Spoofing emails: The trickery costing businesses billions

The email came in like any other, from the company chief executive to his finance officer.

“Hey, the deal is done. Please wire $8m to this account to finalise the acquisition ASAP. Needs to be done before the end of the day. Thanks.”

The employee thought nothing of it and sent the funds over, ticking it off his list of jobs before heading home. But alarm bells started to ring when the company that was being acquired called to ask why it had not received the money. An investigation began – $8m was most definitely sent, but where to?

We will never know.

Some of the money was clawed back by the banks, but most was lost to hackers who may have cashed out using an elaborate money-laundering network or simply moved on to the next victim. Meanwhile, the finance officer is left feeling terrible and the company is left scratching its head. After all, the email had come ostensibly from the boss’s address and his account had not been hacked.

It was left to cyber-security experts to break the bad news to the firm: emails are not to be trusted.

CEO Fraud

This is a real-life example of a cyber-attack known as Business Email Compromise, or CEO Fraud. The attacks are relatively low-tech and rely more on social engineering and trickery than traditional hacking.

Cyber-criminals simply spoof the email address of a company executive and send a convincing request to an unsuspecting employee. The message looks just as though it has come from the boss – but it has been sent by an imposter.

Continue reading here.