Screenshot of a CEO fraud mail in which Prof. Dr. John Doe asks for help.

Business E-Mail Compromise / CEO Fraud

Summary

  • With BEC/CEO fraud, criminals send e-mails in the name of superiors and try to persuade those affected to take ill-considered actions such as buying gift cards.
  • CEO fraud e-mails often urge people to hurry and have an atypical style of language for the supposed sender.
  • Only the use of digital signatures offers real security regarding the true origin of e-mails.
  • Report suspicious e-mails to TUD-CERT and warn your colleagues!

Introduction

Business Email Compromise (BEC) or CEO Fraud aims to deceive employees by misusing the identity of their superiors. This form of fraud poses a serious threat to universities and companies alike and can cause millions of dollars in damage.

Criminals take advantage of the fact that the sender name and sender email address in unsigned emails are generally not trustworthy and can be freely chosen on the sender side. This is comparable to letters or postcards, on which you can also write any sender address. In contrast to conventional phishing attempts, which usually involve links to untrustworthy websites or malicious attachments, criminals use CEO fraud to try to persuade their victims in a conversation to take ill-considered actions. Typically, this involves the purchase of gift cards worth several hundred or thousand Euros. However, there have also been known cases in which transfers in the millions have been initiated: The Pathé case, for example, was picked up by the media with $21 million in damages.

How to recognize fraud attempts

While in conventional phishing e-mails with malicious links or malicious attachments, the sender’s e-mail address and name have practically no relevance and can be freely chosen by the attackers, business email compromise, or specifically CEO fraud, is a special case, as a conversation requires to maintain a communication channel. Attackers usually achieve this by combining a real sender name (typically that of a superior) with an e-mail address that actually exists but does not belong to the alleged sender name (and is controlled by the criminals instead).

In the example below, the e-mail pretends to be from Prof. Dr. John Doe, but was sent from the email address officialhead115@gmail.com controlled by the attackers. Replies to this email are therefore sent directly to the criminals, but not to the actual e-mail address of Prof. Dr. John Doe.

Header of an e-mail in which the sender's name Prof. Dr. John Doe does not match the e-mail address officialhead115@gmail.com.

Unfortunately, some e-mail programs only display the sender’s e-mail address after several clicks, which makes it difficult to quickly check for legitimacy. This is particularly a problem on smartphones, where the small displays reduce the immediately visible information to a bare minimum. For example, in the screenshot below, the sender’s e-mail address is missing:

Depiction of a CEO fraud e-mail on a smartphone. The sender's e-mail address is not displayed.

The procedure required to display the sender’s e-mail address depends on the app in use. Typically, a short or long tap on the sender’s name provides more information. Alternatively, check the e-mail on a PC before you think about replying. If you are unsure, ask your colleagues for advice or report the email to TUD-CERT.

Apart from the sender’s e-mail address, e-mails of this scam type convey a high level of urgency (“as soon as possible “), which is similar to conventional phishing attempts. In addition, their language style is often atypical for the perceived sender. However, you can only be absolutely certain of the authenticity of an e-mail if it has been digitally signed by the sender.

Dealing with fraud

The fact that Business E-mail Compromise is not just a theoretical problem becomes clear to us at TUD-CERT every day as we process incoming reports. In order to curb these fraud attempts, we block the sender e-mail addresses used by criminals as quickly as possible, but we are heavily dependent on your support. Unfortunately, fraud attempts are sometimes successful, which usually results in financial losses for those affected. We know from other universities that we are not the only ones to be confronted with such cases.

If you’re curious what dangers lurk in a reply to such malicious e-mails and how exactly the criminals proceed, we have prepared a graphic example of a case that occurred at TU Dresden in November 2023. The communication is anonymized and the victim’s messages have been rephrased, but the criminals’ incoming messages have not been changed.

12:10
12:12
12:13
12:15
12:18
12:19
12:23
12:30
12:46
12:53
12:57
13:02
13:05
13:37
13:57

Fortunately, the criminals’ greed was their undoing and the victim broke off communication right in time due to growing skepticism.

Report

How to report phishing attacks to minimise the threat.

If an E-Mail seems strange to you, please forward it to TUD-CERT. We evaluate them and initiate countermeasures if necessary. This way, we can reduce the risks of phishing e-mails, take phishing websites offline at an early stage and analyze malware distributed via E-Mail.

Currently we provide phishing reporting plugins for Microsoft Outlook and Mozilla Thunderbird, which can be used to submit questionable E-Mails to TUD-CERT with just a single click. For further details, please take a look at our installation and operating instructions. Alternatively, if you use E-Mail client software for which no reporting plugin is available, you can forward suspicious E-Mails directly to us via cert-meldung@mailbox.tu-dresden.de, ideally in raw format with complete header data. Please note that we will process all reports promptly, but will only get back to you if there are any follow-up questions.

Microsoft Outlook

The phishing report plugin for Outlook adds a button to the ribbon bar to report the currently selected E-Mail directly to TUD-CERT.

Screenshot of the Outlook plugin in use

Below you can download the plugin directly, for details please consult our installation and operating instructions.

Mozilla Thunderbird

Our phishing reporting plugin for Mozilla Thunderbird adds a report button to the message area, which can be used to report the currently displayed E-Mail directly to the TUD-CERT.

Screenshot of the Thunderbird plugin in use

The plugin can be installed directly from Thunderbird via the official Mozilla Add-On Website. For details please consult our installation and operating instructions. The Thunderbird plugin is available under an open source license, further development can be tracked in the associated repository on GitHub.