Local Sheriff’s Office warns of new cyber business scam in our area

The McCracken County Sheriff's Department has recently become aware of a new scam
called CEO Fraud, or Insider Spoofing.  The scam involves a cyber attacker who
obtains as much information as possible about the targeted company.

The attacker would need to obtain information such as the personnel structure of the
company they are targeting.  They'll need to know everything they can learn about
the individual they plan to impersonate.  The scam targets anyone with a senior role
(the boss) who would possess the authority to initiate money payments.  The attacker
would need to know the person's name, email address and schedule.  At a minimum,
the attacker would need to know that the person being impersonated is out of the
office, preferably out of town.  In addition to the boss's information, the attacker
would need to know who in the organization is able to transfer money, such as the
finance officer.

Sometimes the information can be found on the company's website, where it lists
its employees, their roles and responsibilities, and contact information.

Learning when the boss is out of the office can be a little more difficult.  At
times, the attacker can locate the person on social media sites and monitor their
movements; they could also call the organization and be told he/she is not in the
office.

Once the attacker is ready to conduct the attack, they will email the finance
officer, purporting to be the boss, and request that they initiate a money transfer
to the attacker's bank account.  Sometimes the attacker will spoof the boss's email,
which means they modify the email so that the "From:" field contains the boss's
genuine email address.  At times, the attackers will get the boss to email them, so
they can duplicate the look of his/her email.

When launching the attack, the attacker hopes the finance officer will feel
pressured to send the transfer immediately, without verifying the request with the
boss being impersonated.

If an employee receives an email asking them to transfer funds, it would be
advisable to verify the transfer verbally with the person believed to be sending
the email.