
CEO Fraud

CEO fraud, also known as business email compromise, is a $26 billion scam according to the FBI. Find out how you can prevent this type of attack and what to do if you become a victim.


What is CEO fraud?

CEO fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives to try to fool an employee in accounting or HR into executing unauthorized wire transfers or sending out confidential tax information.

The FBI calls this type of scam "Business Email Compromise" and defines BEC as "a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds."

According to FBI statistics, CEO fraud is now a $26 billion scam. Between May 2018 and July 2019, there was a 100% increase in identified global exposed losses. The scam has been reported in all 50 states and in 150 countries. Victim complaints filed with the IC3 and financial sources indicate that fraudulent transfers have been sent to banks in approximately 140 countries.


Four attack vectors

Understanding the different attack vectors for this type of crime is key to prevention. This is how the bad guys do it:

1. Phishing

Phishing emails are sent to large numbers of users simultaneously in an attempt to "fish" for sensitive information by posing as reputable sources, often with legitimate-looking logos attached. Banks, credit card providers, delivery companies, law enforcement and the IRS are a few common ones. A phishing campaign blasts emails out to huge numbers of users. Most go to people who don't use that bank, for example, but by sheer weight of numbers the emails reach a certain percentage of likely candidates.

2. Spear phishing

This is a more focused form of phishing. The cybercriminal has either studied up on the group or gleaned data from social media sites to con users. A spear-phishing email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included, perhaps the person's name or the name of a client.

3. Executive whaling

Here the bad guys target top executives and administrators, typically to siphon money from accounts or steal confidential data. Personalization and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.

4. Social engineering

In a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel, including their contact information, connections, friends, ongoing business deals and more.

Can hackers spoof email addresses on your own domain?

Did you know that one of the first things hackers try is to see whether they can spoof your CEO's email address? If they can, "CEO fraud" becomes like taking candy from a baby: they can launch a CEO-fraud spear-phishing attack against your organization that is very hard to defend against unless your users have had a high degree of security awareness training. Whether your exact domain can be spoofed is determined largely by the SPF, DKIM and DMARC records you publish; without an enforcing DMARC policy (p=quarantine or p=reject), a receiving mail server has no instruction to reject mail that fakes your From address.
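The following is an added example, not code from the original page: it judges from a domain's SPF and DMARC TXT records whether mail forging that domain's exact From address will be accepted. The domain names (weak.example, strong.example, bare.example) and their TXT records are constructed stand-ins for a live DNS lookup.

```python
"""Assess whether a domain's exact From address can be spoofed, judged from its
SPF and DMARC TXT records.  Added example; DNS answers below are constructed."""
import re

# Constructed TXT answers for hypothetical domains (stand-in for real DNS lookups).
TXT_RECORDS = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; pct=100; adkim=s; aspf=s"],
    "bare.example": [],
}


def lookup_txt(name):
    """Return the TXT strings for a name.  Swap in dns.resolver for live checks."""
    return TXT_RECORDS.get(name, [])


def spf_all_qualifier(records):
    """Qualifier on the SPF 'all' mechanism: '-' fail, '~' softfail, '?' neutral, '+' pass.
    Returns None when there is no SPF record at all."""
    spf = next((r for r in records if r.lower().startswith("v=spf1")), None)
    if spf is None:
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    if not m:
        return "?"                       # no 'all' mechanism: unmatched senders are neutral
    return m.group(1) or "+"


def dmarc_tags(records):
    """Parse 'v=DMARC1; p=...; pct=...' into a dict, or None if there is no record."""
    rec = next((r for r in records if r.upper().startswith("V=DMARC1")), None)
    if rec is None:
        return None
    tags = {}
    for part in rec.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain):
    """Return a verdict plus the findings that explain it."""
    findings = []
    spf_q = spf_all_qualifier(lookup_txt(domain))
    if spf_q is None:
        findings.append("no SPF record")
    elif spf_q != "-":
        findings.append(f"SPF ends in {spf_q}all: unauthorised senders are not hard-failed")

    dmarc = dmarc_tags(lookup_txt("_dmarc." + domain))
    policy, pct = None, 0
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: failures are only reported, never blocked")
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: only part of the failing mail is enforced")

    # SPF alone checks the envelope sender, not the visible From header, so the
    # exact From domain is protected only when DMARC is at quarantine/reject.
    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"domain": domain, "spf_all": spf_q, "dmarc_policy": policy,
            "verdict": "protected" if enforced else "spoofable", "findings": findings}


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "bare.example"):
        print(assess(d))
```

A "protected" verdict only means the exact domain is covered at receivers that evaluate DMARC; lookalike domains (tilllage vs tillage) are a separate problem that no DNS record of yours can solve, and a compromised mailbox passes every one of these checks.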



Five common attack scenarios

  1. Businesses working with foreign suppliers: this scam takes advantage of a long-standing wire-transfer relationship with a supplier, but asks for the money to be sent to a different account.
  2. Businesses receiving or initiating wire-transfer requests: by compromising and/or spoofing an executive's email account, another employee receives a message asking for funds to be transferred somewhere, or a financial institution receives a request from the company to send funds to another account. These requests appear genuine because they come from the correct email address.
  3. Business contacts receiving fraudulent correspondence: by taking over an employee's email account and sending invoices to the company's suppliers, money is diverted into fraudulent accounts.
  4. Executive and attorney impersonation: the fraudsters pretend to be lawyers or executives dealing with confidential and time-sensitive matters.
  5. Data theft: fraudulent emails request either all wage and tax statement (W-2) forms or a company list of personally identifiable information (PII). These come from compromised and/or spoofed executive email accounts and are sent to the HR, accounting or auditing department.

Targets of CEO fraud

The CEO is not always the criminal's target. Four other groups of employees are considered valuable targets given their roles and their access to funds and information:

Finance

The finance department is especially vulnerable in companies that regularly make large wire transfers. Often, sloppy internal policies demand nothing more than an email from the CEO or another senior person to initiate a transfer. Cybercriminals usually gain entry via phishing, spend a few months doing reconnaissance, and formulate a plan. They mirror the usual wire-transfer authorization protocol, hijack a relevant email account, and send the request to the appropriate person in finance to transmit the funds. As well as the CFO, this might be anyone in accounts who is authorized to transfer funds.

HR

Human resources represents a wonderfully open highway into the modern enterprise. After all, it has access to everyone in the organization, manages the employee database, and is responsible for recruiting. A major function is opening résumés from thousands of potential applicants, so all the cybercriminals need to do is embed spyware in a résumé and they can surreptitiously begin their early data-gathering. In addition, W-2 and PII scams have become more common: HR receives requests from spoofed emails and ends up sending employee information such as social security numbers and employee email addresses to criminal organizations.

Executive team

Every member of the executive team can be considered a high-value target. Many have some kind of financial authority. If their email accounts are hacked, it generally gives cybercriminals access to all kinds of confidential information, not to mention intelligence on deals that may be in progress. Executive accounts must therefore receive particular attention from a security perspective.

IT

IT managers and IT staff with access-control, password-management and email-account privileges are further high-value targets. If their credentials are compromised, attackers gain entry to every part of the organization.






Board oversight and fiduciary duty

For a long time, virus and malware defense was regarded as a purely IT problem. Some organizations do appoint Chief Information Security Officers (CISOs), but information security is often viewed as a challenge that lies well below board or C-level attention.

The events of recent years have highlighted the danger of this viewpoint. With the FBI warning corporations that they are at risk, and so many high-profile victims in the news, organizations, led by their CEOs, must integrate cyber-risk management into day-to-day operations.

In addition, companies must take reasonable measures to prevent cyber incidents and mitigate the impact of inevitable breaches. The concept of acting "reasonably" is used in many state and federal laws in the United States, Australia and other countries. Blaming IT staff or employees is no defense. CEOs are responsible for restoring normal operations after a data breach and ensuring that company assets and the company's reputation are protected. Failing to do so risks legal action.

Let's put it in these terms: a cyber breach could potentially cause the loss of a bid on a large contract, damage intellectual property (IP) and cost revenue, to name just a few of the impacts. That places cybersecurity firmly at the top of the organizational chart, alongside every other form of corporate risk.

High-profile cases

January 2015: Xoom, internet money-transfer service, San Francisco, CA
  Lost: $30.8 million. Recovered: $0. Result: CFO resigned.

August 2015: Ubiquiti Networks, Silicon Valley computer networking company
  Lost: $46.7 million. Recovered: $15.0 million. Result: Unknown.

January 2016: FACC AG, Austrian aerospace company
  Lost: $50.0 million. Recovered: $10.9 million. Result: CEO and CFO fired.

April 2016: Unnamed US company
  Lost: $100.0 million. Recovered: $74.0 million. Result: The scam surfaced when the US government filed a lawsuit to recover $25 million.

April 2016: Schletter Group, global manufacturer, North American division
  Lost: W-2 information for 200 employees. Recovered: Nothing. Result: Employees filed a class action, and the court allowed them to seek treble damages from Schletter. Schletter has since filed for bankruptcy.

April 2016: Mattel, toy manufacturer, El Segundo, CA
  Lost: $3.0 million. Recovered: $3.0 million. Result: Luckily they caught the scam right away and were able to recover all of the money.

May 2016: Crelan Bank, Belgium
  Lost: $70.0 million. Recovered: $0. Result: The CEO claimed the bank remained viable and profitable.

May 2016: Castle Investment Group, Troy, Mich.
  Lost: $495,000. Recovered: $0. Result: The error was not discovered for 8 days, by which time the money was long gone.

August 2016: Leoni AG, cable manufacturer, Germany
  Lost: $44.0 million. Recovered: $0. Result: Unknown.

September 2016: SS&C Technologies Holdings, financial services software company, Windsor, CT
  Lost: $5.9 million. Recovered: Unknown. Result: The CEO was ousted and the company is facing a $10 million lawsuit by Tillage Commodities Fund, the company that lost the money.

November 2016: City of El Paso, Texas
  Lost: $3.1 million. Recovered: $1.9 million. Result: Unknown.

January 2017: Sedgwick County, Kansas
  Lost: $566,000. Recovered: Unknown. Result: Unknown.

January 2017: Campbell County Health, Wyoming
  Lost: Social security numbers of 1,457 employees. Recovered: Nothing. Result: Unknown.

March 2017: Facebook and Google
  Lost: $100 million. Recovered: "Most of it". Result: Unknown.

April 2017: Save the Children Foundation
  Lost: $997,400. Recovered: $885,784. Result: The scam went undiscovered for a month, so the cybercriminals got away with all of the money. The recovered funds came through the organization's insurer.

June 2017: Southern Oregon University
  Lost: $1.9 million. Recovered: $0. Result: Unknown.

July 2017: Gorbel, US manufacturing company
  Lost: $82,000. Recovered: None. Result: Unknown.

September 2017: MacEwan University, Edmonton, Canada
  Lost: $11.8 million (CAD). Recovered: Unknown. Result: Unknown.

September 2017: Japan Airlines
  Lost: $3.39 million. Recovered: $0. Result: Unknown.

December 2017: O'Neill, Bragg & Staffin, Pennsylvania law firm
  Lost: $580,000. Recovered: None. Result: Lost its lawsuit against Bank of America, in which it claimed the bank should have stopped the transaction. The firm has since closed permanently.

July 2018: City of Alamogordo, New Mexico
  Lost: $250,000. Recovered: None. Result: Unknown.

September 2018: Finnish investment company
  Lost: 3 million euros. Recovered: 3 million euros. Result: Unknown.

October 2018: Lake Ridge Schools, Lake County, Indiana
  Lost: $120,000. Recovered: None. Result: Unknown.

November 2018: Pathé, French cinema chain, film production and distribution company
  Lost: $21 million. Recovered: Unknown. Result: Managing director and CFO fired.

"People are used to having a technology solution [but] social engineering bypasses all technologies, including firewalls. Technology is critical, but we have to look at people and processes. Social engineering is a form of hacking that uses influence tactics." - Kevin Mitnick

The latest business email compromise scams

The bad guys are getting more creative, impersonating an executive in your organization and asking for financial reports, or asking employees in payroll to change bank account details. According to the FBI, their efforts have earned them an estimated $12 billion through business email compromise, also known as CEO fraud. Defending against these phishing attacks is possible by layering technical and non-technical controls.

Technology vs. the human firewall

Most risk-reduction efforts focus on technology. However, these technology safeguards must be backed by what is known as the human firewall. No matter how well the defense perimeter is designed, the bad guys will always find a way in. They know that employees are the weakest link in any IT system, so cybercriminals continue to rely on phishing and other tricks from the social engineering playbook. The following is the MINIMUM to have in place to protect yourself:

Technology

  • Antivirus
  • Intrusion detection/prevention
  • Firewalls
  • Email filters
  • Two-factor authentication
  • Weapons-grade backups

Human firewall

  • Employees are the weak link in any IT defense
  • Employees need regular education on cyber threats
  • Every user needs to be able to spot a phishing email from a mile away
  • Test users regularly with simulated phishing emails to keep them on their toes
  • New-school security awareness training is the way to manage the human firewall problem

Eight prevention measures

Many steps must dovetail closely together as part of an effective prevention program.

Start by identifying the employees most at risk: C-level executives, HR, accounting and IT staff. Strengthen controls and safeguards in these areas, including:

  • Review social/public profiles for job duties and descriptions, hierarchy information, out-of-office details, or any other sensitive company data
  • Identify any publicly available email addresses and lists of connections
  • Email filtering
  • Two-factor authentication
  • Automated enforcement of password and user ID policies
  • Comprehensive access and password management
  • Whitelisting or blacklisting of external traffic
  • Patch/update all IT and security systems
  • Manage access privileges for all employees
  • Review existing technical controls and act to fill any gaps

Every organization should set a security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should cover:

  • Not opening attachments or clicking links from unknown sources
  • No USB drives on office computers
  • Password management policy (no password reuse, no sticky-note password reminders on screens, etc.)
  • Security training for all employees
  • A review of the WiFi access policy, including contractors and partners if they need wireless access while on site

Have a fixed wire-transfer policy: it should never be possible for a cybercriminal to hijack a corporate email account and convince someone to transfer a large sum immediately. Policy should restrict such transactions to relatively small amounts; anything above that threshold must require further authorization. Because the request may come from the genuine executive mailbox, that authorization should be out of band (a call back to a number already on file, not one supplied in the email), and the same rule should apply to any change of a payee's bank details.

Confidential information: when it comes to IP or employee records, policy should define a chain of approval before such information is released.

IT should take appropriate measures:

  • Block sites known to spread ransomware
  • Keep software patches and virus signature files up to date
  • Carry out vulnerability scanning and self-assessment using best-practice frameworks such as US-CERT or SANS Institute guidelines
  • Conduct regular penetration tests on WiFi and other networks to see just how easy it is to gain entry
  • Domain spoof protection (publish SPF and DKIM records and enforce a DMARC policy)
  • Create intrusion detection system rules that flag emails whose sender domains are similar to the company's own domain

Recommended company procedures include:

  • Have employees learn and follow the security policy
  • Establish how executive leadership is to be informed about cyber threats and their resolution
  • Establish a schedule for testing the cyber-incident response plan
  • Register as many company domains as possible that differ only slightly from the actual company domain
  • Develop a comprehensive cyber-incident response plan and test it regularly, improving the plan based on the results
  • Executive leadership must be well informed about the current level of risk and its potential business impact
  • Management must know the volume and type of cyber incidents detected each week
  • Understand what information you need to protect: identify the corporate "crown jewels," how to protect them and who has access
  • Establish policy on the thresholds and types of incident that require reporting to management
  • Cyber risk MUST be added to existing risk management and governance processes
  • Gather best practices and industry standards and use them to review the existing cybersecurity program
  • Consider obtaining comprehensive cybersecurity insurance that covers various types of data breaches

*Note: Human error such as CEO fraud is normally NOT covered by cybersecurity insurance.

No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimizing the danger, so start here:

  • Train users in the basics of network and email security
  • Train users to identify and deal with phishing attacks with new-school security awareness training
  • Implement a reporting system for suspected phishing emails, such as a Phish Alert Button
  • Continue regular security training to keep it top of mind
  • Phish your own users regularly to keep them alert

The best training programs baseline click rates on phishing emails and use user education to bring that number down. But don't expect a 0% click rate. Good employee education can significantly reduce phishing success, but there will always be someone who isn't paying attention, is in a hurry that day, or is simply fooled by a very clever cybercriminal.

  • Run an initial phishing simulation campaign to establish a baseline percentage of users who are phish-prone
  • Continue simulated phishing attacks at least once a month, but twice is better
  • Once users learn that they will be tested regularly and that repeated failures have consequences, behavior changes. They develop a less trusting attitude and get much better at spotting a scam email
  • Randomize the email content and the times they are sent to different employees. When everyone gets the same thing, one employee spots it and pops up out of the cubicle to warn the others

Security awareness training should include teaching people to watch for red flags. Here are the most common ones:

  • Clumsy wording and spelling mistakes
  • Slight alterations of company names, such as Centriffy instead of Centrify or Tilllage instead of Tillage
  • Spoofed email addresses and URLs that are very close to actual corporate addresses but differ subtly
  • Sudden urgency or time-sensitive issues
  • Phrases such as "code to admin expenses," "urgent wire transfer," "urgent invoice payment" and "new account information" are often used, according to the FBI
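Two items above, the IDS rule for sender domains similar to the company's (under IT measures) and the "slight alterations of company names" red flag, come down to the same check. The following is an added example, not code from the original page: it generates the typosquat variants of a hypothetical company domain (tillage.example), scores near misses with an edit distance, and classifies a From address as internal, lookalike or external. The domain, the sample addresses and the homoglyph table are constructed for illustration.

```python
"""Flag sender domains that are lookalikes of the company's own domain, so an
email gateway or IDS rule can quarantine them.  Added example: the company
domain and the addresses below are constructed."""

COMPANY_DOMAIN = "tillage.example"   # hypothetical company domain

# Visually confusable substitutions commonly used in typosquats.
HOMOGLYPHS = {"l": "1I", "i": "l1", "o": "0", "e": "3", "a": "4",
              "rn": "m", "m": "rn", "vv": "w", "w": "vv"}


def registrable(domain):
    """Lowercase the domain and keep its last two labels.  Good enough for
    .com-style names; a public-suffix list is needed for co.uk and friends."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return ".".join(parts[-2:])


def typo_variants(label):
    """Generate the classic typosquat variants of one domain label."""
    out = set()
    for i in range(len(label)):                      # omission: tilage
        out.add(label[:i] + label[i + 1:])
    for i in range(len(label)):                      # repetition: tilllage
        out.add(label[:i] + label[i] + label[i:])
    for i in range(len(label) - 1):                  # transposition: tlilage
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for src, replacements in HOMOGLYPHS.items():     # homoglyphs: ti11age
        if src in label:
            for r in replacements:
                out.add(label.replace(src, r))
    out.discard(label)
    return out


def edit_distance(a, b):
    """Damerau-Levenshtein distance (optimal string alignment variant)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(from_addr, company=COMPANY_DOMAIN):
    """Return 'internal', 'lookalike' or 'external' for the domain of a From address."""
    full = from_addr.rsplit("@", 1)[-1].lower().strip().rstrip(".")
    sender, comp = registrable(full), registrable(company)
    if sender == comp:
        return "internal"                    # includes legitimate subdomains
    if comp in full:
        return "lookalike"                   # company domain buried under an attacker's domain
    if "." not in sender:
        return "external"
    s_label, s_tld = sender.split(".", 1)
    c_label, c_tld = comp.split(".", 1)
    if s_label == c_label and s_tld != c_tld:    # same name, different TLD
        return "lookalike"
    if s_label in typo_variants(c_label) or edit_distance(s_label, c_label) <= 2:
        return "lookalike"
    if c_label in s_label:                       # tillage-secure.example, tillagepayments.example
        return "lookalike"
    return "external"


if __name__ == "__main__":
    for addr in ("cfo@tillage.example", "cfo@tilllage.example", "cfo@ti11age.example",
                 "cfo@tillage.co", "cfo@tillage.example.evil.test",
                 "billing@supplier-portal.example"):
        print(f"{addr:40} {classify_sender(addr)}")
```

The edit-distance threshold of 2 will over-flag short labels (village vs tillage), so in production pair it with an allowlist of known partner domains and feed only the "lookalike" verdicts into a quarantine or warning-banner rule. The same variant generator doubles as the shopping list for the "register lookalike domains" procedure above.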


Ten steps for victims

Should an incident take place, there are immediate steps you need to take.

Contact your bank:

  • Notify them of the wire transfer
  • Give them full details of the amount, the destination account and any other pertinent details
  • Ask whether it is possible to recall the transfer

Talk to the bank's cybersecurity department: brief them on the incident and ask them to step in. They can contact their counterparts at the foreign bank to prevent the funds from being withdrawn or transferred elsewhere.

Contact law enforcement and give them all the facts related to the incident as soon as possible. In the U.S., the local FBI field office is the place to start. The FBI, working with the U.S. Department of the Treasury's Financial Crimes Enforcement Network, may be able to return or freeze the funds. When contacting law enforcement, identify your incident as "BEC", provide a brief description of the incident, and consider providing the following financial information:

  • Originator name
  • Originator location
  • Originating bank name
  • Originating bank account number
  • Recipient name
  • Recipient bank name
  • Recipient bank account number
  • Recipient bank location (if available)
  • Intermediary bank name (if available)
  • SWIFT number
  • Date
  • Amount of the transaction
  • Additional information (if available), including "FFC" (For Further Credit) and "FAV" (In Favor Of)

Visit the FBI's Internet Crime Complaint Center (IC3) at www.IC3.gov to file a complaint. Victims should always file a complaint regardless of the dollar loss or timing of the incident, and in addition to the financial information above, provide the following:

  • IP and/or email address of the fraudulent email
  • Date and time of the incident
  • Incorrectly formatted invoices or letterhead
  • Requests for secrecy or immediate action
  • Unusual timing, requests, or wording of the fraudulent phone calls or emails
  • Phone numbers of the fraudulent phone calls
  • Description of any phone contact, including frequency and timing of calls
  • Foreign accents of the callers
  • Poorly worded or grammatically incorrect emails
  • Reports of any previous email phishing activity
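The IC3 report asks for the fraudulent email's sender address and IP, and those come out of the message headers. The following added example (not code from the original page) parses a constructed BEC-style message with Python's standard email library and pulls out the Reply-To and Return-Path mismatches, the originating IP from the earliest Received header, the SPF/DMARC verdicts the gateway recorded, and the FBI's red-flag wording. All domains, addresses and IP addresses in the sample are constructed.

```python
"""Extract the indicators a BEC report needs from a raw message.  Added
example: the message below is constructed, not a real phishing sample."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed BEC-style message (hypothetical domains, documentation IP ranges).
RAW_MESSAGE = """\
Return-Path: <bounce@mailer-xyz.test>
Received: from mx.corp-example.test (mx.corp-example.test [192.0.2.10])
\tby inbound.corp-example.test with ESMTPS; Tue, 5 Mar 2019 09:14:02 +0000
Received: from relay.mailer-xyz.test (relay.mailer-xyz.test [203.0.113.45])
\tby mx.corp-example.test with ESMTP; Tue, 5 Mar 2019 09:13:58 +0000
Authentication-Results: mx.corp-example.test; spf=softfail smtp.mailfrom=mailer-xyz.test; dmarc=fail header.from=corp-example.test
From: "Jane Doe, CEO" <jane.doe@corp-example.test>
Reply-To: jane.doe.ceo@gmail-lookalike.test
To: accounts@corp-example.test
Date: Tue, 5 Mar 2019 09:13:50 +0000
Subject: Urgent wire transfer - confidential

Hi, I need an urgent wire transfer processed today for a confidential deal.
Let me know when you are free and I will send the new account information.
"""

# Wording the FBI lists as typical of BEC requests, plus the secrecy cue.
URGENCY_PHRASES = ("urgent wire transfer", "urgent invoice payment",
                   "new account information", "code to admin expenses", "confidential")


def domain_of(addr):
    """Domain part of an address, whether or not it carries a display name."""
    return parseaddr(str(addr))[1].rsplit("@", 1)[-1].lower()


def originating_ip(received_headers):
    """Received headers are prepended by each hop, so the last one is the
    first hop; return the bracketed IPv4 address it recorded."""
    for hdr in reversed(received_headers):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hdr))
        if m:
            return m.group(1)
    return None


def analyze(raw):
    """Return the report fields and a list of red flags for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg["From"] or ""))
    reply_to = str(msg["Reply-To"]) if msg["Reply-To"] else None
    return_path = str(msg["Return-Path"]) if msg["Return-Path"] else None
    auth = str(msg["Authentication-Results"] or "")
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    subject = str(msg["Subject"] or "").lower()

    flags = []
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        flags.append("reply-to domain differs from From domain")
    if return_path and domain_of(return_path) != domain_of(from_addr):
        flags.append("return-path domain differs from From domain")
    if re.search(r"\bdmarc=fail\b", auth):
        flags.append("DMARC failed")
    if re.search(r"\bspf=(soft)?fail\b", auth):
        flags.append("SPF failed")
    hits = [p for p in URGENCY_PHRASES if p in body or p in subject]
    if hits:
        flags.append("urgency/secrecy wording: " + ", ".join(hits))

    return {"from": from_addr, "display_name": display, "reply_to": reply_to,
            "return_path": return_path,
            "origin_ip": originating_ip(msg.get_all("Received", [])),
            "date": str(msg["Date"]), "flags": flags}


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key:13} {value}")
```

Only the Received line written by your own mail exchanger is trustworthy; everything below it was supplied by the sending side and can be forged, so the "originating" IP is evidence to hand to the bank and IC3, not proof of where the attacker sits. Likewise, trust an Authentication-Results header only if your MX strips copies that arrive from outside.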

Call an emergency meeting to brief the board and senior management on the incident, the steps already taken and the further actions to be taken.

Have IT investigate the breach to find the attack vector. If an executive's email was hacked, take immediate action to recover control of that account, such as changing the password; also revoke active sessions and app tokens and remove any mailbox forwarding or auto-delete rules the attacker may have added to hide their traffic.

But don't stop there: the likelihood is that the organization has been further infiltrated and other accounts compromised. Have IT run the full gamut of detection technologies to find any malware that may be lurking to strike again.

If the organization was breached, it highlights deficiencies in existing technology safeguards, and it will likely prove difficult for IT to find them. So bring in outside help to detect any intrusion IT may have missed.

The goal is to eliminate any malware buried in existing systems. The bad guys are inside. The organization isn't safe until the attack vector is isolated and all traces of the attack eradicated. This is no easy task.

Make sure your cyber insurance covers CEO fraud: less than 4% of fraudulently transferred funds are ever recovered, so it's a good idea to make sure you have the proper insurance in place. While many organizations have taken out cyber insurance, not all policies cover CEO fraud. This is a gray area in the insurance industry, and many insurers refuse to pay. Although specific cyber-insurance policies exist, the problem is that no hardware or software was hacked; the people were.

The difference between financial-instrument fraud and email fraud: insurers distinguish between the two, and that is where the gray areas come in. Financial instruments can be defined as monetary contracts between parties, such as cash (currency), evidence of an ownership interest in an entity (shares), or a contractual right to receive or deliver cash (bonds). CEO fraud, however, is often categorized as purely an email fraud and not a financial-instrument fraud. In other words, in many cases it is treated as a matter of internal negligence or email impersonation rather than a financial-instrument matter.

That said, there are dozens of carriers in the market providing up to $300 million in limits. Coverage extensions have developed to include both the third-party liability and the first-party costs and expenses associated with a data breach or cyber-attack.

For such an incident to happen, violations of existing policy are likely to be in evidence. Conduct an internal investigation to cover such violations and to rule out any collusion with the criminals. Take appropriate disciplinary action.

Once the immediate consequences of the attack have been addressed and full data has been gathered about it, draw up a plan that adds technology and staff training to prevent the same kind of incident from recurring. Be sure to strengthen employee awareness training as a crucial part of it.


CEO fraud in the news

Business email compromise attack costs nonprofit millions

A business email compromise attack at Illinois's Office of the Special Deputy Receiver led to a loss of more than $6 million, Ray Long reports. Long describes the Office as "a nonprofit that works with the director of the Illinois Departme...

Business Email Compromise-as-a-Service Emerges as Attempted Fraud Soars to as High as $6 Million

BEC scammers are targeting multi-million-dollar payouts and following the path of their ransomware counterparts by evolving their services while organizations struggle to keep up.

Ex-Bank of America Employee Charged with Business Email Compromise Money Laundering

A three-person team, including a personal banker at Bank of America, has been indicted for reportedly being behind a BEC scam that took five companies for over $1.1 million.

