Connect with us

Hi, what are you looking for?



Phishing Attacks Hit the C-Suite With High Value Scams

Any information security professional knows that spear-phishing is effective. Cloudmark calls it “The Secret Weapon Behind the Worst Cyber Attacks”, and lists 10 recent major breaches, from Target to OPM, that started with a successful spear-phish.

Any information security professional knows that spear-phishing is effective. Cloudmark calls it “The Secret Weapon Behind the Worst Cyber Attacks”, and lists 10 recent major breaches, from Target to OPM, that started with a successful spear-phish.

Recent months have seen a rise in a spear-phish derivative, which we could describe as the CEO fraud phish. Like spear-phishing it uses social engineering to trick CEOs or other senior executives into doing something they should not.

Two examples of CEO frauds come with the recent W-2 spear-phishing scams, and what the FBI calls the Business E-Mail Scam (BEC). For the former, Cloudmark’s Tom Landesman has compiled a list of 55 companies that were taken in by the W-2 attacks, and comments, “It’s likely that even more have been compromised, but have not come forward.”

The W-2 attack forges an email from the CEO to HR or Finance saying, for example, “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.” When the recipient responds with the ‘Reply’ option, the attachments are sent to the attacker.

By its nature, this attack is concentrated in the months preceding the country’s tax season. It has tailed off in the US, but will be back next year.

The BEC fraud uses a similarly forged email, apparently from the CEO or other senior executive, but this time instructing that money be transferred abroad. 

One recently publicized example involves a Mattel finance officer sending over $3 million to the Bank of Wenzhou, in China. In January the BBC warned that the “fraude au president” is widespread across France. 

Advertisement. Scroll to continue reading.

In an alert issued this month, the FBI quantified the success of this scam: more than 17,000 victims and $2.3 billion dollars lost between October 2003 and February 2016. There has been a 270% increase in the last year alone.

The FBI advises people instructed to send money out of the company should “Pick up the phone and verify legitimate business partners;” that is, insist on some form of out-of-band verification.

Nevertheless, CEO frauds are even more successful than spear-phishing. There are probably two major reasons: firstly, few companies deliver security awareness training (such as simulated phishing attacks) against their own C-suite; and secondly, many senior executives still don’t believe that security is their personal concern.

The problem for companies is that it is difficult to automate the detection of spear-phishing based on social engineering. Standard phishing can be handled by a combination of IP reputation lists such as that from Spamhaus, and bad domain lists such as that from SURBL – but reputation lists are less effective against individually crafted, well-written targeted attacks.

Nevertheless, algorithms are being developed that will scan emails and make a judgment on whether it is likely to be spear-phishing. Mounil Patel, Vice President, Strategic Field Engagement at Mimecast, describes Impersonation Protect: it “is designed to stop whaling attacks by identifying combinations of key indicators of attack (IOA) in an email to determine if the content is likely to be suspicious, even in the absence of a URL or attachment. It uses new algorithms to measure and compare a range of identifiers, such as specific keywords within the email, to provide a probability score that a target email is either safe or malicious.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Fraud & Identity Theft

Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer.  At the time of his death, he was Chief Hacking Officer at...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.


Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...