In the large family of attacks based on social engineering, those designated by the terms “president scam” and more generally “business email compromise” (BEC) are clearly on the rise. This “activity sector”, which consists of using an impostor by email in order to divert funds or obtain data, cost businesses 2.7 billion dollars in 2022 and may even reach as high as 3.3 billion dollars by 20228.With such an economic weight, it is difficult to affirm that your company will never be concerned by this type of attack. It is therefore important to know what these types of attacks consists of, which are often sophisticated, in order to prevent them and protect your business and its employees.
Understanding the President Scam
The principle of these attacks by email is based on the attacker pretending to be someone else, to form a bond of trust with the victim, and getting the employee to perform an operation (ex. a wire transfer) outside the usual procedures. Using this technique, there are as many variations as can be imagined by the online attackers.
1. The various types of attacks
The term, “President Scam” is a bit limited, and it’s important to remember that all levels of the company are concerned. Here are some of the most common methods of attack:
The classic President Scam
An official-looking email is sent to an employee, telling them to make a bank transfer, and making them believe that the demand is urgent and comes from a senior manager of the company (or even the CEO). It is because of the apparent urgency that it bypasses the usual procedures. This type of social engineering puts pressure on the employee in order to get them to comply.
The fake provider invoice
In this case, a third party manages to identify a working relationship between two people: a provider and their customer within the company. They then send an invoice to the company, pretending to be the provider, though having the payment be made to their own bank account instead.
Here too, pressure is made on the employee, by insisting on the the urgency of the transfer, but also its confidential nature. The targeted employee is therefore coerced to execute the transfer without the input of their colleagues or direct managers, and is told that if they don’t make the transfer as requested that the company will be in a lot of trouble.
So far we have mentioned some methods that a malevolent third party can use to receive funds, however the object of the attack can be of a totally different nature. Such an impersonation can be used to obtain sensitive information or more simply names and email addresses that could be used for an even more sophisticated President Scam.
2. Sophisticated attacks
The President Scam (or any other form of BEC attack) is based on an essential element: a trusting bond between the scammer and the employee(s) who are the target of the attack. There is therefore preliminary work done on the part of the scammer to eliminate any suspicion.
- Choosing an ideal target: ideally a large company with a lot of divisions. It would be much more complicated to undertake a President Scam on a SME where the “President” works in daily contact with their employees and even makes most of the payments themself. The number of attacks increases with the size of the company, though it is mainly companies with between 500 and 1500 employees that are the most frequently confronted by this type of fraudulent email. Larger companies are attacked even more, but less intensively when you look at it in relation to the total number of email mailboxes.
- Gathering information: names, email addresses, the role of influential people in the company, as well as the style of communication; much of this information can be obtained publicly, notably via social networks.
- Putting in place an impersonation: the email must seem to have been sent from a manager or a specific correspondent, and so the attacker needs to have first pirated an email address (through phishing, for example) or using an official-looking address (notably via typosquatting).
- Once the bond of trust has been established, the employee is pressured by the urgent and/or confidential nature of the operation, and is asked to perform the operation in question.
- The funds (if this was the objective) are then rapidly transferred abroad in order to limit their ability to be traced.
As we can see, the technical dimension of this type of attack is rather small. The main element in the President Scam is psychological, where the targeted employee must choose between following procedures or obeying (who they believe to be) their superiors. Does the employee feel empowered enough to remind who they think is their superior what the procedures are? It is easy enough to understand why prevention is important to prevent this type of attack, though that is not enough. It is the “human nature” aspect of the targeted agents that authorizes exceptions to the rule and becomes a vulnerability. It is therefore important to also have technical, intractable, systems in place to prevent this type of social engineering from being successful.
1. Identify a President Scam or a BEC attack
The confidence that this type of attack depends on is often related to the fact that very few people even suspect the existence of this type of attack. The first step in prevention is therefore to communicate internally the existence of this type of menace and to encourage every employee to be very weary of every request that is out of the ordinary. Here are some elements that should raise a red flag:
- Urgency that is not self-evident,
- Payment destinations that are changed at the last minute
- Communication only by email, and never by telephone or visually,
- Payments demanded in advance, which was not previously the case.
Generally speaking, an exceptional situation that calls for unusual measures must cause the employee to take extra caution such as double-checking the address of the sender and comparing it with the address of the reply, as well as verifying any links present in the mail, etc.
Even though precautionary measures must be taken whenever an email is received that is out of the ordinary, it is also imperative that technical measures be put in place to prevent these attacks.
2. Prevent identity theft
The common denominator for all BEC attacks is the presence of an impostor of the sender of an email (spoofing). This manner of identify theft may be done via various means: by obtaining the login codes of the person, or by masking the real origin of an email by betting on the inattention of the recipient. To drastically reduce these attacks, tools should be deployed that are capable of blocking these types of practices.
Stolen logins (via phishing for example) are an incredibly easy way for an attacker to cause incredible harm to a company. Encourage the users of your system to opt for sufficiently strong passwords. Multi-factor authentication remains, however, the best way to prevent this type of attack. If the email address of the sender it authentic, and we know that the sender had to use multi-factor authentication to log in, it is all the more probably that the email is authentic.
Anti-spam protection for mailboxes
This tool is useful for more than preventing a President Scam, because good anti-spam protection can neutralize most of the phishing attempts that a professional email mailbox can receive. Emails hosted at Gandi provide this optional service for example.
Efficient mailbox configuration
You may, for example, create a rule that allows reserving a particular treatment of incoming messages that you judge as being suspicious. One way to do this is to create a filtering system based on SIEVE. You can then execute a script upon the reception of an email that will perform a set action such as looking at whether or not the sender is in a specific list, or if the sender address is different from the reply-to address, or, as we will see in a bit, if the domain is suspected as being part of a typosquatting attack.
You can also make use of the domain’s DNS records:
- The DomainKeys Identified Mail (DKIM) protocol uses a private cryptographic key generated by your email server to sign each outgoing message. The recipient can then automatically verify this signature with the help of a public key that is shared in the sender domain name’s DNS records. This signature also permits certifying that the content of the mail (body and attached files) have not been modified between the sending and reception.
- Another protocol that uses DNS records: Sender Policy Framework (SPF), a TXT record that contains the IP Addresses allowed to send messages from the domain name.
- Finally, the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol allows indicating how the messages that were flagged in the previous filtering process (ex. rejection, quarantine, or nothing) via the DNS records.
It is also strongly recommended that you deactivate unused message protocols (POP, IMAP, SMTP) that might permit someone to get around the requirements of multi-factor authentication.
The other means used for these impostor emails is that of typosquatting. In this case the sender’s address is very close to one that might be found in the company. It may look precisely like the one used by the CEO, for example, but be on a slightly different domain name. With a monitoring service like the one proposed by Gandi, your company could be informed upon the registration of a domain similar to your brand’s, which would let you take preventative actions, such as forbidding emails from this domain to be received by your company’s mail server, and thus, the employees.
Conclusion: Everyone should be aware of President Scams
Your company is susceptible, starting from a certain size, of being the target of this type of attack. It is therefore in your interest to take preventative measures by educating your employees as to this type of attack, as well as making use of the various tools that are available to prevent phishing, spoofing, and typosquatting. While President Scams may cost businesses a total of 3.3 billion dollars in 2028, you don’t need to be a victim, by just taking some of the measures noted above as prevention.Tagged in phishingSecurity