The Cloned CEO Email Scam: The Hack That Could Bankrupt Your Company

Over the past three years, companies have lost well over $3 billion to scammers who use cloned CEO emails to get money wired to them. This number is expected to rise sharply as so-called BEC (Business Email Compromise) scams have increased 1,300% since 2015. In other words, there is something about these scams that makes them seem legitimate to those targeted.

This is not your simple Nigerian prince scam, which randomly targets victims. This scam targets specific companies of any size, but especially those which have international connections. This is because the scammers need to have the money they steal sent to international banks, which are primarily in China. So if your company has business dealings with China, pay special attention to the information in this post.

The gang(s) behind this scam first do research to identify appropriate companies. When they find a potential victim, they will try to get into its network in the usual spear-phishing way. This may be, for example, a legitimate-looking email from a vendor asking the victim to visit a certain site or download a certain document. In so doing, of course, the victim is installing malware on their network-connected device. Once inside the network, the attacker learns more and more about the company. They eventually identify those employees responsible for transferring payments. The malware enables them to read all of the communications that occur with the financially-empowered victim. The attackers are especially interested in communications from those higher in the organization which ask the employee (victim) to make a money transfer. The attackers clone this correspondence and use it when they later target the victim to send money to them. The message below is an example of this.


At other times, the attackers find a similar email in the victim’s inbox and clone it, as in this case.


The attackers may further cover their tracks by sending such requests when a CEO is on a business trip or vacation. This may make it more difficult for the person receiving the request to check for the legitimacy of the transfer by conferring with the CEO and, therefore, increases the likelihood of the scam’s success.

The FBI has identified 5 variations of this scam.

Scam Variation 1:

 A trusted supplier sends an invoice to the company. The invoice appears to be legitimate. The account may not have the same number as the usual account, but the invoice will explain they need the money sent to this alternate account. Almost as soon as the money is received in this new U.S. account, it is transferred to the scammer’s overseas account.

Scam Variation 2:

 A request for a money transfer is made from the compromised email account of someone in the higher levels of management. These scams are difficult to spot since the email address checks out. The request seems perfectly legitimate. Sometimes, the financial institution (bank) itself receives the request to send money from a legitimate account to an account at another bank. Possibly, some reason is given for this. If the bank/financial institution sends an email back to the executive to confirm the transfer, the attacker can intercept the email and okay the transfer.

Scam Variation 3:

 An employee’s email account is compromised. This email is used to send requests to clients/associates for invoice payments to be sent to a specific, attacker-controlled account. These invoices will look identical to ones that these entities may normally receive from the company and, therefore, may arouse no suspicion. Again, if the vendor does not check on the request through a phone call, they will not know they were scammed until they receive an almost identical, but valid, request with the regular account number.

Scam Variation 4:

 Scammers posing as lawyers or as employees of a law firm contact an executive and convince him/her that money needs to be quickly transferred to head off some sensitive development. The emphasis is on performing this transfer quickly. These scams take place towards the end of the work day or work week so that it is difficult or impossible for the executive to check the veracity of the claim.

Scam Variation 5:

 A compromised executive’s email account is used to ask an employee in charge of taxes or personal employee information (e.g. HR or accounting) to send them copies of this data. The attackers, posing as the executive, may ask for W-2 tax information or other personal data on employees. This can actually precede one of the above variations as the attackers want to identify those employees who may be working with fund transfers. They may, of course, simply want to use this information to perpetrate some sort of tax fraud or to sell this information on the deep web. It is also possible that such attacks can be used for industrial spying purposes.

So what can you do?

As cybersecurity expert Brian Krebs notes, “I’m always amazed when I hear security professionals I know and respect make comments suggesting that phishing and spam are solved problems.” True, they are not. They are the most used methods to compromise individuals and, through them, a corporate or institutional network. Just ask the DNC.

The anti-phishing security firm PhishMe points out, after successfully fending off a CEO clone attack, that

“ – Intrusion Prevention Systems did not stop this attack.

– Application White Listing did not stop this attack.

– Two-Factor Authentication did not stop this attack.

– Sandbox technology did not stop this attack.

– Next-Generation endpoint protection did not stop this attack.

– URL-Rewriting did not stop this attack.

– Big-Data-Machine-Learning-Hadoop-Clusters did not stop this attack.”

There are, however, some basic preventative measures that you can take. If the attacker is spoofing a CEO’s email address, you will see the correct address in the “From” line. It will look like this: Joe Smith <>. However, if you push “Reply”, you will suddenly see a new email address in the “To” line, which may look something like, Joe Smith<>. This will be the fraudster’s true email address.
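The same From versus reply-address comparison can be automated at the mail gateway or in a triage script. The following is an added example, not part of the original post: it parses a raw message and reports any Reply-To address whose domain differs from the domain shown in From. The sample messages and the example.com / example.net domains are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages; example.com / example.net are placeholder domains.
SPOOFED = (
    "From: Joe Smith <joe.smith@example.com>\r\n"
    "Reply-To: Joe Smith <joe.smith@example.net>\r\n"
    "To: accounts@example.com\r\n"
    "Subject: Urgent wire transfer\r\n"
    "\r\n"
    "Please process today.\r\n"
)
CLEAN = (
    "From: Joe Smith <joe.smith@example.com>\r\n"
    "To: accounts@example.com\r\n"
    "Subject: Quarterly report\r\n"
    "\r\n"
    "Attached.\r\n"
)


def _addresses(msg, header):
    """Return the lower-cased addresses found in every instance of a header."""
    values = msg.get_all(header, [])
    return [addr.lower() for _name, addr in getaddresses(values) if addr]


def _domain(addr):
    """Return the part after the last '@' (the whole string if there is none)."""
    return addr.rpartition("@")[2]


def reply_to_mismatch(raw_message):
    """Return Reply-To addresses whose domain differs from every From domain.

    An empty list means a reply would go back to the visible sender's domain,
    or the message carries no Reply-To header at all.
    """
    msg = message_from_string(raw_message)
    from_domains = {_domain(a) for a in _addresses(msg, "From")}
    return [a for a in _addresses(msg, "Reply-To")
            if _domain(a) not in from_domains]


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        hits = reply_to_mismatch(raw)
        print(label, "-> suspicious reply address:" if hits else "-> ok", hits)
```

A mismatch is a reason to hold the message for review rather than proof of fraud, and a request sent from a genuinely compromised account produces no mismatch at all.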

It becomes more difficult if the CEO’s email account has been compromised. It may be impossible to tell a fake from a legitimate request. In this case, the best action would be to ask the CEO in person to confirm the request. Barring that, a phone call could be used. However, it must be kept in mind that elaborate scams could even involve phone or SMS spoofing. CEOs need to make it clear that employees should not hesitate to contact them when any financial transaction needs to be confirmed. Too often, lower level employees are hesitant to contact higher level management because they are afraid they may be looked upon as being an annoyance. This addresses the corporate culture as a whole.

Companies and institutions should be familiar with the billing habits of their associates. Scammers will often make invoices look similar to past invoices and the amounts requested will be reasonable. Always be cautious of invoices asking that payments be transferred to a new account. Always check account numbers. Do not verify requests through phone numbers that may be listed on the invoice. Use phone numbers that were on previous, legitimate invoices.

Having a company email server may be a safer option, but it is not foolproof. Good phishing scams can get through corporate network firewalls to do their dirty work on employee email accounts. Educating employees responsible for making money transfers is probably the best practice. In addition, having management that encourages or even requires double checking all transfers can be helpful. This only highlights the fact that cybersecurity for any company or institution is a team effort.

