Pearl Software Blog

Internet Monitoring and Web Filtering Topics

CEO Spoofed – Loses Company $47 Million then Fired.

An FACC employee wired 50 million euros after receiving emailed instructions from someone posing as FACC’s CEO.  This forced the company to report a financial loss to investors which would have otherwise shown net positive earnings.  FACC, whose customers include Airbus (EPA: AIR), Boeing (NYSE: BA) and Dassault (AM:EN), fired its CEO after he "severely violated his duties".  The company’s CFO was also terminated.
 
The scam is known as the “Fake President” fraud.  By using a fake email address that resembles that of the President’s, the scammer convinces an employee, usually working in the finance department, to make an bank wire transfer to a third party on the grounds of a debt to pay, a provision in contract or a purchase deposit.  The order is given with authority and urgency. The scammer has usually done enough research on the target company to give them the necessary arguments to convince the victim to act in accordance with the request.

Part of the scammer’s tactic is to register a domain similar to the target domain. For example, if a scammer is targeting a user at mycompany.com, the scammer may register the domain mycompony.com. The target may then receive an email sent to them at user@mycompany.com from CEO@mycompony.com. When the recipient replies to the email, the scammer relies on the victim not noticing the slight difference in the domain and thus trusting the sender.

To avoid these scams it’s important to both educate employees as well as to monitor email transactions for suspicious activity.  Employees should verify the legitimacy of significant requests by calling the requester using the contact information stored on file and not the information given in the emailed instructions.  Employees should be vigilant to any urgent or confidential request not adhering to standard working procedures.  Monitoring tools like Pearl Echo should be set to audit email for key phrases like ‘wire instructions’ and use wildcards to look for and flag domain variants.

Comments are closed