How Email Scammers Are Using Marketeer Methods to Target CFOs

December 4, 2018, 12:46 PM UTC

Online criminals are using commercial data providers to target company executives — mostly chief financial officers — for email-based fraud, according to a new report by an email security firm.

Agari published the report, into a British-Nigerian gang known as London Blue, on Tuesday. London Blue apparently started with Craigslist scams before graduating to more sophisticated crimes, in particular, the attack known as business email compromise (BEC) or CEO fraud.

This involves sending emails to executives that purport to come from executives at other companies, typically suppliers. The emails ask for wire transfers, and they often work — this sort of scheme has relieved companies of as much as $100 million apiece, and the FBI said this year that the total losses amounted to $12.5 billion.

The scammers often simply register free webmail accounts to send out their emails, in the name of real people that the recipients would recognize and trust. But how do the scammers know who to target?
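The pattern described above, a trusted person's name on a free webmail address, is something a mail gateway or SIEM rule can check for. The following is an added example written for this page, not code from the article or from Agari: it keeps a small directory of expected senders and the domain their genuine mail comes from, and flags a message whose display name matches the directory while the address domain does not. The contact names, domains, webmail list and sample headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed, illustrative set of free webmail domains; extend it from your
# own mail logs (an assumption for this example, not a list from the report).
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Constructed directory of people the finance team expects mail from
# (hypothetical names and domains): display name -> the domain their
# genuine mail comes from.
TRUSTED_CONTACTS = {
    "Jane Doe": "acme-supplier.example",
    "Bob Lee": "widgets.example",
}

def name_key(display_name):
    """Order- and case-insensitive key so 'Doe, Jane' and 'jane doe'
    resolve to the same person."""
    return frozenset(display_name.lower().replace(",", " ").split())

# Index the directory once by normalized name.
TRUSTED_BY_KEY = {name_key(n): d for n, d in TRUSTED_CONTACTS.items()}

def classify_from_header(from_header, trusted=TRUSTED_BY_KEY, webmail=FREE_WEBMAIL_DOMAINS):
    """Return a verdict string for one From: header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = trusted.get(name_key(display))
    if expected is None:
        return "unknown-sender"          # not a name we protect; other controls apply
    if domain == expected:
        return "ok"                      # name and domain agree with the directory
    if domain in webmail:
        return "impersonation-webmail"   # trusted name on a free webmail address
    return "impersonation-other-domain"  # trusted name on some other unexpected domain

def scan_messages(messages):
    """Return (subject, verdict) for every message whose sender looks impersonated."""
    flagged = []
    for msg in messages:
        verdict = classify_from_header(msg.get("From", ""))
        if verdict.startswith("impersonation"):
            flagged.append((msg.get("Subject", ""), verdict))
    return flagged

# Constructed sample headers, not real traffic.
SAMPLE_MESSAGES = [
    {"From": '"Jane Doe" <jane.doe@acme-supplier.example>', "Subject": "Invoice 4471"},
    {"From": "Jane Doe <jane.doe.acme@gmail.com>", "Subject": "Urgent wire - updated bank details"},
    {"From": '"Lee, Bob" <bob.lee@widgets-payments.example>', "Subject": "Payment instructions"},
    {"From": "newsletter@vendor.example", "Subject": "Monthly update"},
]

if __name__ == "__main__":
    for subject, verdict in scan_messages(SAMPLE_MESSAGES):
        print(f"{verdict:28} {subject}")
```

The name key is a set of tokens so that reordering the name ("Lee, Bob" versus "Bob Lee") does not slip past the lookup; in production the directory would be fed from the vendor master file and the verdict would drive a quarantine or a banner rather than a print.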

In London Blue’s case, the gang does what many marketeers do: they turn to the commercial data providers that have built up extensive profiles of most of us.

“Most recently, the group has relied on a San Francisco-based company to generate ‘leads.’ Using this service, London Blue is able to collect comprehensive information about targets, including name, company, title, work email address, and personal email address,” the report read. “All of the potential targets London Blue collects information on have financial roles in their respective companies.”

Agari said 71% of the targets it had identified held CFO roles — understandable since these are the people holding the purse strings.

Data brokers have traditionally operated very much behind the scenes, but their profile-developing activities are starting to attract more attention — particularly in the European Union, where their tactics could fall foul of the strict new General Data Protection Regulation (GDPR) because people don’t realize their personal data is being collected and glued together in this way.

“This data gives the group the initial information needed to start preparing for their phishing campaigns. After collecting this information, the group then likely conducts further open source research to identify the names of CEOs affiliated with the companies they will be impersonating for their BEC attacks,” Agari’s report read.

More than half the potential victims were in the U.S., the firm said, with the rest being in countries including Spain, the U.K., Finland, the Netherlands, and Mexico.