NetWorks Group Blog

Do You Trust Your CEO’s Email?

Posted by Scot Armstrong on Mar 8, 2018 10:08:58 AM

If you received an email from your company's CEO asking you to perform a task or pay a vendor, would you proceed without question, or would you verify it first? "It's an email from the CEO, I have to do this," you might think. You might be better off verifying that request if it involves money or confidential information.

For successful cyber criminals, there's an easier way in than hacking through firewalls. They realize that a firewall is a hard outer shell and a difficult way to get in. It's much easier to fool users into divulging information or even sending cash; so much easier that the "Fake CEO Email Scam" has cost corporate victims over $2 billion since 2013. Here is how it works: a criminal spoofs the CEO's email account and directs Accounts Payable to wire money to a specific bank account, stating that it's for a customer refund or a payment to a new vendor. Since the email appears to come from the CEO and looks legitimate, AP wires the money. By the time the company realizes the mistake, the money is long gone. The average hit is $120,000.

Another twist on this scam involves hackers mining confidential data.  In 2016, an employee of Snapchat was fooled into providing payroll information, including names and social security numbers of employees. Hackers sell this data or use it to commit identity theft for big profits.

Another surprise: hackers aren't just going after big companies. Small companies are firmly in the cross-hairs and are fast becoming favored targets. The hackers have a game plan; they know and target easy prey. Rather than attacking their victim's hard outer surface (firewalls, intrusion prevention, etc.), they have found an easier path. The hackers do their homework and research, then attack employees through legitimate-looking methods.
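The wire-fraud request described above leaves traces in the message itself: an executive's name on the wrong address, a Reply-To that diverts the conversation, a lookalike domain, a missing DMARC pass, and payment language wrapped in urgency. The following Python check is an added example (not NetWorks Group's code); the corporate domain, executive list and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the corporate domain and the executives to protect.
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
PAYMENT_WORDS = ("wire", "urgent", "new vendor", "refund")


def bec_indicators(raw_message: str) -> list:
    """Return the BEC indicator codes found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    # 1. An executive's display name paired with an address that is not theirs.
    if EXECUTIVES.get(from_name.strip().lower(), from_addr) != from_addr:
        findings.append("display_name_impersonation")
    # 2. Reply-To silently routes the reply away from the visible sender.
    if reply_addr and reply_addr != from_addr:
        findings.append("reply_to_mismatch")
    # 3. Sender domain reuses our name but is not our domain (lookalike registration).
    if from_domain != INTERNAL_DOMAIN and INTERNAL_DOMAIN.split(".")[0] in from_domain:
        findings.append("lookalike_domain")
    # 4. Mail claims our own domain but the gateway recorded no DMARC pass.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        findings.append("dmarc_not_passed")
    # 5. Payment language plus urgency, the hallmark of the wire request.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if sum(word in text for word in PAYMENT_WORDS) >= 2:
        findings.append("payment_urgency_language")
    return findings


# Constructed sample messages: one spoofed CEO request, one genuine internal mail.
SPOOFED_MESSAGE = """\
From: Jane Doe <jane.doe@example-corp-payments.com>
Reply-To: jd.ceo@freemail-example.net
To: ap@example-corp.com
Subject: Urgent wire for new vendor
Authentication-Results: mx.example-corp.com; dmarc=none

Please wire the refund to the new vendor today. I am in meetings and cannot talk.
"""
LEGIT_MESSAGE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: ap@example-corp.com
Subject: Board deck
Authentication-Results: mx.example-corp.com; dmarc=pass header.from=example-corp.com

Attached is the deck for Thursday.
"""
```

Any non-empty result is a reason to route the message for human verification before Accounts Payable acts on it.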

Since hackers have elevated their game, NetWorks Group has done the same to help our customers defend themselves. We designed our Full Scope Pen Testing service to test systems using the very same tactics, techniques and procedures that hackers use. An early step of our Full Scope Penetration Testing involves gathering OSINT (Open Source Intelligence) to mimic this approach. It's much easier to fool users to gain a foothold, compromise a system, pivot from the compromised system to attack another, and repeat until access is gained to the crown jewels – Personal Health Information, credit card numbers, Social Security information, proprietary company data, R&D, etc. The criminals are tricky, users can be fooled, and your company is much better off having an ethical security company like NetWorks Group uncover your risks than being surprised by a criminal. Reach out and ask me how our Full Scope Pen Testing can help you uncover and understand risks like the CEO Email Scam.

Topics: Penetration Testing, Ethical Hacking
