
The 'bogus boss' email scam costing firms millions - elthran
http://www.bbc.com/news/business-35250678
======
ndespres
I'm an IT consultant in NYC, and no fewer than 5 of my clients have been
targeted by such scams. Information on the structure of their company is
gathered from their website and an email will be fabricated appearing to be a
conversation between company president, controller, CFO, etc all with their
real names and email addresses, sent to a company accountant or something
requesting a wire transfer.

The final email will be sent from a very similar email domain: the scammers
register a domain with a simple letter/number substitution that is VERY
difficult to visually detect if you aren't looking. Many were registered with
VistaPrint, who offer free registration of domains on a trial plan, or
something. You can see a list of their recently-registered domains here
[http://vistaprinta.tk/](http://vistaprinta.tk/), if you scan through it
you'll see some misspellings and l/1 switcheroos. (I spoke with someone at
Vistaprint who indicated that they are actively working on this problem, and
they have taken quick action when requested).

When my clients ask me to take a technology approach on these matters, I
encourage them to treat it as a process issue instead. Having adequate
controls for issues like this (phone call required, second approver for large
wire transfers, etc) is better than any futile spam-blocking action we could
take.
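
The letter/number substitutions described above can be caught mechanically at the mail gateway or in the client, as a cheap supplement to the process controls. The following is an added example, not code from the original post or from any product named in it; the trusted domain `examplecorp.com`, the confusable table and the sample addresses are constructed for illustration. A sender domain is flagged as a lookalike when it collapses to the same visual "skeleton" as a trusted domain (l/1, o/0, rn/m and similar swaps) or sits within one edit of it.

```python
import re

# Constructed allowlist for the example; a real deployment would load the
# organisation's own domains from configuration.
TRUSTED_DOMAINS = {"examplecorp.com"}

# Character sequences that are hard to tell apart in common fonts. Multi-character
# entries come first so "rn" collapses to "m" before single characters are mapped.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("1", "l"), ("|", "l"), ("0", "o"), ("5", "s"), ("3", "e"), ("8", "b"),
]


def skeleton(label: str) -> str:
    """Collapse a domain to a visual skeleton so that lookalikes built from
    l/1, o/0 or rn/m swaps compare equal to the genuine domain."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def sender_domain(address: str) -> str:
    """Domain part of 'Name <user@host>' or a bare 'user@host', lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    if not m:
        raise ValueError(f"no domain in {address!r}")
    return m.group(1).lower().rstrip(".")


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: address."""
    domain = sender_domain(address)
    if domain in trusted:
        return "internal"
    for good in trusted:
        # Skeleton equality catches examplec0rp.com and exarnplecorp.com; the
        # distance check catches examplecorp.co and other one-character slips.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for a in ("ceo@examplecorp.com", "CEO <ceo@examplec0rp.com>",
              "ceo@exarnplecorp.com", "ceo@examplecorp.co", "bob@gmail.com"):
        print(f"{a:32} -> {classify_sender(a)}")
```

A "lookalike" verdict is a reason to hold the message or tag it loudly, not proof of fraud; the registrant of a one-letter-off domain may be a legitimate third party, which is why the check belongs alongside the phone call and second approver rather than in place of them.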

~~~
DenisM
At Microsoft, when an email has an internal sender address it will not get
delivered unless that email did in fact come from an internal Exchange server.

In 1998 I was able to use SMTP to send an email "from Bill Gates" (only sent
it to myself for my own personal amusement), but the trick stopped working
later.

~~~
bostonpete
That doesn't seem like it would guard against an e-mail sent from "a very
similar email domain" like ndespres described.

~~~
DenisM
Yes, but I could always double-click on the mail address in Outlook and see
the internal address book entry _if the email is spelt correctly_.

When verification is easy, people do more of it.

~~~
Shog9
Which brings it back to being a process issue: if folks are diligent about
verifying (whether that's a phone call or clicking on a name), then this is
harder to pull off.

------
pdkl95
All this talk about email forgery... so why isn't all of this email
authenticated with GPG? This type of authentication is a _solved problem_.

Yes, in the _general_ case PKI is broken and web-of-trust is hard to
bootstrap, but protection against scams like this doesn't need to solve the
general case. Distributing keys internally isn't hard. Even _some_
communication external to the organization should be easily authenticated with
pubkey crypto - it's not more difficult than the business contracts everybody
already uses regularly.

Why is everybody trying to solve this with _email headers_ or _fallible human
judgment_?

~~~
eli
So do you sign your outgoing mail with GPG? If not, why not?

~~~
Joeboy
I just stopped doing this, because the only tangible impact was people asking
why my emails had weird incomprehensible junk in them. Admittedly this usually
took the form of mild derision rather than outright hostility.

------
howeyc
Why don't firms flag all email from external domains as "EXTERNAL" (All
subjects are prefixed before being transferred to individual email boxes)?

We have that where I work, wouldn't that help? That way an email with the
CEO's email but with a slightly off email address would show external, where
every other email within the company has no such flag.

~~~
knodi123
First line of email body:

Argh! Sorry this got flagged as external. Stupid IT guys. Anyway, we're about
to close a major deal that will make us all rich, please wire blah blah blah.

~~~
Zikes
As with most other aspects of this scam, your suggestion would require a
certain lack of critical thinking on the accountant's part: how would the
sender know that IT had flagged their email as external before the email was
sent and flagged?

~~~
ubernostrum
_how would the sender know that IT had flagged their email as external before
the email was sent and flagged?_

The recipients who fall for it don't think about that. They think "oh crap,
the big boss needs this done". Critical thinking about and questioning of
decisions from higher up is strongly -- one might even say violently --
discouraged in many large organizations.

------
vermontdevil
Shouldn't companies have controls in place when a large amount of money is being
requested for transfer? Controls that do not involve using email as final
approval.

~~~
cm2187
Emails are regularly used for approving large transactions. You can have
dedicated approval systems but they are often more of a problem than a
solution. When the approver is away you have complex and slow delegation
procedures when you are not completely stuck. When people are travelling they
can't approve anything while they can on a blackberry. And you need to email
people to chase them anyway. These systems are just adding to the corporate
bureaucracy.

Common sense should be the first line of defense. Even by email, managers
should not approve a transaction they know nothing about. And if one approves
something after having only talked to complete strangers, it's hard to fight
raw stupidity. The first thing I would have done in this story is fire the
accountant.

~~~
manyxcxi
That's funny, my first thought was to fire the accountant as well. Then I
thought about it, who has more experience with these scammers than the
accountant that screwed up? I would wager they would never fall for it again
if they were any sort of reasonable human being, whereas a new accountant has
probably never even heard of this scam and you're vulnerable all over again.

What I would do, though, is get my lawyer involved to write up a new contract
that would make them liable for every last penny should this happen again.

~~~
throwaway7767
> What I would do, though, is get my lawyer involved to write up a new
> contract that would make them liable for every last penny should this happen
> again.

No accountant would work for you with that stipulation, the risk/reward
calculation doesn't make sense.

~~~
gambiting
Not true, my accountant has a contract where she is responsible for any
mistakes or miscalculated taxes etc so she has to pay them. She does have a
registered accountancy office and insurance against this sort of thing
though, so the risk for her is also minimal.

~~~
arethuza
That doesn't sound like an in-house accountant (i.e. an employee) but that you
are engaging an external accountant to work for you - completely different
commercial relationships.

~~~
DrJokepu
And they typically have liability insurance anyway. Your contract is not worth
the paper it's written on if the accountant is unlikely to be able to ever
repay the loss.

------
soared
If you've done any serious gaming, especially an MMORPG, you've seen this scam
a million times. Register an account with a name something like "Mod Steve" or
"Blizzzard Rep" and just private message every rich player you see. Claim to
be a service rep, say you need to verify their password for security or
whatever, and 5% of the time they'll give it to you.

I made a lot of free money on runescape doing this back in elementary school.
"Jagex Modz 1"

~~~
JoshTriplett
Leaving aside the infamous laws against "unauthorized access", if you pulled
that scam on any gaming platform that had a real-money market, that could
easily be interpreted as theft.

~~~
mschuster91
> Leaving aside the infamous laws against "unauthorized access"

Why should that be unauthorized? Unless it's written in the T&C that you must
not use a pseudonym which impersonates a company official, he had used the
system in a legitimate way and did not exploit bugs or bypass access
controls.

~~~
mikecaputo
I believe he is referring to logging in as the other to transfer their goods
once they have mistakenly given you the password. That's the unauthorized
access, not naming yourself something that is similar to a moderators name.

~~~
JoshTriplett
Exactly. Phishing someone's password and not using it might be a T&C
violation, but shouldn't necessarily be illegal (you might, for instance, be
doing a study on user gullibility, or be part of a red team checking the
security policies of a partner or supplier). Actually _using_ that password,
on the other hand...

------
pbhjpbhj
In the OP wouldn't the accountant be liable? They performed the transaction
without verifying the authority of those requesting it.

OT:

>"Her firm, which which employs 50 people" //

Surely the BBC's story editing software has a spell-checker that looks for
errant word duplication?

~~~
david-given
You'd think that that would be easy to detect with no false positives.

~~~
laumars
While that is grammatically correct, I was always taught that you'd remove
superfluous words or refactor the sentence when writing formal English.

I'm certainly not the best writer (quite appalling actually), but the
following reads better while still carrying the same intent:

 _You'd think that would be easy to detect with no false positives._

However I'd be interested to read any corrections if I'm wrong as I'm always
looking to improve my English writing skills.

~~~
grkvlt
No, the italics aren't helping... Although this probably says something about
how easy it is to fail to notice word-doubling errors?

~~~
laumars
I think you may have missed my point (or I have missed yours). I was saying
that same sentence works with both a single and double instance of the word
"that". The italics were only there to separate the quoted text from my
comment, rather than a typeface suggestion to the former poster.

------
FussyZeus
Is this really that shocking? Just seems like the natural evolution of
business scams, we still get the people trying to sell us warranties on our
company vehicles and trying to sell us toner for printers we barely use
(paperless office woo!).

You know the part that makes me laugh is if these people put their ingenuity
into doing something useful for society, they wouldn't need to be stealing
from everyone all the bloody time.

------
ommunist
If there is a culture of "follow my order or get fired" in your company --
prepare to be hit.

------
sschueller
Aren't there transfer limits requiring physical sign off by the CEO to prevent
these kinds of things?

~~~
HillRat
A surprisingly large number of SMBs in my experience don't have capital
transfer controls, especially when the CEO is used to doing financial
transfers on the fly. I can think of half a dozen reasonably-sized businesses
I've worked with who would be vulnerable to this scam, even with their
internal accountants -- a fraudster could call them up, tell them that they
needed to draft some five-figure amount because the company got behind on its
401K matches or insurance, and the accountant would think, "Yeah, that sounds
about right." And these are the companies who can least afford to get scammed
-- they're low-margin companies moving funds around all the time because
they're scrambling to keep the balls in the air, so a good-sized fraudulent
transfer would cripple them.

I'm more surprised that the convicted fraudster is living in an Ashdod mansion
off the beach, and evidently the current Israeli government isn't interested
in repatriating him to France to serve his time. I mean, I know there's no
bilateral extradition treaty in place, but the son of a bitch _brags_ about
what he did -- he doesn't even pretend to deny it!

~~~
mattmanser
A lot of this is because the move from 10 to 50 employees can happen in 2
years, is incredibly hectic in itself, chain of command can be a bit confusing
and no-one even thinks something like this might happen.

And because the growth is organic rather than the artificial growth of a
massive VC cash injection, most companies don't know what they don't know.

------
bluedino
Our CFO received an email like this, it appeared to be from the owner of our
company. They even used owner.name@ourdomain.com as the 'from' address. We
don't use that naming scheme for email accounts, and it was actually using a
Yahoo address as the 'reply-to' address.

 _Subject: Transfer

Hi John,

Hope your day is going on well, I need you to process a Transfer payment
swiftly,let me know what details would be needed, to get it done as soon as
possible

Kind Regards,

Jane Doe_

Very weird, not sure if a bot puts these together or if there's human
involvement.

~~~
danbower
> Very weird, not sure if a bot puts these together or if there's human
> involvement.

It'd be easy enough to source a list of company names and owners of the
companies then generate possible domains and possible email addresses for the
owners but you ultimately need to know who should receive the email. This
probably involves a human digging around on LinkedIn. I have no idea what it's
like to scrape LinkedIn but presumably they make it difficult. The difference
between using the correct email address for the CFO but incorrect one for the
owner suggests it's a bit of both.

------
e40
My accountant got one of these. We called the bank that we were to transfer
the funds to and talked to their fraud department. They wouldn't/couldn't do
much, but the account was clearly in control of the criminal. Too bad no one
cares, because they leave a trail and could easily be caught.

~~~
rwmurrayVT
Unfortunately, they absolutely can't do anything about it. There are an
endless number of scenarios in which an attempted reverse transfer could be
fraudulent. If you suffered a loss they want your bank to worry about it.

As for tracking them, it's not as simple as you probably believe. Opening a
business checking account or personal checking account anonymously is a lot
easier than you believe. Withdrawing 10-50k is also not as difficult as you
might believe. Moving hundreds of thousands to millions might present an
issue. You might be able to get some money back if it's that high dollar, but
if you sent it to a shady country you're screwed.

------
DenisM
Ideally email addresses would just have different colors - internal email
green, external red (as verified domain spelling _and_ by SPF/DKIM).

That would also help immensely with accidental leaks of internal discussions,
which is something I have to constantly watch out for with gmail (google
apps).

~~~
scoot
Mail in iOS supports this (for spelling at least).

Settings > Mail > Mark Addresses

------
hyperpape
So it seems like this relies on sending email that purports to be from your
boss. Aside from the other problems with procedure (like, why don't you get
your boss on the phone?), isn't DKIM supposed to be a partial solution to
these kinds of fraudulent emails?
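
The red/green colouring DenisM describes, the "[EXTERNAL]" subject tag howeyc's employer uses, the webmail Reply-To in bluedino's sample, and the DKIM question above all come down to the same few header checks. What follows is an added example, not code from the original thread or from any mail product; the domain `examplecorp.com`, the `Authentication-Results` values and both sample messages are constructed. The key point it makes explicit is alignment: a `dkim=pass` only vouches for the From: domain when the signing domain (`header.d=`) is that same domain, so a lookalike domain with its own perfectly valid DKIM key still lands as external.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for the example: the organisation's own mail domains.
INTERNAL_DOMAINS = {"examplecorp.com"}


def addr_domain(header_value) -> str:
    """Lower-cased domain of the address in a From:/Reply-To: header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header_value) -> dict:
    """Extract spf=/dkim=/dmarc= verdicts and the DKIM signing domain (header.d=)
    from the Authentication-Results header stamped by the receiving MTA (RFC 8601)."""
    text = str(header_value or "")
    results = {m.group(1): m.group(2).lower()
               for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", text)}
    m = re.search(r"header\.d=([\w.-]+)", text)
    if m:
        results["dkim_domain"] = m.group(1).lower()
    return results


def inspect(raw: bytes) -> dict:
    """Classify one message and return the flags a client could colour or tag on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"])
    auth = parse_auth_results(msg["Authentication-Results"])
    # A DKIM pass vouches for the From: domain only when the signing domain is the
    # same one (DMARC-style alignment). Scammers can DKIM-sign mail from a domain
    # they registered themselves, so "dkim=pass" alone says nothing about the sender.
    aligned = auth.get("dkim") == "pass" and auth.get("dkim_domain") == from_dom
    internal = from_dom in INTERNAL_DOMAINS and aligned
    flags = []
    if from_dom in INTERNAL_DOMAINS and not aligned:
        flags.append("From: claims an internal domain but has no aligned DKIM pass")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    subject = str(msg["Subject"] or "")
    if not internal:
        subject = "[EXTERNAL] " + subject
    return {"from_domain": from_dom, "internal": internal, "flags": flags, "subject": subject}


# Two constructed messages: the spoofed one mirrors the pattern in the thread
# (internal-looking From:, webmail Reply-To:), the other is genuinely internal.
SPOOFED = b"""\
From: Jane Doe <jane.doe@examplecorp.com>
Reply-To: jane.doe.ceo@webmail.example.net
To: john@examplecorp.com
Subject: Transfer
Authentication-Results: mx.examplecorp.com; spf=fail smtp.mailfrom=bulk.example.net; dkim=none

Hi John, I need you to process a transfer payment swiftly.
"""

LEGIT = b"""\
From: Jane Doe <jane.doe@examplecorp.com>
To: john@examplecorp.com
Subject: Q3 numbers
Authentication-Results: mx.examplecorp.com; spf=pass smtp.mailfrom=examplecorp.com; dkim=pass header.d=examplecorp.com

Attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, inspect(raw))
```

Two caveats a deployment has to respect: the `Authentication-Results` header is only trustworthy when your own MTA strips any copy that arrived from outside before adding its own, and the exact-domain membership test here does nothing against examplec0rp.com-style registrations, which need the lookalike comparison on top.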

------
rubberstamp
I can't believe 15000 firms have fallen into that trap. Shouldn't you first
verify who you are paying? The accountant should've verified with her by
calling her. No transaction is that urgent that it has to be done in an hour.

~~~
rwmurrayVT
It appears the CEO was purportedly on international calling. Perhaps this
wasn't an immediately available option.

------
Zikes
It sounds like there's a real market for a simple 2FA system for approving
large/urgent transactions like this. Something like Google Auth, but with a 30
minute window as opposed to seconds, to keep email viable.

Alternatively, the window could be made smaller if the accountant's 2FA client
kept a short history of valid codes and timestamps.

Then again, without a systematic lockout (i.e. putting this restriction into
the bank account itself) then the 2FA system could probably be socially
engineered away just like any other safeguard.
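
The 30-minute-window variant of TOTP proposed above is a one-line change to the standard algorithm (RFC 6238 is HOTP from RFC 4226 over a time counter; only the step size differs), and the "short history of valid codes" is just accepting the previous window or two. The block below is an added example, not code from the original comment or from Google Authenticator; the secrets and payment details are constructed. It goes one step beyond the comment, as labelled in the code: the approval code is also bound to the amount and beneficiary, so a code that is socially engineered out of an approver for one wire cannot be replayed to approve a different one. That does not remove the last caveat the comment raises; only a limit enforced by the bank itself does that.

```python
import hashlib
import hmac
import struct
import time

STEP = 1800      # 30-minute window, as the comment proposes (RFC 6238 itself uses 30 s)
DIGITS = 8       # 8 digits keeps a blind guess at 1 in 10^8 per attempt


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226: take 4 bytes at an offset given by the
    low nibble of the last MAC byte, clear the sign bit, keep the low digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, at=None, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP over the number of whole steps since the epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def transaction_code(secret: bytes, amount_cents: int, beneficiary: str, at=None,
                     step: int = STEP, digits: int = DIGITS) -> str:
    """Addition beyond the comment: mix the payment details into the MAC input so
    the code is only valid for this amount and this beneficiary in this window."""
    now = time.time() if at is None else at
    msg = struct.pack(">Q", int(now // step)) + f"{amount_cents}|{beneficiary}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


def verify_transaction(secret: bytes, code: str, amount_cents: int, beneficiary: str,
                       at=None, step: int = STEP, back: int = 1) -> bool:
    """Accept the current window and up to `back` previous ones (the 'short history'
    from the comment), comparing each candidate in constant time."""
    now = time.time() if at is None else at
    for k in range(back + 1):
        expected = transaction_code(secret, amount_cents, beneficiary,
                                    at=now - k * step, step=step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed shared secret; a real one is generated randomly and provisioned
    # to the approver's device out of band, never sent by email.
    secret = b"example-shared-secret"
    code = transaction_code(secret, 2_500_000, "GB00EXAM00000000000000")
    print("approval code for this wire:", code)
    print("same wire, still valid:",
          verify_transaction(secret, code, 2_500_000, "GB00EXAM00000000000000"))
    print("same code, different beneficiary:",
          verify_transaction(secret, code, 2_500_000, "GB00EVIL00000000000000"))
```

The RFC 6238 test vector (secret `12345678901234567890`, time 59, 30-second step, eight digits gives `94287082`) is the quickest way to confirm the HOTP core is right before changing the step; it is what the accompanying assertions check.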

~~~
Nutmog
I know someone whose dad lost tens of thousands through a text message scam.
They asked for his password, and his hardware 2FA device code, and the code
sent back to him as text message. He gave all of that to an anonymous person
through text messages!

------
wolfgke
That's why firms should use email signatures for any email that is supposed to
be assumed to be authentic. In other words: The boss should have to sign this
kind of email with his private key. The public key distribution problem is
solved rather easily in firms (i.e. this is the job of the local admin) as opposed to
the open internet.

So not using well-known best practices (email signatures created with private
key) is simply stupidity and these firms get what they deserve.

------
elchief
Some poor lady at work got "fired" by our "ceo". She cried. She got unfired.
Not sure why a scammer would try that exactly...

~~~
eli
That sounds more like a co-worker or someone else with a grudge, not a scam

------
jqm
No extradition treaty between France and Israel? That seems kind of strange.

------
morgante
I don't understand how you would ever think it's reasonable to make a large
transfer based on just a strange email from your boss. At least get them on
the phone.

~~~
laumars
Some CEOs run a company that way though. They will be blunt and impatient;
often sending e-mails like "just get it sorted". I can completely understand
how some might not even question the e-mails as being out of character.

~~~
r00fus
As another commenter said above - these are the ripest targets for such bogus
boss scams.

------
mny1
Isn't this potentially a great idea for a start-up?

A SaaS solution which simplifies / streamlines companies’ internal (and
potentially external) approval processes. I am no expert in this area but a
quick google search shows only solutions which look cumbersome and overly
complex (or come as part of large and probably fairly inflexible CRMs).

I would probably target SMEs first, ie the sort of companies mentioned in the
article.

Anyway, if anyone thinks there may be an opportunity here and wants to talk
about this a bit more, drop me an email (address in my profile).

