.

Domain impersonation

Domain impersonation attacks involve attackers spoofing or impersonating an organization’s domain in order to appear legitimate. Attackers can produce convincing impersonations of a genuine CEO email address in three ways. Root domain impersonations change aspects of the company’s domain – an example might be te55ian.com. Top-level domain impersonations involve changes being made to the .com or .co.uk parts of a domain: an attacker might exploit an unregistered or less common domain like .io or .work. Additionally, attackers can add company-branded subdomains to a completely separate and abstract domain (eg company.email-outbound.com).

Just because a company owns the more popular .com or .co.uk top-level domains does not mean they own every variation on those domains. CEO fraud attacks can exploit any inconsistencies in security infrastructure, leveraging online properties unclaimed by the organization in question in order to create a compelling spear phishing email.

An example of a spoofed email "from" Thomas Edison of the National Phonograph Company. Here, the authentic .com domain has been changed to .co.

Freemail impersonation

Freemail impersonation describes spear phishing attacks where criminals use the fake personal email address of a senior-level executive. An attacker impersonating the CEO of a company – let’s use Thomas Edison again – could register an email address on Google and send an email from [email protected] to an employee working in the finance department, for example, requesting an urgent transaction. Here’s an example of this in practice:

Impersonations come in many shapes and sizes. CEO fraud attacks can rely on any one of these techniques to exploit the trust of employees, with potentially devastating consequences for enterprises. But why do employees click on these spear phishing emails in the first place? Social engineering has a lot to do with it.

CEO fraud and social engineering

Of all types of BEC attack, CEO fraud might be the type that relies most on social engineering.

Social engineering describes the techniques attackers use to persuade people to take a dangerous action. Attackers may rely on the seniority of the person they are impersonating, or the illusion of urgency being created, to prompt a lower-ranking employee to take a desired action. Often, attackers will build trust with a target by communicating “normally” for periods of time, using entirely innocuous language: this heightens the effect of coercive language when an attack is finally launched.

There are a range of social engineering levers attackers can pull to affect their target and coerce them into sending assets like money or data outside the organization:

Seniority

It might sound obvious, but emphasizing the nature of a CEO or senior executive’s work can be an effective tactic in coercing an employee into action. Emails that ask for work to be done ahead of a board meeting, or which appear to be critical to the success and/or health of a business, underscore their importance and encourage people to act swiftly (perhaps without thinking carefully).

Trust

While most early spear phishing attacks contained malicious links or attachments, a growing proportion of attacks now contain no payload at all. This has the advantage of being harder for traditional security tools to detect, but sending innocent, non-fraudulent emails also helps to build a rapport with the target. A history of “regular” email communication raises the chances of the target taking the bait when the key, malicious email is sent.

Urgency

If there isn’t much time to act on a given request, targets may not think as critically about the motivations behind that request. By centering the message on time sensitivity, attackers hope that they will force targets to think instinctively (not rationally), particularly if the message comes from a trusted senior colleague. Let’s return to an example we used earlier, this time focusing on the content of the email rather than the display name. It concerns a supplier payment that’s due “tomorrow”, making the request appear to be a high priority:

How to defend against CEO fraud

Part of the challenge for IT and security professionals is the sheer number of options in the cybersecurity marketplace that promise to help combat advanced impersonation attacks.

The rising number of data breaches every year is testament to the fact that legacy security tools are not able to defend against sophisticated email impersonations. Traditionally, security products have depended on extensive lists of rules to operate. Although rule-based software has been able to defend organizations against predictable, unsophisticated spam and “bulk” phishing attacks, more agile and sophisticated techniques have rendered Secure Email Gateways (SEGs) and other rule-based software programs ineffective. When criminals are changing their angles of attack all the time, legacy tech just can’t keep up.

Organizations frequently extol the benefits of training and awareness in combating sophisticated spear phishing attacks. However, placing the onus on employees to defend against cyberattackers detracts from the reason they were brought into the business in the first place – to be empowered to do their own specialized work. Too many organizations still rely on unintuitive training sessions that don’t focus on real-world issues the firms in question are facing every day.

Instead of placing all their chips on training, organizations must invest in understanding the patterns that betray CEO fraud and other impersonations.

Spear phishing emails have certain key components that, when analyzed together, can help detect the attack that’s taking place.

  • Target: Spear phishing attacks are invariably directed at specific employees or groups of people. Criminals don’t have to search long and hard to identify good targets. There is an abundance of valuable data online, from Linkedin career updates to employee details on company websites.
  • Intent: In both the email subject line and body copy, the attacker will use deliberate language to establish context and intent. They want the recipient to do something now. In sophisticated attacks, fraudsters will initiate normal conversations but not mention any requests. With this approach, they invest time in developing a legitimate dialogue and establishing trust with the target over multiple emails. As a result, any subsequent requests﹘like a wire transfer﹘will appear authentic and usually get the target to complete the desired action.
  • Impersonation: At the heart of every spear phishing attack is impersonation. The attacker is pretending to be a person or entity that the target knows and trusts.
  • Payload: Spear phishing emails may contain some form of payload (a malicious attachment or link) to engage the target. Advanced impersonation tactics are discreet; they usually rely on text alone to elicit a desired action. For example, “please wire payment to this account: 123-4567” or “Can you please buy 10 Apple gift cards for our clients and send me the voucher codes as reference ASAP?” By omitting conspicuous payloads, these advanced threats (aka zero payload attacks) can more easily slip through standard email defenses.

Here’s a view of these components laid over a potentially suspicious email:

Attackers can be incredibly subtle in crafting their messages, and it is unreasonable to expect busy employees to identify potentially threatening aspects of an email straight away. That’s where Tessian Defender, our security software built to detect advanced impersonation spear phishing, comes in.

It’s a given that email security software needs to analyze email headers, IP addresses and other information that’s normally hidden from the end user. But to prevent CEO fraud and other spear phishing attacks, software must also be able to analyze natural language and compare the message in question to as much historical comparison data as possible. Even the content employees can see – perhaps particularly the content employees can see – is designed to trigger a dangerous action on the part of the target.

Using 12 months of archival email data to establish what “normal” looks like, Tessian understands how different people inside and outside a given organization communicate with each other on email. Analyzing behaviors and communication patterns, Tessian can identify whether the content of each new email appears suspicious.

If an email to an employee is deemed a potential risk to security, Tessian generates a notification which sits above the message itself in the employee’s email client and explains what could be amiss. With all the salient information on hand, the employee can choose whether to reply to the message or to change their course of action and flag the threat.

With Tessian’s technology keeping email safe, employees can get on with their work without the pressure of feeling like they are the first line of defense against cyber threats. Security leaders, meanwhile, can be sure that employees are dealing with fraudulent emails in an appropriate way. Technology that stops threats and educates workforces: is this the route to eradicating the threat of CEO fraud?

CEO fraud: in summary

Security practitioners need to be extremely mindful of the risk of CEO fraud and other BEC scams. Impersonation-based cybercrime continues to extract billions of dollars from organizations each year. Attackers are constantly evolving their methodologies and showing that legacy email security software is increasingly outdated.

The way to take on the threat of CEO fraud is to look at the fundamental technique at the heart of any such attack: someone with bad intentions impersonating a senior leader on email. Software that understands the email relationships between different stakeholders, and that is built to look for this kind of impersonation, is vital for any organization looking to minimize harm from data loss, financial penalties and reputational damage.

Learn more about Tessian Defender on a call with a Tessian security expert here.