“Good morning, Jim. Are you at your desk? I need you to do something for me.”
It begins with a quick morning email from a manager or CEO, which lowers the target’s guard. There are no suspicious attachments or links to raise alarm bells. This can even fool those who are otherwise adept at spotting a phish. If they respond, the scammer then asks for some kind of financial transaction to occur. (e.g. a wire transfer, gift card purchase, or direct deposit change)
Impersonation scams like this are continually on the rise. They are disturbingly easy to execute and can lead to dramatic payouts for the scammer. They also frequently pass through mail filters because they simply contain conversational text from previously unseen addresses. Also referred to as “whaling” or “spear phishing”, attacks like this cost organizations billions of dollars every year.
Standard email authentication schemes such as SPF, DKIM, and DMARC, which operate on the sender’s address, cannot protect against this since the scammer often does not spoof the address. They only need to spoof the executive’s name in order to achieve their goal. In fact, the message will frequently pass SPF, DKIM, and DMARC checks, since it may originate from a large ESP such as Gmail, Yahoo and Outlook.com. For example:
From: “Judy Smith” <email@example.com>
Subject: Quick question
Hey, are you in the office today? I’ve got a favor to ask you.
The scammer is hoping for one of two things:
1. The target only sees the sender’s name, and assumes it is reliable.
2. The target sees the unusual email address, but assumes it was sent from the executive’s personal account, cell phone, tablet, etc. (The scammer may even include “Sent from my iPhone” at the bottom of the message to aid in this misdirection)
CEO Fraud Protection by Securence guards the executive’s name, displayed as the sender, and is the key to the scam. If an email claims to be from a protected name in Securence, but the email address does not match, then Securence will take action. Standard actions include: block, quarantine, notify an administrator, or deliver the message after modifying it to include a warning.
Login to your account today to setup this critical feature. It is available under the Phish settings for your Domain, Group, and Company accounts. There you will also find further documentation, including best practices for configuration and tips on avoiding false positives during and after rollout.
As always, we welcome your feedback. Reach out to us at firstname.lastname@example.org with any questions or concerns.