CEO / CFO Email Wire Fraud Attempt

Over the last 9 months we have seen 3 attempts to pull off the "CEO / CFO Wire Fraud Scam" on some of our clients.  The troubling thing is these are common clients but served from three different email systems. All had the same scary resemblance to the spoofed executive and in each case the writing style was "spot on."  There was literally no difference and I am not speaking figuratively.  (wait for it,,,, :-)

Question?  What steps do you as email admin take to protect your system(s), domains, or clients from this threat?

Does anyone know how they get so much detail on the executives?  Like, where do they get the exact signature from the CEO?


David Johnson, CD, MVP (Owner) commented:
This is where Google or other search engines are your enemy: membership in sites like LinkedIn, or other publicly available documentation.
Daniel McAllister (President, IT4SOHO, LLC) commented:
As a high-level executive, your CEO/CFO type of person will have plenty of signatures on public documents (including incorporation forms, or registration forms for the company). This is why so many documents require a Notary's Seal to confirm the signature.

The real issue is that either:
 a) your email is not validating the sender (that is, your company email should be originating ONLY from your company email servers; look up SPF and perhaps even DKIM).
     NOTE: If the messages DID come from your own servers, then you have a hacked account issue as well.
 b) your clients are overly susceptible to "human hacking" -- that is, they're not immediately suspicious of odd requests or emailed requests that wouldn't normally be in email.

These are at least places to start... without more details on how you were susceptible, there isn't much more I can say.
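To make the "validate the sender" point concrete, here is an added example (not code from the thread or from any participant) of the check a receiving mail server performs: it evaluates a connecting IP against a domain's SPF record and then applies the domain's DMARC policy. The domain `example.com`, its TXT records and the IP addresses are constructed; a real receiver would look them up in DNS and would also check DKIM, which is omitted here.

```python
import ipaddress

# Constructed stand-in for DNS TXT answers (assumed domain example.com).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Return ([(qualifier, network), ...], qualifier_for_all) from an spf1 record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, default = [], "?"  # no 'all' term means neutral for unlisted senders
    for term in terms[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            default = qual
        elif term.lower().startswith(("ip4:", "ip6:")):
            nets.append((qual, ipaddress.ip_network(term[4:], strict=False)))
        # include:/a/mx mechanisms need more DNS lookups; not handled offline
    return nets, default


def check_spf(domain, sender_ip):
    """SPF result for a message claiming 'domain' delivered from 'sender_ip'."""
    record = TXT_RECORDS.get(domain)
    if record is None:
        return "none"  # the situation in the thread: SPF record removed from DNS
    nets, default = parse_spf(record)
    ip = ipaddress.ip_address(sender_ip)
    for qual, net in nets:  # v4 address is never 'in' a v6 network, and vice versa
        if ip in net:
            return RESULT[qual]
    return RESULT[default]


def dmarc_policy(domain):
    """The p= tag of the domain's DMARC record, or None if it publishes none."""
    record = TXT_RECORDS.get("_dmarc." + domain)
    if record is None:
        return None
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags.get("p")


def disposition(from_domain, sender_ip):
    """What the receiver does with the message, using SPF alone (DKIM omitted)."""
    if check_spf(from_domain, sender_ip) == "pass":
        return "deliver"
    policy = dmarc_policy(from_domain) or "none"
    return policy if policy in ("reject", "quarantine") else "deliver"
```

A domain with no SPF and no DMARC record, as in the asker's case, ends in "deliver" for any sender, which is exactly why the spoofed messages got through.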

taisweb (Author) commented:
Thank you both for your response.  I have since discovered the SPF record in DNS was actually removed (a miscommunication regarding an impending email server change).  So SPF, DKIM and DMARC are all configured according to recommendations and are processing and reporting on the domain.

I guess I should have made clear, the "signature" I was referring to is the file in Outlook, not a handwritten one at the bottom of a document.  I would still love to discover how they (he / she / it) got it.
On a previous email wire fraud attempt, the crook didn't try to recreate the boss's signature line.  It was just signed with his first name.  Rather than:


CEO's name here
Company address here
Company phone here
Company slogan here
Link to politically correct statement regarding the environment here.

and it was all correct.  That leads me to believe someone's email account has been compromised, so a general order for everyone to change passwords has been sent.  I initially thought it was the CEO's email account, but he travels extensively and internationally, and the various IP addresses used in the last 45 days all seem to follow his itinerary.

Any other thoughts?
Daniel McAllister (President, IT4SOHO, LLC) commented:
The IP addresses that are scanned are the server-to-server (SMTP) communications. Your CEO should be connecting to your email server on another port (465 or 587) to submit messages (the canonical name for port 587 is "submission").

Just today, on another thread, I was remarking that the SMTP port (25) should not accept authenticated messages (at all!) because it creates an "opening" for DoS and brute-force/dictionary attacks that will affect server performance. ALL user-submitted messages should be coming in through ports 587, 465, or some other agreed-upon port (I don't like it, but it's legitimate to use a non-standard port -- 26 is popular -- for submission). (As an aside, this also solves the issue where many ISPs won't allow outbound traffic to port 25 from dynamically assigned IP addresses -- Verizon being one of those ISPs -- which can result in "roaming users" not being able to send emails if they're sending to port 25.)

I hope this helps...
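As an added illustration of the port split described above (this is not the commenter's configuration, and it assumes a Postfix server; other MTAs express the same idea differently), a `master.cf` fragment that refuses SASL authentication on port 25 and accepts it only on the submission (587) and smtps (465) services, both of which require TLS:

```conf
# Port 25: server-to-server SMTP only. No AUTH, so password guessing
# against this port cannot succeed and relaying depends solely on
# smtpd_recipient_restrictions / mynetworks in main.cf.
smtp       inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=no

# Port 587: message submission for users (roaming CEO included).
# STARTTLS is mandatory and only authenticated clients may send.
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 465: implicit-TLS submission for clients that cannot do STARTTLS.
smtps      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

The separate `syslog_name` values make the distinction visible in the mail log, so logins from the traveling executive show up under `postfix/submission` and can be reviewed apart from the server-to-server traffic on port 25.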

