Near-flawless Social Engineering attack spoiled by single flaw

Steve Ragan at CSO has a great story about a CEO Fraud social engineering attack that was caught just in time because the employees were given effective security awareness training. This is a great read and please share this with your co-workers and colleagues.

"A reader recently shared an email that was sent to their comptroller, which by all accounts was a near-perfect social engineering attempt. However, awareness training, combined with full executive support to question any suspect request, prevented what could've been a massive financial hit to the organization. The email, which was addressed to the comptroller from an account that (at a glance) belongs to the CEO, is itself similar to prior communications she had gotten from him.

The email mirrors the organization's Outlook template, uses the CEO's image, even the clip and tone of the message itself looks normal. There are spelling errors, and formatting issues, but again these are expected in quick communications and rather common during day-to-day operations. The message sent to the comptroller, complete with errors, is as follows:

It almost worked. The comptroller was set to comply with instructions, but there was something off about the email; a little thing really – but it stood out. It was signed using the CEO's full name. The CEO never uses his real name, always the shortened version of it – i.e. Dick instead of Richard.

Awareness training is a constant within the reader's organization. No matter what, employees are encouraged to report anything and everything if they have even the slightest bit of doubt.

As such, anyone within the organization is allowed to ignore an executive's request and report it to the security team for verification. In this case, because the organization has ties to a number of critical markets and industries, a scam such as this could be disastrous.

Because the name was different, the comptroller felt the request should be verified and flagged. It was the right call. For the record, this wasn't a training email. It was a real attack, and it was nearly successful. The only thing that prevented it was awareness and encouragement.

The attack presented here happened within the last 30-days. It's possible other firms working in and around the financial industry have gotten similar messages, so the reader felt that sounding the alarm and sharing this incident with the public was worthwhile."

Hat Tip to the people at Salted Hash!  Additional Note: Salted Hash is happy to signal boost and help spread awareness on Phishing, Social Engineering, or other targeted attacks similar to this one. Feel free to contact Steve Ragan or any other editorial staff member on CSO for assistance.]


Related Pages: Social Engineering

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews