OK, Heads-up! Here is the deal. The FBI and the Internet Crime Complaint Center (IC3) two days ago warned about a new version of a man-in-the-middle scam that targets your CEO, CTO, CFO, and/or Controller. I would send these people a link to this blog post immediately. Better safe than sorry.
The FBI calls it the "Business E-Mail Compromise" (BEC), and this is the scam: Your C-level exec receives a business email from an existing, well-known vendor who request a wire transfer to a specific bank account. The email looks legit, it comes from a known, trusted business associate, and is about a recent delivery or transaction.
And the whole thing is bogus. The bad guys have penetrated your network and have been monitoring and studying what went on for considerable time, because they can accurately identify the individuals and protocols to perform wire transfers within your specific business environment. The last 14 months there were 1198 victims in the U.S with a total loss of 180 million dollars. The wire transfers get rapidly forwarded and usually wind up at banks in Hong Kong so you are dealing with the Chinese cyber mafia here.
The FBI said: "Victims may also first receive “phishing” e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc.) Some victims reported being a victim of various scareware or ransomware cyber intrusions, immediately preceding a BEC scam request."
It looks to be fairly obvious what goes on. Initial phishing emails and/or ransomware attacks drop keyloggers and trojans on the workstation of an employee. With these credentials they tunnel into the network and put keyloggers on C-level exec workstations. After studying the traffic, the bad guys craft an email that is carefully spoofed to look as legit as possible. There are a few different versions of this scam which the IC3.gov site specifies, link in Point 3.
What you can do about it:
- Alert your execs. These scams are getting more sophisticated by the month and be on the lookout.
- Grab this Social Engineering Red Flags PDF, print and laminate it, and give it to your C-level execs. (free)
- Read the IC3 Alert in full, and apply their Suggestions For Protection.
Obviously all your employees need to be stepped through effective security awareness training to prevent social engineering attacks like this from getting through. Find out how affordable this is for your organization today.