Safer to Respond to or Simply Ignore an Email from the CEO?


Closing the loop on corporate account takeover or business email fraud

Let’s say you work in Corporate Finance/Accounting and you get an email from your CEO with a directive to execute a wire payment. The email has all the hallmarks of your CEO’s email – corporate logo, signature block, and proper email address. It looks like every other email you receive from your CEO. Nothing looks amiss or raises doubts. What do you do?

To date, standard operating procedures allow email requests from the CEO seeking payment for company-related expenses to serve as the ‘call to action’ and authorization to execute the payment by wire transfer. On the other hand, maybe this is the first email request. In either case, as an ever-diligent employee, do you feel obliged to follow the instructions or the standard procedures? Without requesting confirmation, you initiate the wire transfer. The payment goes out and is never returned UNLESS you immediately reverse the transfer by calling the receiving bank and leveraging connections to freeze it. If you are lucky and stop the transfer, the receiving bank returns the wire in a few days.

Can this happen? The answer according to Joseph Loomis, CTO of CyberSponse, is “yes, more frequently than people may realize. I, personally, have talked with companies that were recently targeted. Some fell victim while others had checks and balances in place that prevented such fraud to occur.”

Let’s take a deeper look at what is known as ‘corporate account takeover’ or ‘business email fraud.’

Cybercriminals, ever on the hunt to find new ways to defraud individuals and corporations, have found ways to exploit publicly available information and weaknesses in corporate email systems. Corporate account takeover is a type of business identity theft where cybercriminals gain control of or access to a company’s finances to make unauthorized transactions: transferring funds from the company, creating and adding new fake employees to payroll, and stealing sensitive customer information. They may steal employee passwords and other valid credentials to gain access to bank accounts. The criminals then initiate fraudulent wire transfers to accounts they manage themselves.

The scams are evolving to include business email fraud, where criminals gain access to corporate email accounts or systems. Once a business email account is compromised, cybercriminals hijack or spoof senior executive email accounts. In little time, the criminals compose and send emails with directives for wire transfer payments, not only to international banks but also to US-based banks with US business mailing addresses.

The frequency of this type of payment fraud is on the rise.

The United States Computer Emergency Readiness Team (US-CERT) issued a Fraud Alert related to business email compromise (BEC). “The Financial Service Information Sharing and Analysis Center (FS-ISAC) and federal law enforcement agencies released a joint alert warning companies of a sophisticated wire payment scam” where cybercriminals “use fraudulent information to trick companies into directing financial transactions into accounts scammers control.”

While most of the incidents involve the compromise of email accounts belonging to CEOs and CFOs, other incidents, known as ‘vendor fraud’, involve compromising vendor/supplier email accounts and attempting to change the bank and account number associated with that vendor/supplier to redirect future payments.

How do cybercriminals execute these phishing schemes?[1]

  • Compromise legitimate business email accounts through social engineering or malware
  • Conduct reconnaissance to review the business’s legitimate e-mail communications and travel schedules
  • Capture auto-forwarded e-mails received by the victim to an e-mail account under their control
  • Send wire transfer instructions using either the victim’s e-mail or a spoofed e-mail account that is controlled by the cybercriminal (the spoofed e-mail account is subtle and often easily mistaken for the legitimate business e-mail address)
  • To avoid detection, they may create rules to send all communications associated with their actions to the victim’s trash or a hidden folder
  • Often the email scams – noted as relating to urgent or confidential matters – occur when the CEO or CFO is on official travel, which makes it more likely that the individual would use email for official business
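The spoofed-sender and "urgent or confidential" traits in the list above can be screened for at the mail gateway. The following is an added example, not part of the original post; the corporate domain `example.com`, the executive name and the sample messages are constructed assumptions.

```python
import email
from email.utils import parseaddr

CORP_DOMAIN = "example.com"        # assumed corporate mail domain
EXECUTIVES = {"jane doe"}          # assumed executive display names
PAYMENT_TERMS = ("wire", "transfer", "payment", "urgent", "confidential")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def bec_flags(raw):
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    dom = domain_of(addr)
    flags = []
    # Sender domain is one or two characters away from the real one.
    if dom != CORP_DOMAIN and edit_distance(dom, CORP_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    # Executive's display name on an address outside the company.
    if name.lower() in EXECUTIVES and dom != CORP_DOMAIN:
        flags.append("exec-name-external-sender")
    # Replies would be routed away from the apparent sender.
    if reply_to and domain_of(reply_to) != dom:
        flags.append("reply-to-mismatch")
    # Payment wording only matters when a sender anomaly is present.
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if flags and any(term in text for term in PAYMENT_TERMS):
        flags.append("payment-request")
    return flags

# Constructed sample messages.
SPOOFED = ('From: "Jane Doe" <jane.doe@examp1e.com>\n'
           "Subject: Urgent wire transfer\n\nPlease send today.\n")
REPLY_TO = ('From: "Jane Doe" <jane.doe@example.com>\n'
            "Reply-To: <jane.doe@webmail.test>\n"
            "Subject: Confidential payment\n\nKeep this between us.\n")
LEGIT = ('From: "Jane Doe" <jane.doe@example.com>\n'
         "Subject: Q3 board deck\n\nDraft attached.\n")
```

Header checks like these do not catch a request sent from a genuinely compromised mailbox with no redirect, which is why confirmation before executing the wire remains the deciding control.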


For information on how to manage Risk Mitigation and undertake Incident Reporting refer to


For information on social engineering and phishing attacks – what they are, how to avoid being a victim, and what to do if you become a victim – refer to the US-CERT “Security Tip (ST04-014): Avoiding Social Engineering and Phishing Attacks,”


“Best Practices for Banks: Reducing the Risks of Corporate Account Takeovers,” developed by the Texas Bankers Electronic Crimes Task Force, supported by Conference of State Bank Supervisors (CSBS), Financial Services – Information Sharing and Analysis Center (FS-ISAC), United States Secret Service (US Secret Service) and Texas Department of Banking

Wall Street Journal, “Hackers Trick Email Systems into Wiring them Large Sums,”

[1] “Fraud Alert – Business E-mail Compromise Continues to Swindle and Defraud U.S. Businesses,” developed jointly between the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the United States Secret Service,




The post Safer to Respond to or Simply Ignore an Email from the CEO? appeared first on Cybersponse.

About CyberSponse, Inc.
CyberSponse Incorporated, a global leader in cyber security automation & orchestration, helps accelerate an organization’s processes, security operations teams and incident responders. The CyberSponse platform enables organizations to seamlessly integrate, automate and playbook their security tool stack, enabling better, faster and more effective security operations. With a global presence, offering an enterprise platform, Cybersponse enables organizations to secure their security operations teams and environments.
