Mar 18, 2017

CEO to CFO phishing scams are on the rise. Here’s one we caught in the act

Using sender identity to stop phishing

There has been a lot of coverage in the media recently about spear phishing and the ‘CEO to CFO’ scam, and for good reason. Phishing attacks have been distressingly common for some time, and they appear to be getting worse. For a sampler, just check out security expert Brian Krebs’ many stories of executives being duped by fake emails.

These attacks rely on the scammers using your exact domain to create fake email messages that look like they originate from within your company. They can often get away with this because many email systems don’t verify whether the sender is actually authorized to use that domain or not.

DMARC, when in enforcement mode, stops this cold.

Just recently ValiMail saw an example of a spear phishing email sent to one of our customers. The CFO found it in her spam folder. As you can see below, the language is a bit stilted, so she probably could have identified it as a suspicious message had she been reading carefully. But it is easy to be fooled in the rush of daily activities. And anyway, do you want your CFO worrying about the authenticity of every email? Or do you want her focusing on the company’s finances?

Ditto for people in HR: The IRS recently warned payroll and HR departments to be alert for W2 scams, where the CEO appears to be sending a request for employees’ W2 tax forms, which the attackers then use in a variety of ways, such as filing fraudulent tax returns. But why should HR people be spending their time trying to establish the authenticity of emails they receive?

For our customer, there was never any question of being fooled, since DMARC caused the message to go to the spam folder. But the fact that the CFO could see it at all (by looking through her spam folder) was enough to make the security team move to p=reject, which means that future messages that fail authentication like this will be rejected outright rather than delivered to a spam folder. (Note: for more on DMARC configuration and p=reject, see our DMARC FAQ.) There is now no chance at all that this company will be caught out by attackers spoofing its domain.
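The receiver-side decision the post describes (an aligned SPF or DKIM pass lets the message through; otherwise the domain owner's p= policy decides), as an added Python illustration that is not ValiMail's code. The DMARC records, domains and authentication results it feeds in are constructed, and the organizational-domain helper is a simplification of the Public Suffix List lookup real receivers perform.

```python
# Minimal DMARC disposition logic in the spirit of RFC 7489, added as an illustration
# (not ValiMail's code). All records, domains and auth results below are constructed.

def parse_dmarc(record: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption: real receivers
    consult the Public Suffix List so that e.g. 'example.co.uk' is handled correctly)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record: str, from_domain: str, spf: tuple, dkim: tuple) -> str:
    """Disposition for one message. from_domain is the RFC5322.From domain (what the CFO
    sees); spf = (result, envelope-from domain); dkim = (result, d= domain)."""
    policy = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy["adkim"])
    if spf_ok or dkim_ok:
        return "deliver"  # DMARC pass: an aligned, authenticated identifier vouches for From
    # DMARC fail: the domain owner's published policy decides what the receiver does.
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]

if __name__ == "__main__":
    # Spoofed CEO mail: From says company.com, but it came through the attacker's own server,
    # so SPF passes only for an unrelated domain and there is no DKIM signature at all.
    spoof = dict(from_domain="company.com", spf=("pass", "spoofer.example"), dkim=("none", ""))
    print(evaluate("v=DMARC1; p=quarantine", **spoof))  # quarantine -> spam folder, as in the post
    print(evaluate("v=DMARC1; p=reject", **spoof))      # reject -> never reaches the mailbox
```

Note that a p=none record lets the same spoof through to the inbox: monitoring mode reports but does not protect, which is why the post insists on enforcement.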

Happy Authenticating!

---------- Forwarded message ----------
From: John Smith <ceo@company.com>
To: <cfo@company.com>
Cc:
Date: Wed, 2 Mar 2016 08:25:03 -0800
Subject: Att: John

John

Kindly confirm how soon you can initiate an urgent bank transfer today, let me know when you can so that i can send the beneficiary’s details.
Regards,

Jane Doe
---------- Forwarded message ----------
From: John Smith <ceo@company.com>
To: <cfo@company.com>
Cc:
Date: Wed, 2 Mar 2016 08:12:37 -0800
Subject: Att: John

John
Confirm the receipt of this message if you are on seat , i want you to
process a payment before cut off time today.
Regards,

Jane Doe
