Leoni AG, a German firm that is one of the world’s largest manufacturers of wires and electrical cables, recently announced that it lost nearly $45 million as a result of an email spoof scam. According to investigators, thieves spoofed emails so they would appear as official payment requests.
The email spoof took place on August 12 and the firm announced the incident on August 16. In the wake of this announcement, the firm’s shares fell between five and seven percent.
Leoni CFO was the Target of Email Spoof
While the incident occurred a couple of weeks ago, new details are just now beginning to emerge and shed light on how a theft of this magnitude took place.
Authorities reported that a CFO at Leoni’s Bistrita factory in Romania received a spoofed email that appeared to have been sent by one of the organization’s top German executives. According to Softpedia, the thieves scouted Leoni in advance to determine the most effective method of attack:
“Investigators say the email was crafted in such a way to take into account Leoni’s internal procedures for approving and transferring funds. This detail shows that attackers scouted the firm in advance.
The Bistrita factory was not chosen at random either. Leoni has four factories in Romania, and the Bistrita branch is the only one authorized to make money transfers.”
It is still unknown who is behind the attack, but according to Adevărul, it is possible the stolen funds were sent to an account in the Czech Republic.
What is CEO Fraud?
An email spoof attack can take a number of forms. One of them is CEO fraud, as in the Leoni case, where the organization’s CFO was the victim: an employee with authority over payments or sensitive records is tricked into believing that a trusted executive is asking for money or company data. Fraudulent wire transfers and requests for employees’ W-2 tax forms are two favorite objectives.
CEO fraud typically begins in one of two ways: the thief phishes an executive and gains access to their inbox, or the thief emails the target from a look-alike domain that closely resembles the organization’s real one. For example, if an organization’s domain is “mice-360.com”, the thieves might register “mice-36O.com”, replacing the digit “0” with the capital letter “O”. The two are hard to tell apart on screen, and since domain names are case-insensitive the registered name is simply mice-36o.com, a separate domain the attacker owns and can send mail from freely.
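The look-alike trick can be checked mechanically before a human ever sees the message. The Python below is an added example written for this article, not code from Leoni, Softpedia or Mice 360. It takes a From header (and optionally a Reply-To), unifies glyphs that read alike (0/o, 1/l, rn/m, vv/w), and flags a sending domain that collapses to one of the organization’s own domains, a domain within two edits of one, a display name that shows an internal address while the real address is elsewhere, and a Reply-To domain that differs from the sender. The organization domains, the confusable table and the sample headers are all constructed for the example.

```python
import re
from email.utils import parseaddr
from typing import Optional

# Domains the organization legitimately sends from (constructed for this example).
ORG_DOMAINS = ("mice-360.com", "leoni.com")

# Glyph pairs that read alike in common UI fonts, mapped to one canonical form.
# Domain names are case-insensitive, so the attacker's "mice-36O.com" is really
# the separate domain mice-36o.com; the trick works on the reader's eye, not on DNS.
CONFUSABLES = {"0": "o", "1": "l", "|": "l", "rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Collapse a domain to a 'skeleton' in which confusable glyphs are unified,
    so a look-alike and the genuine name map to the same string."""
    s = domain.lower()
    for multi in ("rn", "vv"):            # two-letter confusables first
        s = s.replace(multi, CONFUSABLES[multi])
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for catching typo-squats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header: str) -> str:
    """Domain part of the address in a From or Reply-To header, lower-cased."""
    _, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, reply_to: Optional[str] = None) -> dict:
    """Return the sending domain and a list of flags. An empty flag list means
    the address is neither internal nor similar to an internal domain."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain in ORG_DOMAINS:
        # Looks internal. Whether it really came from the organization is a job
        # for SPF/DKIM/DMARC on the receiving server, not for a string check.
        flags.append("internal")
    else:
        for org in ORG_DOMAINS:
            if skeleton(domain) == skeleton(org):
                flags.append("homoglyph-of:" + org)
            elif edit_distance(domain, org) <= 2:
                flags.append("near-match:" + org)
        # Display name shows an internal address while the real address is elsewhere,
        # e.g. "cfo@mice-360.com" <payments@webmail.example>
        claimed = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
        if claimed and claimed.group(1).lower() in ORG_DOMAINS:
            flags.append("display-name-spoof")
    if reply_to:
        rt_domain = sender_domain(reply_to)
        if rt_domain and rt_domain != domain:
            flags.append("reply-to-mismatch:" + rt_domain)
    return {"address": addr, "domain": domain, "flags": flags}


if __name__ == "__main__":
    # Constructed sample headers, modelled on the mice-360.com example in the text.
    for hdr, rt in [
        ("Klaus Mueller <cfo@mice-360.com>", None),
        ("Klaus Mueller <cfo@mice-36O.com>", None),
        ("Klaus Mueller <cfo@mice-360.co>", None),
        ('"cfo@mice-360.com" <payments@webmail.example>', "finance@other.example"),
    ]:
        print(hdr, "->", classify_sender(hdr, rt)["flags"])
```

The “internal” flag is deliberately not a pass: a message whose From address uses the organization’s exact domain can still be forged, and deciding that is what SPF, DKIM and DMARC on the receiving server are for. The string checks here are for the cases those protocols do not cover, namely domains the attacker registered themselves.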
In addition, the crooks behind CEO fraud take time to truly understand the target of the attack. This can be done by scraping employee email addresses or gathering additional information from the target organization’s website in order to make the spoofed email more convincing. As a bonus, targeting one individual rather than blanketing an organization with mass emails avoids setting off the organization’s spam filters.
While an email spoof attack might appear less sophisticated than other means of attack, that is not exactly the case. Email spoof attacks are often able to sidestep an organization’s basic security controls, and the crooks end up tricking executives into doing the dirty work of authorizing the transfers for them.
In fact, email spoof attacks have become so successful that the FBI recently issued a warning. According to an article posted on Krebs on Security:
The FBI estimates email spoof scams have cost organizations more than $2.3 billion in losses over the past three years. In addition, the FBI reported that since January of 2015, they have seen a 270 percent increase in identified victims and exposed losses from CEO scams.
How can Email Spoof attacks be prevented?
Often organizations will look to training as the first line of defense against phishing or email spoof attacks. Unfortunately, research shows that trying to train employees to suspect any emails they receive from colleagues could have a negative impact on morale and productivity.
“Moreover, while sending employees fake spear phishing messages from spoofed colleagues and bosses may increase their security awareness, it is also quite likely to have negative consequences in an organization. People’s work effectiveness may decrease, as they will have to be suspicious of practically every message they receive. This may also seriously hamper social relationships within the organization, promoting the atmosphere of distrust. Thus, organizations need to carefully assess all pros and cons of increasing security awareness against spear phishing. In the long run, relying on technical in-depth defense may be a better solution, and more research and evidence is needed to determine the feasible level of defense that the non-expert users are able to achieve through security education and training.”
While employee training does not appear to offer the best protection, Phil Reitinger, CEO of the Global Cyber Alliance, told FedScoop that “raising user awareness has a variety of positive effects,” but also cautioned that it is not a solution, except to the “low-hanging fruit” of commodity phishing: the easily detectable fake mail that purports to come from FedEx or another well-known company and usually ends up in a user’s junk folder.
For a true solution, Reitinger told FedScoop, “The right answer is defense in depth.” He discussed DMARC and DNS Response Policy Zones as two options currently available to organizations looking to protect themselves from phishing or an email spoof attack.
DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM. The domain owner publishes a policy in DNS that tells receiving mail servers what to do with a message whose From address uses the domain but which passes neither an SPF nor a DKIM check aligned with that domain (monitor only, quarantine, or reject), and where to send aggregate reports about such messages. This stops others from sending mail that claims to be from the organization’s exact domain; it does not cover look-alike domains such as the “mice-36O.com” example above, which the attacker controls and can authenticate for themselves. DNS Response Policy Zones (RPZ) work on the resolver side: the owner of a DNS server loads a zone listing known malicious domains, drawn from current threat intelligence, and the resolver then refuses to resolve those names (or redirects them), so links to them in a phishing email cannot be reached from inside the network. Because the block list is a DNS zone, it can be updated as new threat intelligence arrives without changing the resolver software itself.
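DMARC in concrete terms: a receiving server fetches the TXT record at _dmarc.&lt;From-domain&gt;, checks whether SPF or DKIM passed for a domain that aligns with the From domain, and otherwise applies the published policy. The Python below is an added example written for this article, not code from the Global Cyber Alliance or Mice 360, and it reduces that decision to its core. The DMARC records, domains and authentication results are constructed inputs, and the organizational-domain rule is simplified to the last two labels (a real receiver uses the Public Suffix List). The last scenario shows the caveat from the text: a look-alike domain the attacker registered has its own DMARC record, so DMARC alone does not stop it.

```python
from typing import Optional, Tuple

# Constructed DMARC records for the example (a receiver would fetch them from the
# TXT record at _dmarc.<domain>; none of these is a real published policy).
MICE_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@mice-360.com"
LOOKALIKE_RECORD = "v=DMARC1; p=none"   # what an attacker might publish for mice-36o.com


def parse_dmarc(record: str) -> dict:
    """Parse the tag=value list of a DMARC record and fill in the defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")      # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment mode
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to the domain policy
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplified here (assumption of this example) to the
    last two labels; real receivers consult the Public Suffix List so that
    'mail.example.co.uk' yields 'example.co.uk'."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment between the visible From domain and the domain that
    SPF (MAIL FROM) or DKIM (d= tag) actually authenticated."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_result: str = "none", spf_domain: Optional[str] = None,
                   dkim_result: str = "none", dkim_domain: Optional[str] = None
                   ) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    DMARC passes if at least one of SPF or DKIM passed *and* its authenticated
    domain aligns with the From domain; otherwise the published policy applies
    (p= for the domain itself, sp= for its subdomains)."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return "fail", policy["sp"] if is_subdomain else policy["p"]


if __name__ == "__main__":
    cases = [
        # genuine mail: a bounce subdomain passes SPF and relaxed alignment accepts it
        ("genuine", MICE_RECORD, "mice-360.com",
         dict(spf_result="pass", spf_domain="bounce.mice-360.com")),
        # exact-domain spoof from the attacker's own server: SPF passes for their
        # domain, but it is not aligned, so the reject policy applies
        ("exact spoof", MICE_RECORD, "mice-360.com",
         dict(spf_result="pass", spf_domain="attacker.example")),
        # unauthenticated mail claiming a subdomain hits sp= instead of p=
        ("subdomain spoof", MICE_RECORD, "news.mice-360.com", {}),
        # look-alike domain: the attacker publishes their own record and passes
        ("look-alike", LOOKALIKE_RECORD, "mice-36O.com",
         dict(spf_result="pass", spf_domain="mice-36o.com")),
    ]
    for label, record, from_domain, auth in cases:
        print("%-16s %s" % (label, evaluate_dmarc(record, from_domain, **auth)))
```

Two things follow from the scenarios. A p=reject record only has teeth once every legitimate sending path (marketing platforms, ticketing systems, the bounce subdomain) is authenticated and aligned, which is why the aggregate reports requested with rua= come first and the policy is tightened afterwards. And the look-alike case is exactly the gap that sender-side checks such as the one in the earlier example, or user-facing warnings, have to fill.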
The Mice 360 security platform is another option for organizations looking to protect themselves against email spoof scams. The Mice 360 system works by scanning every email to confirm a digital signature and providing the recipient with a warning if the sender and email address are mismatched. This alert informs the recipient that the email is suspicious and should be treated accordingly.
To learn more about how Mice 360 can protect your organization against phishing or an email spoof attack, contact us today.