Trojan Emotet

Business Email Compromise – CEO Fraud

The term CEO Fraud or CEO Fraud leaves much room for interpretation and unfortunately often gives the wrong impression. In various articles, as well as in a report of the Federal Criminal Police Office, it is urgently warned that attackers regularly use the tactic of pretending to be CEOs and demand strict silence. Unfortunately only half the truth is shown here and the majority of the tactics are not mentioned.

This method is also known as Business Email Compromise (BES) and is a sophisticated type of fraud that targets both businesses and individuals to transfer money from victims’ bank accounts to criminals.

According to the FBI’s 2019 Internet Crime Report, BEC’s total annual losses in the US alone amounted to $1.7 billion. BEC fraud also accounted for half of all cyber crime losses in the U.S. in 2019, making BEC the biggest cyber threat in terms of economic damage. Insurance giant AIG confirmed this, reporting that BEC was the main reason for companies filing insurance claims against cybercrime in 2018, followed by ransomware and data breaches.

Over the years, these attacks have increased in sophistication, mainly in the field of social engineering. Instead of addressing companies directly, attacks are now directed at customers, human resources departments, suppliers, associated accountants, law firms and even tax authorities. In addition to directly generating or redirecting currency transactions, BEC attacks have been used to fraudulently purchase gift cards, redirect tax returns and even transfer millions of dollars worth of hardware and equipment to the control of cybercriminals.

In very many cases, as even the FBIitself mentions, the attackers use an e-mail address that at first glance is almost identical to the company address. In fact, I became a victim of such a hacker attack after I received an email from a VC employee that contained … instead of Please note that the small “o” (letter) in founders has been replaced by a “0” (number). In the course of this article the domain was changed to protect the identity of the employees.

In this case everything turned out relatively without any harm. Unfortunately, however, there are more and more cases of fraud, which have led to great financial losses. One of the investors of difacturo was faced with such a situation.

The addressed investor makes regularly real estate business in Spain, with which real estates are bought, reconditioned and resold. All legal documents, such as contracts and invoices, are handled by a regional notary in Spain. In this specific case, an invoice of over 200,000 euros was sent by the notary by email, which was verifiably paid (via bank statement) by the investor. After two weeks he receives the message that the invoice sent by the notary has not yet been paid – fraud alert. In the course of the police report and forensic work of the officers, it quickly became clear that the notary’s computer had been infected by a Trojan named Emotet (, which preferentially attacks and infects Office 365 and whose mail server has been manipulated. The notary sent out a correct invoice with the correct bank data, and the Trojan Emotet intercepted the corresponding email, manipulated the PDF by changing the IBAN and sent the adapted email to the recipient.

Since the fraud only became apparent after two weeks, only part of the amount could be recovered.

The reality is, companies invest a lot of money to protect their trade secrets by using firewalls, various hardware and software. By definition, trade secrets are only trade secrets if they are protected accordingly. If there is no appropriate protection and trade secrets are stolen, the responsible person (GF or CEO) acts negligently. If companies are hacked, this must even be reported.

With the OpenSource software of difacturo the negligence, with which trade secrets such as customers, suppliers prices, conditions are written as invoice into a publicly observable system, is to be put an end. We make it possible for the first time that all participants of an invoicing process work with one and the same document, with the result that there is no possibility for incorrect entries or manipulation. Would you like more information on how you can use difacturo to prevent such fraud? Sign up for our monthly newsletter and receive regular relevant updates on e-invoicing, cybersecurity (including SSI) and data protection.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email

Leave a Reply

Your email address will not be published. Required fields are marked *