Fake Identity Fraud: Protection through Awareness
by Götz Schartner, CEO, 8com
In the last few months, two types of social engineering attacks have been causing concern among executives of global corporations, banks and government agencies. Criminals posing as CEOs, presidents and contractors have managed to persuade employees to transfer funds to their bank accounts, leading to damages of around EUR3m in the first half of 2016 in Germany alone. How can companies protect themselves against social engineers out for their money? 8com’s experience has shown that information security awareness is the key.
After news broke in August of 2016 that Leoni AG, one of the world’s leading wire and cable manufacturers, had been swindled out of EUR40m by a social engineer using nothing but email, the company’s stock dropped almost 7%. How could this have happened? A two-week investigation by law enforcement and the company itself revealed that a young woman working in the finance department of Leoni’s factory in Bistrita, Romania, received an email, seemingly from senior German executives. She believed the email to be a genuine request to transfer EUR40m out of the company’s bank account. According to unconfirmed reports, the money was moved into accounts in the Czech Republic.
This case of CEO fraud, also known as fake president fraud, reveals the problems and challenges facing companies when it comes to social engineering attacks. Unlike conventional hacking attacks, criminals don’t rely upon malicious software to infect computer networks. This makes conventional protection, like firewalls and antivirus software, ineffective. The social engineer’s target is the human operating system. In order to develop strategies to deal with fake identity fraud, one must take a closer look at the methods used by social engineers.
At the heart of every social engineering attack lies the exploitation of positive human qualities, like kindness and trust, to bypass the human firewall. Employees are tricked into doing what the attackers ask of them through conscious and subconscious manipulation. To set up a successful play, as the main phase of an attack is called, the attackers engage the target and provide a pretext for the interaction. In the case of CEO fraud, social engineers count on the willingness of people to comply when a request comes from a figure of authority.
Let’s look at how a case of CEO fraud could take place. An employee in the finance department of a company receives a phone call from a man introducing himself as a lawyer and is asked about an important transfer of funds, allegedly on behalf of the CEO. The employee informs the caller that he is unaware of any transfers and decides not to take any further action for the time being. Later, he gets an email, supposedly written by the CEO himself. It informs the employee that funds needed for the strategic acquisition of a company have to be transferred and that he was specifically chosen for the task, based on his past performance and discretion. Further information would be given to him by the lawyer. Over the following days, the employee’s correspondence with the lawyer and the CEO intensifies. He is told not to talk to anyone about the matter, signs an NDA and finally receives the bank account details he needs to transfer the sum of several million euros. After the transfer, the communication suddenly ends. The employee doesn’t get any more emails or phone calls from either of the involved parties.
At this moment, it might dawn on him that he was tricked, that he wasn’t actually corresponding with the CEO, or even a real lawyer. In a panic, he decides to ignore the NDA and talks to his supervisors. The money, meanwhile, has already been withdrawn by the attackers.
As we can see, an attack like this doesn’t require sophisticated technological savvy, but a deep understanding of the human psyche. Every successful social engineer does a great amount of research before starting an attack. He might even create a psychological profile of the target based on freely accessible information on websites and in social networks. Nothing is left to chance. In some cases, employees might become sceptical and deny payment. Others are easily duped. After all, who wouldn’t comply with the request of the head of a company, especially if he or she was ‘the chosen one’?
While CEO fraud serves as an example of a relatively complex form of fake identity fraud, payment diversion scams are a lot simpler, but just as effective. Criminals do not pose as heads of companies, but as contractors awaiting payment from the target company. They send emails to the responsible employees, letting them know that there is a new bank account to which all future payments have to be transferred. The money, of course, goes right into the criminals’ pockets. This mode of attack is less sophisticated than CEO fraud and the profits are lower, but the interaction is impersonal and doesn’t require any knowledge of human psychology and behaviour.