Spot the difference – can you tell the difference between a real CEO email and a fraud? Karl Sigler, Threat Intelligence Manager at Trustwave, shows you how
Fraudsters have been using email as a medium ever since its inception, and most people probably believe they can spot a fraud from a mile away.
However, while individuals will still see Nigerian princes offering them a share in their fortunes, email fraud is increasingly being used by professional cybercriminals targeting businesses.
In the US, the FBI has recently estimated losses in the region of hundreds of millions of dollars because of Business Email Compromise (BEC), and we are seeing an increase in the number of businesses reporting CEO fraud emails. Unlike the generic email blasts that have become a running joke, these emails are targeted and the best of them are difficult to spot.
The basic premise is that the attacker sends an email, pretending to be the company’s CEO or another senior executive, usually to someone who is high up within the organisation in a department like finance or HR. The email will generally request sensitive information or for money to be transferred, and may also attempt to get the target to download a malicious file. These attackers are well informed: they will have a plan of which organisations they want to target and will have found the name and address of the CEO and other key people. Popular, professional social networking sites often make this task easy.
Can you spot the fraud?
Like other areas of cybercrime, CEO fraud attacks are increasingly well co-ordinated campaigns, and we are beginning to see the same attempts hitting different companies. Below is an example of a real scam email we have encountered, with the names and addresses changed:
From: Robert Smith <email@example.com>
To: Sue Brown
Subject: Please get back to me asap
Sue, Please do you have a moment? Am tied up in a meeting and there is something I need you to take care of. We have a pending invoice from our Vendor. I have asked them to email me a copy of the invoice. I will be highly appreciative if you can handle it before the close of banking transactions for today. I can’t take calls now so email will be fine.
The email contains many of the common tactics scammers use to trick their victims into complying. The message is short, and the request for payment is urgent. They also claim to be held up in a meeting, preventing them from being contacted by phone to verify the request. An apparently urgent email from the boss like this will have many employees rushing to comply, even if the request seems unusual. If you were to reply and were particularly astute, you might notice that the Reply-To address is different from the From address. This is an indication that the email may be a scam.
From: "Robert Smith" <firstname.lastname@example.org>
To: "Sue Brown" <email@example.com>
Subject: Please get back to me asap.
Reply-To: firstname.lastname@example.org
User-Agent: Roundcube Webmail/1.0.6
This is just one example of a CEO scam. Another example (below) takes a much more direct approach: it asks you to process a fund transfer and provides you with all the necessary details to complete the transaction. Again, it will appear to be sent from the CEO and will likely follow some back-and-forth emails with the scammer:
I need you to process a fund transfer into the bank detail below:
Amount: $28,850
Bank name: Bank xxxxx
Account name: xxxxx
Account num: xxxxx
Swift code: xxxxx
Route num: xxxxx
Key Interbank: xxxxx
Bank address: xxxxx, xxxxxxxxxxxxxx, xxxxxxxxx
Kindly get back to me with an electronic wire report confirmation when it’s finally processed.
More recently, we have come across fraudulent emails with attachments that point to malware. These emails include a PDF document with an image asking you to update your application. If you click on the image, it prompts you to download a malicious data-stealing executable from a Dropbox link. While most professionals should hopefully know not to download attachments from strange emails, combining this with CEO fraud takes email malware to a new level.
Subject: Payment
Attach: ORDER-002.pdf (35.6 KB), payment-info@#002.gz (49.9 KB)
Hello, Kindly download payment and revert.
Regards,
Sent from my iPhone
Countering the fraud at the email gateway
Unlike more generic spam emails, fraud emails are targeted and low in volume, so they can go undetected even with the use of spam filters. There are, however, a number of options which can provide protection at the email gateway and keep the targets safe.
The misspelt domain name
This is where the attacker owns a misspelt domain name which closely resembles your domain but is usually off by one character.
From: "CEO Name" <email@example.com>
In this case, regular expressions can be applied to the From: line in order to identify the misspellings. Below are two regular expressions for a domain called example.com. These expressions are useful not just for these scams, but for phishing in general. For efficiency, the regexes assume the first character is never changed, which is a fairly safe assumption because otherwise the domain would not look similar enough. Simply copy the pattern and apply it to your own domains.
Character Substitution Regex
This expression identifies a domain where one of the letters in the domain has been replaced. It works by checking each letter for substitution (for instance [^m] means "any letter but m").
@e(?:[^x]ample|x[^a]mple|xa[^m]ple|xam[^p]le|xamp[^l]e|xampl[^e])\.com
Character Addition Regex
This expression identifies a domain part where a character has been added. It works by matching even if a single extra character has been added between each pair of letters [.?].
Unrelated From Address but CEO name in From line
This is where the CEO's name will appear in the From "real name" area in the From line (perhaps also with the CEO's email address). However, the actual From: address is unrelated.
From: "CEO Name" <firstname.lastname@example.org>
or
From: "email@example.com" <firstname.lastname@example.org>
To identify this sort of attack, header regular expressions can be used to look for the CEO's name or email address in the From line, combined with an inbound rule. The secure email gateway has the concept of an inbound message, where the message is addressed to a local recipient. At the email gateway, the CEO should typically not be sending inbound mail, only outbound mail. The regex can be fairly simple, like the one below:
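The three gateway checks described above (character substitution, character addition, and the CEO's name on an inbound message), worked through as an added example that is not the article's own code: the substitution pattern is generated exactly as the article shows it for example.com, the addition pattern and the inbound rule are my constructions following the article's description, and the domain, CEO name, address and sample header lines are constructed assumptions.

```python
import re
# Constructed values for this demonstration (assumptions, not from the article).
DOMAIN = "example.com"
CEO_NAME = "Robert Smith"
CEO_ADDR = "robert.smith@example.com"

def substitution_regex(domain):
    """Article's substitution pattern: the first character of the label is assumed
    unchanged; each later position may be any character except the original."""
    label, tld = domain.split(".", 1)          # labels assumed alphanumeric
    alts = [label[1:i] + "[^" + label[i] + "]" + label[i + 1:]
            for i in range(1, len(label))]
    return "@" + label[0] + "(?:" + "|".join(alts) + r")\." + tld

def addition_regex(domain):
    """My construction of the addition pattern: exactly one extra character after
    the first letter, so the genuine domain itself does not match (optional .?
    between every letter pair would also match the real domain)."""
    label, tld = domain.split(".", 1)
    alts = [label[1:i] + "." + label[i:] for i in range(1, len(label) + 1)]
    return "@" + label[0] + "(?:" + "|".join(alts) + r")\." + tld

LOOKALIKE = re.compile(substitution_regex(DOMAIN) + "|" + addition_regex(DOMAIN), re.I)
# CEO's display name (any whitespace between parts) or CEO's address in the From line.
CEO_IN_FROM = re.compile(r"\b" + r"\s+".join(CEO_NAME.split()) + r"\b|" + re.escape(CEO_ADDR), re.I)

def classify(from_line, to_line):
    """Return the gateway rules a message trips: 'lookalike-domain' and/or
    'ceo-name-inbound' (inbound = addressed to a recipient at DOMAIN)."""
    hits = []
    if LOOKALIKE.search(from_line):
        hits.append("lookalike-domain")
    inbound = re.search(r"@" + re.escape(DOMAIN) + r"\b", to_line, re.I)
    if inbound and CEO_IN_FROM.search(from_line):
        hits.append("ceo-name-inbound")
    return hits

# Constructed sample header pairs (From, To), modelled on the article's three cases.
SAMPLES = [
    ('From: "Robert Smith" <robert.smith@example.com>', "To: sue.brown@example.com"),
    ('From: "Robert Smith" <rsmith.ceo@webmail.invalid>', "To: sue.brown@example.com"),
    ('From: "Robert Smith" <robert.smith@examp1e.com>', "To: sue.brown@example.com"),
    ('From: "Accounts Payable" <ap@exarmple.com>', "To: sue.brown@example.com"),
    ('From: "Sue Brown" <sue.brown@example.com>', "To: orders@vendor.invalid"),
]

if __name__ == "__main__":
    for frm, to in SAMPLES:
        print(classify(frm, to) or ["clean"], "<-", frm)
```

The last sample is legitimate outbound mail and trips nothing; the first shows that even an exact copy of the CEO's address is flagged when it arrives inbound, which is the point of the inbound rule.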
CEO fraud emails have been increasing, not just in volume but in variety too and the use of malware shows how the scammers are evolving in their attacks. Implementing software to prevent this type of attack is only part of the solution. Staff must be made aware of this type of email and educated on typical inconsistencies which could indicate a scam. Having clear policies in place about how payments are verified and sensitive information is handled, particularly over email, will also help prevent employees from being fooled. If policies are set in stone, staff will be confident enough to question suspicious requests, rather than simply complying anyway to avoid ticking off the boss.