Successful Product CEO-Fraud – An old scam yet the danger remains present

The publicity around CEO Fraud may have calmed down, yet the scam is not extinct and remains a serious threat. CEO Fraud, also known as ‘bogus boss’, still leads to digital larceny by deception, causing displeasure and high economic damage for companies such as a German company in the rural district of Groß-Gerau in Hesse. Unknown cyber criminals were able to capture a sum of 380,000 euros by successfully using CEO Fraud. In 2016 alone, the total monetary loss worldwide caused by this scam method was about 3.1 billion US dollars. That matched the profit made by Volkswagen in 2017.

Key figures on CEO Fraud in companies

Million euros a year, a group of cybercriminals captured by CEO Fraud in Germany between 2014 and 2017


success rate in CEO fraud attacks according to Info Security Magazine

How is it possible that the success rate remains extraordinarily high several years after the scam was first discovered as a tool of cyber criminals? In the following, we look at the procedures and sophisticated fraud techniques of the offenders in order to better understand why the scam succeeds.

Perfect Planning is half the battle: The Preparatory Stage of the CEO-Fraud

The target of CEO Fraud is usually one single person, in most cases an employee in the accounting department with direct authority to execute bank transfers. To execute the scam and make it appear as authentic as possible, extraordinarily good preparation is needed at the start. The magic word here is social engineering: cyber criminals try to gather as much information as possible about their victim. They find such information on social media channels like Facebook, LinkedIn or Xing. Most of the time, it’s easy to acquire personal information such as job title, place of work or even the complete organizational chart of a company.

Cheating and Feinting: The Offensive Stage of CEO Fraud

Once the fraudsters have gathered enough information on their target, they make first contact and begin the offensive stage of CEO Fraud. The offenders must now establish a certain familiarity with the targeted person. They do this by referring to current company topics in their email. Such a topic could be an upcoming acquisition or the latest sales figures, which can be taken from previous press releases.

To crown the scam, some cyber criminals create an email address that resembles the CEO’s. A perfidious trick here is to replace certain letters with letters that look extraordinarily similar. The letter L in mueller@examplecompany, for instance, can easily be replaced by a capital I. For the ordinary person, this technique, also known as spoofing, can only be recognized by close scrutiny.
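A mail gateway or a finance team's tooling can catch this letter swap automatically. The following is an added example, not code from the article or from Hornetsecurity: it compares a sender address against a list of trusted addresses after folding look-alike characters together, and it goes beyond the single L/I case to cover digits, letter pairs and Cyrillic letters. The `.com` ending, the trusted list and the small confusables table are assumptions made for the example.

```python
import unicodedata
from email.utils import parseaddr

# Assumption: addresses allowed to request payments. The article gives only
# "mueller@examplecompany"; the ".com" ending is added for this example.
TRUSTED = ["mueller@examplecompany.com"]

# Constructed, deliberately small table of look-alike characters.
SINGLE = {
    "I": "l", "1": "l", "|": "l",                  # capital I, digit one, pipe
    "0": "o",                                      # digit zero
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, ie, o
    "\u0440": "p", "\u0441": "c",                  # Cyrillic er, es
}
MULTI = {"rn": "m", "vv": "w"}   # letter pairs that read as one letter


def skeleton(addr):
    """Reduce an address to the form a hurried reader would perceive."""
    s = unicodedata.normalize("NFKC", addr)
    # Map before lowercasing: capital I imitates l, lowercase i does not.
    s = "".join(SINGLE.get(ch, ch) for ch in s).lower()
    for seq, repl in MULTI.items():
        s = s.replace(seq, repl)
    return s


def edit_distance(a, b):
    """Levenshtein distance, used to catch dropped or added characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED):
    """Return 'trusted', 'lookalike', 'near-miss', 'unknown' or 'invalid'."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    if any(addr.lower() == good.lower() for good in trusted):
        return "trusted"
    if any(skeleton(addr) == skeleton(good) for good in trusted):
        return "lookalike"      # renders like a trusted address but is not one
    if any(edit_distance(addr.lower(), good.lower()) <= 2 for good in trusted):
        return "near-miss"      # e.g. a shortened or slightly altered domain
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From headers.
    for header in [
        "Max Mueller <mueller@examplecompany.com>",
        "Max Mueller <mueIIer@examplecompany.com>",   # capital I instead of l
        "Max Mueller <mueller@examplecornpany.com>",  # "rn" instead of "m"
        "Max Mueller <mueller@examplecompany.co>",
    ]:
        print(classify_sender(header), header)
```

Anything classified as `lookalike` or `near-miss` deserves quarantine or a call-back to the real sender before any payment is made.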

Another trick utilized by cyber criminals is the use of an existing email communication. For example, if the offender knows with whom the CEO of a company usually communicates and what topics are usually discussed, the perpetrator can counterfeit such communication. Fake logos and email signatures complete the picture of a completely legitimate email communication.

It’s in the email itself where cyber criminals dig deep into their bag of psychological tricks in order to initiate the transactions they desire. Praise for the work of the targeted person or the buildup of pressure can be used to trick them. Often, the offenders pretend that a transfer of money must be sent as quickly as possible because an important and discreet deal could otherwise fail. It must be discreet so that the targeted person does not inform other colleagues about the affair, which could end the scam.

What accounts for the success of the scam?

In most cyber attacks, employees are the largest risk factor. The Federal Office for Security and IT (in German: Bundesamt für Sicherheit und Informationstechnik, short: BSI) has previously warned the public about the careless handling of personal data. However, companies contribute to this by publishing a multitude of information on social networks for marketing purposes. Just like that, the offenders have little difficulty accumulating a substantial amount of information to assist in the success of their scam.

Another crucial factor of the scam is the psychological component. Cyber criminals specifically and shamelessly exploit emotions like respect and trust for a manager or owner of a business in order to manipulate their victims.

How do I protect my company from CEO Fraud?

A healthy amount of skepticism and the right education are the essentials in the battle against the bogus boss. From the perspective of a company, it makes sense to work against the ignorance of many employees with regular cyber threat information or training events. This way, the tricks of the scammers like the scrambled letters or fake signatures can be specifically pointed out.

Also, the use of an email encryption service provides relief since a fake or missing signature automatically attracts attention. For those who are still unsure despite all these precautionary measures, confirming by telephone with the purported sender of the email is useful. This requires a small investment of time and can prevent a possible scam from even taking place.

Meanwhile, there are instruments and methods to keep such fraudulent emails from ending up in employees’ inboxes. Managed Security Services like Advanced Threat Protection by Hornetsecurity are able to see through complex attack patterns like CEO Fraud and block them in advance using sophisticated forensic systems. Once an attack is detected, ATP sends an automatic notification to the security personnel responsible for thwarting such an attack. As a result, CEO Fraud and other scams have no chance of success and your employees can focus all of their attention on their important tasks once again.

“For your safety” – Beware of fake ING-DiBa emails

Cybercriminals are currently trying to obtain sensitive data from ING-DiBa customers with dubious fake emails. The fake email claims that a problem has occurred during a routine security check of the online banking system. It advises that customers should immediately log on to an external website to avoid troubles with their bank.

However, in reality, this is a phishing attack that tries to collect personal information. In the following blog article, you will learn in detail how to protect yourself from fake emails or phishing attacks.

The fake email from our example

A German ING-DiBa fake email

The adjacent picture shows the detailed structure of the fake email – allegedly sent by ING-DiBa – in an iPhone mailbox. In fact, the email is part of a mass phishing attack and the message was sent fraudulently to a variety of email recipients.

For example, the subject line states “For Your Safety (Reference Number: xyz)”, and the presumably arbitrary character combination was “kx5qrvnzx3h” in this case. Before we redacted the personal information for reasons of data protection, we noticed that the recipient’s address and the sender’s address were the same. This was already a first indication of a fake email.

This scam is not uncommon amongst perpetrators when it comes to gathering information about their randomly selected victims via phishing. Those affected are especially inclined to follow the attached link if the phishing or fake email is opened on a mobile device, as it is in this case. This is particularly true if they are actual customers of the bank mentioned in the email.

In everyday life, too, recipients of phishing emails are quick to follow the link when receiving such an email. The attacker even offers the targeted person an appropriate option in case the recipient does not have an account with ING-DiBa. In our example, the recipient can click a flashy red button to allegedly communicate that he is not a customer of ING-DiBa. The destination of the link, however, is a phishing website, which is intended to harvest user data on a large scale from the mostly unsuspecting victims. The fake security notification of ING-DiBa is not an isolated case.

6 tips to detect phishing or fake emails

With the following tips, you will be able to detect phishing or fake emails to protect yourself from being affected by such attacks.

Feature No. 1: The salutation

It is striking that either a standard phrase is used to address the target person, or the salutation is missing completely. Recipients of phishing emails are very rarely addressed by their full name. This is because fake emails are not isolated cases but often automated emails sent out millions of times. Individual salutations are rather the exception. In our example there was no salutation at all.

Once the victim has entered his details into the corresponding form fields and pressed the confirmation button, the cybercriminal is in possession of the login details. Now he can place orders in online shops under false names or get access to sensitive account or company data. The phishing attack has been successful.

Feature No. 2: Content of the email

A phishing mail is designed to hide its true intentions from the recipient at least until he first clicks on one of the attached links. The following baits are very popular with cyber crooks:

  • Fake emails in the form of alleged PayPal security notifications
  • Phishing emails which seem to come from banks or other institutions
  • Fake email notifications that seem to come from Amazon or eBay
  • Fake security issues in social media accounts that need to be resolved promptly

This shows that cybercriminals are very creative when it comes to fooling their victims.

Feature No. 3: The call to action

Once the attacker has created and sent out his fake email, he urges the recipient to act. In this specific case, the targeted person is initially led to an external page by clicking on a link. This page usually resembles closely the login area of a bank, an online retailer or any other company that offers certain Internet services.

Feature No. 4: The time shortage

An effective means often used by attackers is the limitation of time. This is an attempt to put the victim under stress and distract them. In our example, this is stated as follows: “Please log into your account as soon as possible to avoid any delay in your banking activities.”

Fear-spreading phrases in the subject line, such as “Your account has been suspended” or “An amount has been debited from your account” are also quite popular and common. These sentences cause some recipients to panic, so they follow the attached link without much thought.

Feature No. 5: Questionable buttons and links

In order to successfully carry out the process of phishing, a related link in text or button form is part of the standard repertoire of any phishing or fake email. This is also the case in our example.

Therefore, when it comes to questionable security queries that have a link, we recommend that you do not access these links from your email program. Instead, you should always directly log in to your user accounts via a browser or via the official website of the provider. This applies to online services of any kind.

Feature No. 6: This is how reputable companies and institutions work

As far as the detection of phishing emails or fake emails is concerned, it should always be remembered that reputable companies or institutions would never ask you to disclose personal information via email.

For this reason, various banks regularly point to the problem of fake emails or the so-called phishing mails. One bank states for example:

“Volksbank Raiffeisenbank or BVR will never ask bank customers for personal information such as PIN or account number via email. Neither will we insert a link to online banking in emails or ask bank customers to make test or remittance transfers. These practices are always indicators of attempted fraud.” (Source: Volksbank Raiffeisenbank)

Therefore, you can delete such an email immediately. This is ultimately the simplest way to counter a phishing attack.
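Several of the features above can be checked mechanically before a person ever reads the message. The following added example (not from the article or from Hornetsecurity) scans a plain-text email for four of the signs described: identical sender and recipient, a missing or generic salutation, time pressure, and links that lead away from the provider's own domain. The domain `bank.example`, the sample messages and the greeting patterns are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains the real provider uses (placeholder value).
OFFICIAL_DOMAINS = {"bank.example"}

# Pressure phrases quoted in the article.
URGENCY = (
    "as soon as possible",
    "your account has been suspended",
    "an amount has been debited from your account",
)
GREETING = re.compile(r"\s*(dear|hello|hi|good (morning|afternoon))\b", re.I)
GENERIC = re.compile(
    r"\s*(dear|hello|hi)\s+(valued\s+)?(customer|client|user|sir|madam)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)


def is_official(host):
    """True only for an official domain or a real subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def indicators(raw):
    """Return the article's warning signs found in a plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    found = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    if sender and sender == recipient:
        found.append("sender-equals-recipient")
    first = next((ln for ln in body.splitlines() if ln.strip()), "")
    if not GREETING.match(first):
        found.append("no-salutation")
    elif GENERIC.match(first):
        found.append("generic-salutation")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(phrase in text for phrase in URGENCY):
        found.append("time-pressure")
    for url in URL.findall(body):
        host = urlparse(url).hostname
        if not is_official(host):   # brand name inside a foreign host fails too
            found.append("link-off-domain:" + str(host))
    return found


# Constructed sample modelled on the fake bank email described above.
PHISH = """\
From: Example Bank <victim@mail.example>
To: victim@mail.example
Subject: For Your Safety (Reference Number: kx5qrvnzx3h)

A problem occurred during a routine security check of online banking.
Please log into your account as soon as possible to avoid any delay.
https://bank.example.secure-login.test/verify
"""

# Constructed benign counterpart.
LEGIT = """\
From: Example Bank <service@bank.example>
To: anna.schmidt@mail.example
Subject: Your monthly statement is available

Dear Ms. Schmidt,
your statement for March is ready in online banking.
https://www.bank.example/statements
"""

if __name__ == "__main__":
    print(indicators(PHISH))
    print(indicators(LEGIT))
```

The suffix comparison in `is_official` matters: a host that merely begins with the provider's name, as in the constructed sample, is still reported as off-domain.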

Dangerous Amazon phishing emails cause trouble

Reputable and hardly suspicious – that’s how phishing emails, which have been circulating for several months and which allegedly come from Amazon, reach the mailboxes of many users. The reason for this is that those emails do not appear to be a cunning fraud but quite the opposite. They copy the design of a real Amazon email so well that they are almost indistinguishable for end users. In addition, the cybercriminals use a personalized form of address in these phishing emails, which adds to the credibility of the email.

Example of such an Amazon phishing email

A phishing email personalized in this way is referred to as a “spear phishing attack”. These targeted attacks aim specifically at a single person or group of people. The behavior and personal data of the target persons are researched in advance in order to personalize the spear-phishing email in the best possible way. Those fraud emails can only be identified through the sender address with which they were sent. These can, for example, be as follows:

More detailed information about possible sender addresses, the structure of phishing emails and content can be found here.

What do the attackers want to achieve?


The email refers to the Federal Data Protection Act and requests the victims to verify their data. By clicking on a link, they are redirected to a fake website that is almost indistinguishable from the real Amazon site. On closer inspection, only the URL used does not match that of Amazon.

On the fake sites, the people concerned are then asked to disclose their personal data. Otherwise the hackers threaten to block access to the account, as shown in the example above. This is, of course, a hollow threat. Anyone who responds to this request, however, transmits his data directly to the fraudsters. The cybercriminals use the obtained data to make purchases at the expense of the person concerned or to misuse it for other criminal activities.


Does Hornetsecurity Advanced Threat Protection detect fake emails?


Hornetsecurity Advanced Threat Protection is able to detect the new Amazon phishing emails as well as other targeted attacks. Safety mechanisms including Fraud Attempt Analysis, Identity Spoofing Recognition and Intention Recognition can filter out threats of this kind. A loss of sensitive data can thus be prevented, and Amazon phishing emails do not even reach the mailboxes of a company or its employees.

DDoSage too high for your own protection measures

When Denial-of-Service-attacks paralyze organizations


You often read news reports which state that a DDoS attack was responsible for the breakdown of a company’s website. Such an attack uses hijacked systems to intentionally generate a flood of data which paralyzes a company. Amongst others, email servers are frequently subject to DDoS attacks.


These attacks lead to the unavailability of websites and other services for a certain period of time. This outage of service can span from a few minutes to a few hours and even multiple days. Downtime – a nightmare for every organization.


DDoS attacks are not only able to hit the IT infrastructures of big international firms, which usually have well-engineered security concepts; they can harm smaller companies as well. Public institutions, administrations and authorities are also targets of these attacks. The reasons behind them are manifold: they can be traced back to the pure enjoyment of ‘destruction’, but the intentional harm of competitors or foreign governments can also be motives for these actions. Even hate and vengeance often cannot be ruled out here. For this reason, resorting to a reliable security system is essential.


DDoS attack: Digital vandalism impairs reputation


Each second in which, for instance, a mail server or certain kinds of website services are unavailable is expensive for an organization. This is especially true for companies which primarily process their transactions and offer their products and services online. The same goes for business divisions which handle their customer support services using email. The costs, however, do not only derive from the lost revenue during downtime. Having to quickly take measures of defense and potentially needing assistance from external experts can likewise become a cost driver. On top of everything, the impairment of the company’s reputation is another problem.


A company which the customer does not trust will not be able to have a solid long-term business base. For this reason, it is understandable that nearly 50 percent of affected companies keep quiet in the event of a cyber-attack. The fear of having to publicly admit to damage to their image is too great.

This form of damage control might work in cases of simple cyber-crimes. It does not suffice however when it comes to DDoS attacks or forms of attacks that are a lot more complex. That is because these attacks do not only disrupt the activities and processes of the business unit, but often also cut through to the outside. Customers then notice these disruptions since they are directly affected by them as well.


Reliable IT security concepts are the solution


Companies should therefore be ready for DDoS attacks and every other form of cyber-attack. Security solutions such as the Hornetsecurity spam filter service are able to recognize a DDoS attack on a mail server early enough and to fend it off. In the case of more complex forms of attack, like ransomware or identity theft, it is advisable to use Advanced Threat Protection. This is a security solution which reliably recognizes and inhibits ransomware, blended and targeted attacks as well as digital espionage. Advanced Threat Protection’s (ATP) special analysis engines ensure this process. You can learn more about this here.


How can companies protect themselves from a DDoS attack?


But back to DDoS attacks. To prevent these, companies and authorities should take certain security precautions. The following points show what to do to protect oneself effectively from a DDoS attack.


1. The explosiveness of a DDoS attack


In principle, every organization can become the target of such an attack. Ultimately every firm and every administration must ask itself: “What would be the consequences of an outage of the mail server for me?” This question is important as the impact of a DDoS attack can vary in severity depending on the business environment. Downtime will be considerably worse for a retailer who manages his shop online than for a local craftsman’s establishment. The result however is not much different for either of them. In the end, both want to maintain communication with their customers via email. For this reason a security concept is absolutely essential.


2. IT risk management


It is also important that the company takes precautions and implements specific courses of action in case of a DDoS attack. Should it come to a cyber-attack, a contact person should be immediately available. This could be an IT security officer in the company itself or an external employee of an IT service company, which offers appropriate security services and looks after IT security management.


3. Response to blackmail


Similar to ransomware, a successful DDoS attack can be combined with a demand for money, which is a popular method. This is a profitable business model for cyber criminals, especially because the affected companies often agree to the offenders’ demands to avoid allegedly severe consequences. The BSI advises not to give in to blackmail and to refuse to pay these sums of money. Instead, those affected should get the police involved and get support from professional IT security experts.


4. Implementation of defensive measures


The most important measure against a DDoS attack is to not let it occur in the first place. For this purpose a competent IT security solution is vital – ideally, one that is cloud-based. The reason for this is that these providers have a much more powerful infrastructure and are able to parry even severe attacks without problem. In addition, customers do not have to worry about the installation and maintenance of the hardware and software.


Interview with Tsigab Gebre – Trainee Service Operations Center

Tsigab is doing an apprenticeship at Hornetsecurity. He is from Eritrea and has been in Germany for only three years. Today we would like to introduce him to you.


Please briefly introduce yourself to us.

My name is Tsigab, I’m 26 years old and I have been living in Germany for three years now. I’m originally from Eritrea, which lies north of Ethiopia. In April I started working at Hornetsecurity as an intern and now I am an apprentice here.


Why did you apply to Hornetsecurity?

I have been interested in the job description of an IT-specialist for a while now and was able to gain some experience in my three years in Germany. I came across Hornetsecurity at the employment agency and applied directly for the advertised position.


What does your work routine look like?

At the moment I’m working in the Service Operations area, where I independently create spam rules for our spam filter service. I make sure that spam emails are recognized by our filters and treated as such. In addition, I get a good insight into other tasks that come up here at Hornetsecurity. Right now I’m being introduced to Linux administration and Bash scripting.

You already mentioned it: What have you done before your internship at Hornetsecurity?

It is five years since I first worked in the IT field. Next to repairing computers I also made simple configurations of web servers and networks. From these previous experiences I benefit now. Now I want to improve my expertise and with Hornetsecurity I’ve found the right partner for that.


What do you do outside of the Hornetsecurity offices?

I like spending time with my friends in the garden. We love to care for plants and plant something new. To see how a small seed grows to a beautiful plant is triggering a positive feeling. After the gardening comes of course the pleasure. We relax and look proudly at our work. I always take my laptop computer with me because we occasionally like to play videogames. Furthermore, I like reading books and listening to music. If the weather is nice, I like taking a walk in Hanover to become familiar with my surroundings.


What is your decisive argument for going to work with pleasure?

Clearly my colleagues, who integrated me kindly into the team right from the start. I can always rely on their helpfulness. So I felt comfortable right from the beginning. The work at Hornetsecurity comes right after that. I really enjoy my work, which is very versatile because of the insights into the different departments.


You have been in Germany for three years. What are your plans for the next three years?

Firstly I want to continue my apprenticeship at Hornetsecurity and, of course, finish it successfully. Then it is my wish that I can continue my career at Hornetsecurity as a permanent employee.