CEO to CFO phishing scams are on the rise. Here’s one we caught in the act.

Author: Valimail

Don’t get caught like this fish. Photo: Lunar Wrasse via photopin.

There has been a lot of coverage in the media recently about spear phishing and the ‘CEO to CFO’ scam, and for good reason. Phishing attacks have been distressingly common for some time, and they appear to be getting worse. For a sampler, just check out security expert Brian Krebs’ many stories of executives being duped by fake emails.

These attacks rely on the scammers using your exact domain to create fake email messages that look like they originate from within your company. They can often get away with this because many email systems don’t verify whether the sender is actually authorized to use that domain or not.

DMARC, when in enforcement mode, stops this cold.

Just recently Valimail saw an example of a spear phishing email sent to one of our customers. The CFO found it in her spam folder. As you can see below, the language is a bit stilted, so she probably could have identified it as a suspicious message if she was reading carefully. But it is easy to be fooled in the rush of daily activities. And anyway, do you want your CFO worrying about the authenticity of every email? Or do you want her focusing on the company’s finances?

Ditto for people in HR: The IRS recently warned payroll and HR departments to be alert for W2 scams, where the CEO appears to be sending a request for employees’ W2 tax forms, which the attackers then use in a variety of ways, such as filing fraudulent tax returns. But why should HR people be spending their time trying to establish the authenticity of emails they receive?

For our customer, there was never any question of being fooled, since DMARC caused it to go to the spam folder. But the fact that the CFO could see it at all (by looking through her spam folder) was enough to make the security team move to p=reject, which means that future messages that fail authentication like this will be deleted outright. (Note: for more on DMARC configuration and p=reject, see our DMARC FAQ.) There is now no chance at all that this company will be caught out by attackers spoofing their domains.

Happy Authenticating!

— — — — — Forwarded message — — — — —
From: John Smith < ceo@company.com>
To: < cfo@company.com>
Cc:
Date: Wed, 2 Mar 2016 08:25:03 -0800
Subject: Att: John
John

Kindly confirm how soon you can initiate an urgent bank transfer today, let me know when you can so that i can send the beneficiary’s details.
Regards,
—

Jane Doe

— — — — — Forwarded message — — — — —
From: John Smith < ceo@company.com>
To: < cfo@company.com>
Cc:
Date: Wed, 2 Mar 2016 08:12:37 -0800
Subject: Att: John

John

Confirm the receipt of this message if you are on seat , i want you to
process a payment before cut off time today.

Regards,
—
Jane Doe

Back to blog

Published March 18, 2016

Author: Valimail

Valimail is the global leader in zero-trust email security. The company’s full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance; they are used by organizations ranging from neighborhood shops to some of the world's largest organizations, including Uber, Splunk, Yelp, Fannie Mae, Mercedes Benz USA, and the U.S. Federal Aviation Administration. Valimail is the fastest growing DMARC solution, with the most domains at DMARC enforcement, and is the premier DMARC partner for Microsoft 365 environments. For more information visit www.valimail.com.

CEO to CFO phishing scams are on the rise. Here’s one we caught in the act.

Resources

Latest news

Press releases