Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Big Bad BEC

    CEOFraud-1A Chinese venture capital firm was scammed out of $1 million in a noteworthy BEC (Business Email Compromise, or CEO fraud) scam, CyberScoop reports. The million dollars was supposed to be seed funding for an Israeli startup the venture capital firm was investing in. The VC firm didn’t realize what had happened until the startup called them on the phone to say it hadn’t received the money.

    Cybersecurity company Check Point, which the Israeli startup hired to investigate the matter, found that this wasn’t a typical business email compromise attack. The scammers did compromise an email account at one of the companies, but they didn’t use this account to carry out the scam. Rather, once they saw an email discussing the upcoming investment, they registered two domains that closely imitated the domains used by the two companies.

    Then, they sent two emails—one to each company—from these spoofed domains. The Israeli startup received an email from the domain spoofing the Chinese VC firm, while the VC firm received an email from the domain imitating the Israeli startup. These emails contained the same content as the real thread discussing the investment. Both companies failed to notice that the domains were off by one letter, and they continued communicating without realizing that all their emails were being sent to the attacker-controlled domains.

    The attackers would receive each email, edit it if necessary, and then forward it on to its intended destination. This technique gave the attackers complete control over both sides of the conversation. They even cancelled an in-person meeting between the Israeli CEO and an employee at the VC firm by coming up with excuses for why both sides had to cancel.

    This was an exceptionally crafty scam, and most people probably wouldn’t believe an attacker would be able to pull it off. New-school security awareness training can teach your employees to never underestimate scammers, and to always verify the legitimacy of a conversation before taking action.

    CyberScoop has the story: https://www.cyberscoop.com/bec-venture-heist-check-point-technologies/

     

    Return To KnowBe4 Security Blog

    Can hackers spoof an email address of your own domain?

    DSTAre you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.

    Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

    Find out now if your domain can be spoofed. The Domain Spoof Test (DST) is a one-time free service. Run this test so you can address any mail server configuration issues that are found.

    Try To Spoof Me!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/domain-spoof-test/

    Topics: CEO Fraud

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews