taisweb

asked on
CEO / CFO Email Wire Fraud Attempt

Over the last 9 months we have seen 3 attempts to pull off the "CEO / CFO Wire Fraud Scam" on some of our clients. The troubling thing is these are common clients but served from three different email systems. All had the same scary resemblance to the spoofed executive, and in each case the writing style was "spot on." There was literally no difference, and I am not speaking figuratively. (wait for it... :-)

Question? What steps do you as email admin take to protect your system(s), domains, or clients from this threat?

Does anyone know how they get so much detail on the executives? Like, where do they get the exact signature from the CEO?

Help???
SOLUTION
David Johnson, CD

SOLUTION
taisweb

ASKER

Thank you both for your response. I have since discovered the SPF record in DNS was actually removed (a miscommunication regarding an impending email server change). So SPF, DKIM and DMARC are all configured according to unlocktheinbox.com recommendations, and demarcian.com is processing and reporting on the domain.

I guess I should have made clear, the "signature" I was referring to is the file in Outlook, not a handwritten, bottom-line-on-a-document type. I would still love to discover how they (he / she / it) got it.
On a previous email wire fraud attempt, the crook didn't try to recreate the boss's signature line. It was just signed with his first name. Rather than:

Regards,

CEO's name here
Company address here
Company phone here
Company slogan here
Link to politically correct statement regarding the environment here.

and it was all correct. That leads me to believe someone's email account has been compromised, so a general order for everyone to change passwords has been sent. I initially thought it was the CEO's email account, but since he travels extensively and internationally, the various IP addresses used in the last 45 days all seem to follow his itinerary.

Any other thoughts?
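The asker's follow-up shows how a silently deleted SPF record leaves a domain open to exactly this kind of spoofing. As an added example (not from this thread or any of its participants), here is a small audit of the SPF and DMARC posture for a domain, run over constructed TXT records for a hypothetical `example.test` that mirror the "before" (SPF removed, DMARC only monitoring) and the "after" (restored, enforcing). The record contents and domain names are assumptions; a real run would pull the TXT records from DNS.

```python
import re

# Constructed sample TXT records for a hypothetical domain. RECORDS_BROKEN
# models the incident described above (SPF record deleted, DMARC not
# enforcing); RECORDS_FIXED is a sane baseline.
RECORDS_BROKEN = {
    "example.test": [],                      # SPF TXT record was deleted
    "_dmarc.example.test": ["v=DMARC1; p=none"],
}
RECORDS_FIXED = {
    "example.test": ["v=spf1 mx include:_spf.mailhost.test -all"],
    "_dmarc.example.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"
    ],
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain, records):
    """Return findings about the domain's SPF and DMARC records.
    records maps a DNS name to its list of TXT strings (constructed here)."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record; anyone can send as this domain")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records cause a permerror")
    else:
        # The qualifier on the final 'all' term decides what unlisted senders get.
        m = re.search(r"\s([+~?-]?)all\b", spf[0])
        qualifier = (m.group(1) or "+") if m else None
        if qualifier in (None, "+", "?"):
            findings.append("SPF: missing or permissive 'all' term; use -all or ~all")
    dmarc = [r for r in records.get("_dmarc." + domain, [])
             if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record; receivers will not enforce alignment")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports go nowhere")
    return findings
```

Running `audit` on a schedule against your own domains catches the "someone removed the record" case before an attacker does.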
ASKER CERTIFIED SOLUTION