Business Executive Scams Continue
Scams
May 22, 2025
The NJCCIC continues to receive reports of scams targeting and impersonating business executives using social engineering tactics. Threat actors perform reconnaissance on organizations to target and impersonate business executives, including chief executive officers (CEOs), supervisors, administrators, directors, and managers. They impersonate these high-profile individuals primarily through spearphishing, whaling tactics, and business email compromise (BEC). The threat actors employ email spoofing by creating email addresses similar to legitimate ones and changing the sender’s display name, subject line, and signature. They also create authority and urgency to pressure their targets to immediately act on generic or legitimate business requests without scrutiny.
In one campaign, threat actors impersonated a school principal and sent a phishing email from a non-work domain. They claimed they had information to pass along and asked the target to share their direct phone number. Once the target provided the phone number, the threat actors moved the conversation to text messaging. They further claimed that they were tied up in a meeting and asked about the target’s availability to complete a quick task under the guise of a legitimate business need. If the target was available, the threat actors asked them to go to a nearby store to purchase multiple gift cards with high denominations to surprise the staff and then send pictures of the gift card numbers and PINs. They also claimed they would reimburse the target later.
In a similar campaign, threat actors claimed to be the CEO of a financial institution. The threat actors sent a text message asking about the target’s availability in an attempt to get them to divulge sensitive information or perform unauthorized actions. In another campaign, threat actors impersonated the head of an educational institution. They created a free Gmail account with the impersonated business executive’s name in the username to appear legitimate. They sent similar inquiries to see if the target was available and requested the target’s phone number.
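The sender patterns in the campaigns above (an executive's display name on a non-work domain, a free webmail account with the executive's name in the username, and addresses similar to legitimate ones) can be checked on inbound mail. The following Python is an added example, not part of the NJCCIC advisory; the organization domain, executive names, threshold, and sample headers are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample values (assumptions, not from the advisory).
ORG_DOMAINS = {"example-school.org"}
EXECUTIVES = ["Dana Whitfield", "Marcus Oyelaran"]
LOOKALIKE_THRESHOLD = 0.85  # similarity ratio; tune against your own mail flow


def _letters(text):
    """Lowercase and keep letters only, so 'Dana.Whitfield01' -> 'danawhitfield'."""
    return re.sub(r"[^a-z]", "", text.lower())


def _names_executive(text):
    """True if every part of some executive's name appears in the text."""
    squashed = _letters(text)
    return any(all(part in squashed for part in name.lower().split())
               for name in EXECUTIVES)


def check_sender(from_header):
    """Return the set of impersonation indicators found in a From header."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    # Mail from the real domain (or its subdomains) is out of scope here;
    # exact-domain spoofing is what SPF, DKIM and DMARC address.
    if not domain or any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS):
        return set()
    flags = set()
    if _names_executive(display):
        flags.add("exec_display_name")     # display name changed to an executive
    if _names_executive(local):
        flags.add("exec_name_in_address")  # e.g. free webmail account in their name
    if any(SequenceMatcher(None, domain, d).ratio() >= LOOKALIKE_THRESHOLD
           for d in ORG_DOMAINS):
        flags.add("lookalike_domain")      # address similar to a legitimate one
    return flags


if __name__ == "__main__":
    for header in ['"Dana Whitfield" <principal.office2025@gmail.com>',  # constructed
                   "dana.whitfield.principal@gmail.com",
                   '"Marcus Oyelaran" <m.oyelaran@examp1e-school.org>',
                   '"Dana Whitfield" <dwhitfield@example-school.org>']:
        print(header, "->", sorted(check_sender(header)) or "no indicators")
```

A flagged message is a candidate for an external-sender banner or quarantine review; substring matching on names will produce false positives for short or common names.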
Threat actors targeted a financial institution’s chief financial officer (CFO) to gain unauthorized access. Although the CFO enabled multi-factor authentication (MFA) on their email account, they mistakenly approved the login request without scrutiny. Once the threat actors compromised the account, they impersonated the CFO to send fraudulent emails.
In a sophisticated scheme, threat actors targeted and emailed a business executive of a financial institution. They claimed to be a legitimate vendor and created a purported conversation thread between the business executive and themselves. The supposedly legitimate vendor also created a fake invoice and claimed it was unpaid. The business executive advised them to contact their assistant for confirmation and payment. Ultimately, the scam was identified, and payment was stopped when the business executive reviewed the communications and indicated they did not send those emails. A review of the logs revealed that the business executive’s account was not compromised but that the threat actors falsified the unpaid invoice.
Threat actors in business executive scams attempt to steal sensitive information or funds or compromise accounts. Although the reports highlight the targeting and impersonation of business executives at educational or financial institutions, all organizations should remain vigilant against these scams.
Recommendations
- Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
- Exercise caution with communications from known senders.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Type official website URLs into browsers manually and only submit account credentials and sensitive information on official websites.
- Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
- If the account has been compromised, log out of all devices, revoke any access tokens, and reset passwords.
- Report these scams and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.