Cybercrime from CEO Fraud

The good news is we just landed a large, successful customer. The bad news is they were a victim of a cybersecurity breach. This one was fairly simple and fairly common. It’s called the “Bogus Boss” email scam. The FBI also calls it “CEO Fraud”

According to their website, the scam starts like this:


CFO Cyber Fraud

 A typical CEO fraud attack. Image: Phishme

CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “” the thieves might register “” (substituting the letter “L” for the numeral 1) or “,” and send messages from that domain.

Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes rarely set off spam traps because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests, and travel and/or purchasing plans.

They do this by scraping employee email addresses and other information from the target’s Web site to help make the missives more convincing. In the case where executives or employees have their inboxes compromised by the thieves, the crooks will scour the victim’s email correspondence for certain words that might reveal whether the company routinely deals with wire transfers — searching for messages with keywords like “invoice,” “deposit” and “president. Information source:

After the criminals do the original investigation detailed above they will compose an email that looks to be from the CEO (or COO, CFO) to someone in accounts payable as in the example above. Again in the example, if Samuel Hahn replies to his boss’s email, remember it’s a criminal impostor of his boss, then the hook is set. Being there are no hypertext links in the emails they get through spam filters.

The follow-up email would contain target bank account information for the EFT. Typically money to these accounts is swept out quickly to another account or series of accounts. This prevents the victim from reversing the transaction.

Twinstate Technologies® has worked forensically on this type of fraud for amounts approaching $500,000 although there have been very many for much larger amounts. Cybercrimes are the largest crimes worldwide, far outpacing illegal drugs and illegal arms trades. And this is one of the largest cybercrimes out there.

Prevention begins with user training. Most businesses’ train their employees to be on the lookout for suspicious emails and to not click on hypertext links unless they are from a known user. As stated above, these fraud emails don’t have links. They also usually are configured to look as if they come from a known company inside or outside the target company, this means the users need to look very closely.

Email header info shows the irregularities but most non-technical people don’t know what to look for or where to look. In Outlook you would open the email, click File, click Info, then click Properties. The “Internet Headers” section is where you would investigate the validity of the email.

Users are the weak link in the whole prevention process. Think of target in the FBI example above, Samuel Haun. Could Sam be a new employee or an employee that is overworked and rushing to get things done? Could he also be someone that is too timid to question his boss? This is the human element that needs to be trained and reinforced so that they need to, and are empowered to question these emails.

The better way, and it removes the human element, is to prevent the email from even reaching your employees. We use a product that has Targeted Threat Protection and has an Impersonation Protect feature. This allows us to program a cyber barrier around your organization with even more specific barriers that may differ depending on the department the email is addressed to.

This product looks for malware-less (bad hypertext links, infected files, etc.) social engineering attacks such as CFO fraud, whaling, business email compromise/impersonation, and W-2 Fraud. It is a constantly learning platform that looks for newly observed domains used in attacks, among a host of other flags.

Installation, programming, and real-time updates are the key to any cybersecurity application. As an example, we recently took over another customer that had a state of the art perimeter protection device. This was installed by another company and the settings were basically “any to any”. This means any traffic in is allowed as well as any traffic out. Zero protection! On top of this, they programmed no web filtering parameters. What this boils down to is the customer bought a great device yet the supposed cybersecurity company that installed it failed both the customer and the product. That customer was poised for a breach and they would have probably blamed the “ABC Firewall” instead of the cybersecurity company.

In closing keep cybersecurity on your to-do list, and review your setup at least quarterly. This is a constantly evolving threat so countermeasures need to be constantly evolving as well.

Clark Currier

V.P. Operations

Twinstate Technologies®.