• CEO email fraud becoming rampant with hackers targeting high officials

    In August 2015, a top official of one of the Indian regulators wrote a note to his IT team asking what they were doing to protect his emails. The official had enough reasons to be concerned as every decision that the regulator takes directly impacts the economy. The official’s fears weren’t unfounded too. Email hacking is now the leading information security concern among chief executives in India.

    Over the past one year, there has been a sharp uptick in email fraud. Hackers are increasingly targeting the top management of companies to retrieve confidential information, costing them millions of dollars. Tarun Wig, co-founder of Innefu Labs, an authentication security firm, says email hacking is the latest and probably one of the biggest challenges of information security. “In the corporate environment everyone is scared their email could be compromised, the impact of which could be on the professional or personal level.”

    Indeed, hacking of CEO mails is now rampant globally. According to the US Federal Bureau of Investigation, a scam in which criminals impersonate the email accounts of CEOs has cost businesses around the globe more than $2 billion in just over two years. The FBI has seen a sharp increase in “business email crime,” a simple scam that is also known as “CEO fraud”, with more than 12,000 victims affected globally and a 270% increase in the number of identified victims and exposed loss since January 2015, including in India.

    Easy Targets: The targets are usually high-level executives (CEOs/ CFOs etc) at medium and large organisations. The attackers target businesses working with foreign suppliers or businesses that regularly perform international money transfers. In India, examples are legion. The CEO of a Noida-based organisation was blackmailed into paying $40,000 to a group of people who had hacked into his mail and found pictures of him in compromising positions. In January, one of the “unicorn” startups in India discovered that a malware had entered the system.

    The malware had surreptitiously lurked on the company’s systems, invisible to most eyes and targetted the email ids of the CEO, CFO and eight other senior executives. It then began sending emails to an unknown server in Europe. Fortunately for the company, “nothing important was compromised”. In another case, a well-known CEO of a big Indian company, who is now retired, was targeted. Last October, the CEO got a threatening mail from a person who claimed to possess private emails. Some mails were sent as proof. The sender demanded money for not making public the emails. The CEO called a cyber-security expert who found that a hacker had managed to access his emails while he was in Europe. The cyber security expert believed that this was a targeted attack.

    The security expert refused to share the detail whether or not the money was paid to the hacker or what were the contents of the email. “While globally BEC (business e-mail compromise) is on the rise India has been among the top targets for hackers in the last one year,” says Burgess Cooper, partner – information & cyber security at EY. Wig says the government too is vulnerable to hacking. “If I want to make money as a hacker I can just hack into 15-20 mail IDs and carry out stock market trading using insider information,” says Wig, who works with government and private companies to combat hacking. There have been several cases in the past of government agencies coming under the glare of hackers.

    Recently, the e-mail account of a finance ministry spokesperson was hacked. Last year, fear of Lalit Modi’s email hacking spooked critical government officials who were reported to be growing rapidly averse to electronic communication for fear of being intercepted or hacked into. In 2014, India ranked second on a list of countries most targeted for cybercrimes through social media, following the US. The National Cyber Security Policy of India, announced in 2013, aims to create 500,000 skilled workers in the field of cyber security in India by 2018.

    “Over 100 billion emails are exchanged every day, and not one of us has got any formal training about using them responsibly. CEOs are no different. Targeting them especially becomes easy as they are generally public faces,” said Saken Modi, CEO, Lucideus Tech, a cyber-security firm. Problem is many Indian companies have become bigger, the hackers are going after the emails of the top guns, say industry trackers.

    In March, Flipkart’s finance chief got an email from an account that looked similar to that of cofounder Binny Bansal, with an instruction to transfer $80,000 to a bank account. Flipkart said it was a spoof where the email originates from an outside source with a falsified name and address and that its email accounts were secure. “Data security is of utmost priority for Flipkart… We use Advanced Encryption Standard (AES) to ensure data security,” says a company spokesperson. While Flipkart, a new-age company, may have put up safeguards against cyber threats, many others may not be prepared to handle such issues, with cyber criminals becoming more and more sophisticated.

    Callous Attitude: Experts say that often the top managers are quite careless. In one instance, the top boss of one of the biggest banks in the country was sitting in the lobby of a Mumbai five-star hotel and checking his bank statements in his emails after using the hotel’s WiFi. “When I pointed out to him that this could be dangerous, he just dismissed the whole thing saying I was being paranoid,” says a partner with a cyber-security consultancy who met the boss to exchange pleasantries. Experts say though there is concern among companies that their emails are prone to attack most of them are still quite casual about dealing with it in a planned manner.

    Many CEOs maintain more than one email thinking that security of one is not important. The opposite is true. “If a hacker can get into one account whose password your secretary knows, rest assured they can hack into all your emails,” claimed an ethical hacker. According to Lucideus Tech’s Modi, it just makes the job of a hacker easier to force their way into an account. If that doesn’t work, the next step generally is to send a targeted spear phishing email from the sales/marketing head with an excel sheet titled say, “Projection Plan – Q1”, which if clicked is enough to give a hacker a lifetime access to the CEO’s system. “Most would fall for it. There is clearly a large gap in the awareness and dependency on emails.” 

    Share This