In June 2015, the US-based technology company Ubiquiti incurred a loss of over $46m as a result of a scam involving an email sent to the company’s finance department, purporting to be from an employee. In this type of scam, the email usually claims to originate from an executive or other senior member of staff, and instructs a member of staff to make a payment transfer – allegedly to cover a corporate transaction – but which actually passes the funds into an account under the control of the fraudster.
The FBI has stated that attacks of this nature typically cost companies between $25,000 and $75,000 per incident, with an estimated total loss of over $2bn over the three-year period to 2016. These scams are often made more convincing by the use of a specially registered, brand-specific domain name, which can be used to construct a convincing ‘from’ address for the email, or by ‘spoofing’ the originating email address so that it appears to have been sent from an account within the company’s official network. Organisations can mitigate the risks associated with such techniques (to some degree) by implementing a policy of purchasing defensive domain-name registrations, by proactively monitoring for the registration by third parties of cybersquatted or typosquatted variants of the company’s official domain name, and by using technical controls such as DMARC, which provides visibility of cases where email addresses have been spoofed. Part of the solution is also raising awareness of this type of scam amongst employees, and putting in place policies such as two-factor authentication (for example, confirming details by direct telephone call in cases where money transfers are to be made).
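The two technical controls mentioned above, DMARC and monitoring for lookalike domains, can be illustrated with a small script. The following is an added example, not code from the article or from NetNames: it parses a DMARC TXT record to show whether the policy merely reports spoofing (p=none) or actually enforces against it (p=reject), and it checks the domain of an inbound ‘from’ address against the company’s official domain for typosquat and homoglyph lookalikes. The domain names and DMARC records are constructed sample values, and the similarity threshold is a hypothetical choice.

```python
"""Assess a DMARC policy and flag lookalike sender domains (added example)."""
from typing import Dict

# Constructed sample DMARC TXT records for two hypothetical domains.
SAMPLE_DMARC: Dict[str, str] = {
    "example-corp.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.com; pct=100",
    "weak-example.com": "v=DMARC1; p=none; rua=mailto:reports@weak-example.com",
}

# Common character substitutions used in lookalike domains (not exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Hypothetical threshold: domains within this edit distance are treated as lookalikes.
LOOKALIKE_DISTANCE = 2


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('tag=value; tag=value') into a tag/value map."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_assessment(record: str) -> str:
    """Classify the DMARC policy: 'enforcing', 'partial', 'monitor-only' or 'invalid'.

    p=none still delivers aggregate reports (visibility of spoofing) but does
    not ask receivers to reject or quarantine spoofed mail.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    return {"reject": "enforcing", "quarantine": "partial", "none": "monitor-only"}.get(
        policy, "invalid"
    )


def normalise(domain: str) -> str:
    """Lower-case a domain and collapse common homoglyph substitutions."""
    domain = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain: str, official_domain: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for an inbound sender domain."""
    if sender_domain.lower() == official_domain.lower():
        return "official"
    distance = edit_distance(normalise(sender_domain), normalise(official_domain))
    return "lookalike" if distance <= LOOKALIKE_DISTANCE else "unrelated"


if __name__ == "__main__":
    for domain, record in SAMPLE_DMARC.items():
        print(f"{domain}: DMARC policy is {dmarc_assessment(record)}")
    # Constructed sender domains seen on inbound payment-request emails.
    for sender in ("example-corp.com", "exarnple-corp.com", "example-corp.co", "gmail.com"):
        print(f"{sender}: {classify_sender(sender, 'example-corp.com')}")
```

A ‘lookalike’ verdict is a signal for the finance team’s out-of-band confirmation step rather than an automatic block, and a ‘monitor-only’ DMARC verdict is a prompt to move the policy towards quarantine or reject once the aggregate reports show legitimate mail sources are correctly authenticated.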
The ‘CEO email’ scam is, unfortunately, only one type of online scenario where company employees are impersonated for fraudulent gain; the occurrence of the fake social media profile is also increasingly common. The use of fake profiles on networking sites such as LinkedIn can be one way for fraudsters to establish networks of contacts, with the goal of identifying suitable candidate recipients for their highly-targeted scam emails.
Fake company executive profiles on social media can also be used by cybercriminals in a number of other ways, such as:
- Forming part of a highly convincing advance-fee fraud
- As a way of using social engineering to extract sensitive company information
- As a means of collecting contacts for the distribution of malware
A study published in late 2016 found that, of the Fortune-500 company CEOs with a presence on Twitter and/or LinkedIn, 19 per cent were represented by multiple Twitter accounts and 9 per cent by multiple LinkedIn accounts, with the inference being that many of these duplicate accounts were likely to be fakes. The scale of this issue highlights the importance of organisations putting in place a programme of monitoring for the appearance of fraudulent profiles online. Once identified, it is often possible to have the fake content removed by sending a takedown notice to the social media site in question, many of which consider impersonation or fraud to be grounds for deactivation of an account.
As with many types of fraud, individual employees should also be encouraged to be on the lookout for suspicious activity. On social media, non-legitimate profiles may feature a number of indicators that they are not genuine, such as unusually small numbers of contacts, ‘friends’ or endorsements for the profile, a lack of detail or accuracy in the profile’s history, or the use of an account that is neither ‘premium’ nor ‘verified’.
David N. Barnett is head of analysis and consultancy in the Brand Protection team at NetNames (a CSC company), and author of Brand Protection in the Online World (Kogan Page, December 2016). People Management readers can save 20% with code BMKPM20 when they buy the book.