Lions & Lambs: A Story of Social Engineering Fraud
Disclaimer: For privacy reasons, the identity and certain event details described in the Lowers & Associates #OurStory series have been modified.
Over the last several weeks, the Lowers & Associates (L&A) team has shared security insights on LinkedIn through a series we called “Our Work, Together.” Applicable across multiple industries and for companies of all sizes, these insights are drawn from L&A’s collaborative approach and decades of risk mitigation experience.
To build on this concept of shared work, we now want to turn the lens inward on our subject matter experts to gain a deeper understanding of how they acquired these insights. Specifically, we want to understand how their claims investigations or assessment experiences, for example, have shaped their current approach to risk mitigation.
In “Our Story, Together,” some of what you’ll read will be entertaining, some of it will be cringe-worthy, some of it will be downright sad. Part of our success over the last 30 years, though, is recognizing and celebrating that our team is the sum total of its experience – good, bad, and ugly. Our shared personal experiences help our team shape perspective, communicate empathy, and define purpose, all of which inform our investigative and consulting work and add value for our clients. Every L&A client requires a certain level of focus, and our team sharpens that focus by appreciating the journey together.
While this work together helps our team write its story, protecting our clients’ people, brands, and profits enables your business to write (and tell) its story. And we believe there’s still a great deal we can learn from each other.
This week, Brad Moody tells a story of social engineering fraud that, had the CEO created the culture of a high-reliability organization, may have had a different outcome (click here for L&A’s HRO resources).
Brad, one of the memorable jobs that has stuck with you involves the lion-loving CEO. What happened with that?
Brad Moody: So, I deployed to the location on behalf of our client, an insurance carrier, to investigate a client of theirs that experienced a huge loss that may or may not have been a cyber event. Our job was to figure that out. Well, what quickly became apparent was that the wire transfer process in place was well-documented, performed, and controlled. However, the CEO of this company was very aggressive and very intimidating to employees, and what looked like a cyber event was actually a social engineering fraud that was enabled by the CEO’s behavior.
What happened was, this CEO mentioned on social media that they’d be attending a conference at a specific time, and engaged with visible “marketing” dialog back and forth with the CFO of the same company (who was also set to attend this event), tagging one another in this public forum. Eventually, the Controller of the company also got in on the discussion. For a bad actor, this was plenty of evidence that, during that time, certain high-level decision-makers would be absent from and perhaps not paying full attention to operational details.
The bad actor in this fraud did indeed take advantage of all this information and created a fake domain name, switching two letters in the company’s name, like a lowercase “l” (el) and an uppercase “I” (eye) scenario. At the same time, the bad actor engaged with the HR department of the company in question under the guise of applying for a job. What they were really trying to understand was the email signature and naming convention (was it first initial and last name, full name separated by a period, etc.). They did that until they eventually got a return email, which gave them the next piece of information they needed.
From there, the actor identified the CEO, CFO, and Controller’s email nomenclature and email signatures, which they were able to ascertain through a series of emails and out-of-office replies. At that point, the actor had enough information to carry out the fraud. Using the fake domain, the actor developed a fake email trail that began with the fake CEO “emailing” the fake CFO about sending a wire transfer. Affirming this fraudulent transfer, the fake CEO email then forwarded the series of fraudulent messages to the REAL Controller, demanding that this wire transfer be made, to the tune of over $8 million.
The message from the fake CEO to the real Controller was a very convincing message about how they were all out of office, and it needed to happen immediately for this top-secret merger and acquisition, etcetera. Unfortunately, the Controller wasn’t looking closely enough at the signature and prior chain of emails, but recognizing that this was a unique situation, responded by clicking Reply All, to which a response was sent to the fake CEO and the fake CFO asking for confirmation that the wire transfer was real. The bad actor replied as the CEO, “Yes, I told you to make this happen, it needs to happen in the next 10 minutes.”
What’s comical about this is that the actor actually gave the wrong routing instructions for the delivery of the initial wire transfer, and the bank actually rejected it – it was to an offshore account in Singapore that didn’t exist because the bad actor had already closed it from another fraud! So, the actor replied to the Controller with the correct routing number, to which the Controller promptly wired the money. The CEO wrote back and insisted that it hadn’t gone through, so the Controller tried again, and in a matter of minutes, this company lost not just $8 million, but $16 million.
That’s a rough one. What did your investigation reveal about how this happened and what was the coverage they had in place?
Brad Moody: Well, one of my recommendations ended up being around their control process. On paper, it looked good, but it was missing steps. There were obviously a few things that went wrong in this scenario, but clicking the Reply All button, that was bad. If the Controller had typed in the email of the CEO and CFO, autofill would have helped the Controller out. Likely, they would have noticed the discrepancy in time and there would have been at least some hesitation, for sure. But I’ve seen this exact thing happen now in three different fraud cases after the fact, so it continues to work for the bad guys.
Once we’d printed everything out, we were able to see clearly what happened. At this point, the FBI had been engaged and everyone was looking at what went wrong, but our job was to determine on behalf of the insurer if this was a cyber-crime or social engineering. Unfortunately for this business that experienced the loss, this was an act of social engineering and their policy only covered social engineering up to $10,000.
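The Reply All failure above works because the fake CEO and CFO addresses sit on a domain that differs from the real one only by a confusable letter, so the “confirmation” goes straight back to the attacker. As an added illustration (not L&A’s tooling, and using a placeholder domain rather than the company in the story), the check below flags recipients whose domain is a lookalike of the legitimate one, by collapsing visually confusable characters and by catching single-character edits or swapped letters:

```python
"""Flag reply-all recipients whose domain merely looks like the company's own."""

LEGIT_DOMAIN = "example-corp.com"  # placeholder, not the company in the story


def skeleton(domain: str) -> str:
    """Collapse visually confusable characters so lookalikes compare equal.
    The table is illustrative, not exhaustive (assumption)."""
    s = domain.lower()
    for pair, single in (("rn", "m"), ("vv", "w")):
        s = s.replace(pair, single)
    return s.translate(str.maketrans({"l": "1", "i": "1", "|": "1", "o": "0"}))


def edit_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by one insert/delete/substitute or one adjacent swap."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diff = [k for k in range(len(a)) if a[k] != b[k]]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    if len(a) > len(b):
        a, b = b, a
    return any(b[:k] + b[k + 1:] == a for k in range(len(b)))


def classify(address: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for one recipient address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == legit:
        return "internal"
    if skeleton(domain) == skeleton(legit) or edit_distance_le1(domain, legit):
        return "lookalike"
    return "external"


def suspicious_recipients(addresses):
    """Addresses that would silently route a Reply All to a lookalike domain."""
    return [a for a in addresses if classify(a) == "lookalike"]


# Constructed Reply All recipient list: the CEO and CFO entries use a capital I
# in place of the lowercase l, the kind of swap described in the story.
REPLY_ALL_TO = ["ceo@exampIe-corp.com", "cfo@exampIe-corp.com",
                "controller@example-corp.com", "auditor@partner-firm.com"]

if __name__ == "__main__":
    for addr in REPLY_ALL_TO:
        print(f"{addr:32} {classify(addr)}")
```

Any address classified as “lookalike” is a reason to stop and verify out of band, which is the phone call Brad recommends below.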
What was the fallout?
Brad Moody: There were some other things we noticed going on, and this looked to be an actor that had some familiarity with the group. The CEO also had some odd things going on in their personal life, but removing the CEO from their role at the company was as far as it went, and no one went to jail.
In terms of process, you know, we went in there, and it’s our job to quantify the loss. This was a true breakdown in controls, driven by a lack of empowerment in the organization. It’s something that’s very simple and that can happen. But you think about process and, we’re still people, right? Just pick up the phone and call somebody! Sure, email and text are easy, but those can offer diminishing returns sometimes.
Another thing to remember is that banks aren’t required to stop or shut down transactions; they are given instructions on what to perform, and if you tell them an action is OK, it goes. So, as part of this process, for example, there should have been a call to the bank from the company that indicated before it happens, “Hey, I’m going to be performing this large transaction.” Part of the training is the relationship building with your financial institution, it’s so important.
This CEO really had their people tightly wound, huh?
Brad Moody: When we walked into the CEO’s office, it was shocking, actually. You know how some people have inspirational posters of some mountain top and it says, “Life” or something? This CEO had a picture of a lion and the message said “Intimidation is the only way to rule your employees” or something to that effect. Turned out this person was the one who got their lunch eaten.