CEO fraud, or Business Email Compromise (BEC), is a billion-dollar business. Learn about the psychology used to trick people into paying millions of dollars to fraudsters using simple text emails.
Imagine you live in a country where the average salary is €520. Your rent in an affordable neighborhood with water, heating, internet, and electricity is about €300, food €124. Transport is about €20 a month.
€444 just to cover the basics. Beer is about €1.29, some days you really need it.
Unemployment is at 10%. Internet connectivity is good and you have a fiber connection to your home. Everybody needs money. You find some advice on how to get some fast, easy cash.
You find a way of making money by getting companies to pay into your bank account in response to “invoice” emails.
To make it look realistic you register a company with the same name as the “customer’s” Taiwanese manufacturer, and a domain name similar to that of Quanta Computer in Taiwan.
You create fake invoices and send them to the vendor management team: so sorry, we have changed bank accounts due to internal restructuring and are now using subsidiary companies in Europe to take payments for tax reasons.
The first payments come in. Boom! You send the second invoice to a second “customer” and, as easy as pie, the money flies into your business bank accounts. You set up bank accounts in other Eastern European countries, Hong Kong and Cyprus. A Cypriot financial advisor opens a bank account for you and, just like that, you are now an investor!
Three years later the company is closed down. Five years later you are handed over to the United States authorities for a US court appearance and a lengthy jail sentence.
Business Email Compromise (BEC) fraud, also known as CEO email fraud, has been in the news a lot recently because of the sheer volume of deceptive email fraud and the variety of forms it takes.
The majority of the advice is about awareness training and preventative measures to block fake emails imitating companies like PayPal or Bank of America, or even executives or managers. This works most of the time, but it only partially protects against fake external emails. Until better preventative technology is in place, companies and individuals will carry on facing losses in excess of billions of dollars worldwide.
In the case above, the impersonated supplier was the actual supplier used by both Google and Facebook.
The question that puzzled me was “Why does BEC email fraud work so well?”
This question came about after delving deeply into cognitive and persuasive psychology to understand why I made the mistakes I did. My purpose was to figure out my own faults, quirks, quarks, and peculiarities.
During this path of self-discovery, I had eye-opening revelations about human behavior. I finally came upon the answer to why email fraud and phishing work so well.
It was like Adam and Eve eating the fruit from the tree of knowledge of good and evil. It allowed me a deeper understanding of myself and this led to answering the question.
To answer this question in detail requires explaining a number of concepts, including how the brain functions. This is in part a lesson in cognitive psychology, which in turn explains the persuasive psychology.
Once the fundamentals of the cognitive and psychological functions are revealed, how they tie into a billion-dollar email fraud will become apparent, as it did for me.
To better understand how the various aspects of email deception work we need to understand how the brain functions. Quite simply, the brain is trying to process as much information as fast as possible, and this leads to a number of shortcuts it uses to cope with the volume of information it receives.
One of the main methods it uses is pattern matching to identify similar types of information. It then groups or chunks this information together. This is a core component of learning.
Information is grouped or chunked together, e.g. animals, plants, structures, clothing, equipment, emotions, words. Each of these is made up of smaller chunks: animals contain fish, mammals, birds and reptiles. These sub-groups relate back to the original group of information. The brain develops relationships between these information structures, which is how learning and understanding happen.
The brain is very adept at updating the classification of chunked information on an ongoing basis. For understanding, the brain creates context around the information so that it can be recalled more easily. To make encoding and retrieval easier, the brain adds emotional content to a memory. Additionally, it uses a hierarchical structure to classify the importance of information. This applies to people, organizations and experiences.
A call from your mother, father or partner has a higher importance than one from a random person, although a call from a random person is easier to remember when it is out of the ordinary. The same applies to a family member: if they call outside their normal pattern it means something, either good or bad, has happened.
Novelty also triggers dopamine, a feel-good chemical, and the association with the person makes the feeling good or bad. A boss calling or emailing out of the blue asking for assistance is unusual and stands out: cue novelty and dopamine. This triggers other memories associated with the person or situation.
Why would he or she call or email you and ask for assistance? This makes you feel important and boosts self-esteem, or it can trigger the fight-or-flight response and fear in case something is wrong.
How does pattern recognition work in this regard?
The brain quickly identifies the importance of the person in relation to you, as the organizational hierarchy has been imprinted on you. You know the name and role of the CEO/CFO contacting you. Your brain is aware of this based on previous hierarchical patterns from family, school or social structures. Job titles are also easily identified based on previous knowledge.
Because of the person's position in the company, you will automatically be more inclined to follow up on a request and defer to that person's instructions, because of previous experience of complying with authority figures.
To make processing faster the brain goes through stages. First, it takes its time learning, structuring and processing information. When knowledge is new, thinking is slow, methodical and analytical. This is the conscious, analytical processing of information.
Remember learning how to drive? When you first start out it is difficult and takes a lot of concentration to manage acceleration, braking, spatial awareness, vehicle control and following the rules of the road. As you gain more knowledge, experience, and proficiency the processing becomes automated and easier.
How often have you driven home from work and not remembered a thing about the journey? It followed a known pattern of experience with no novelty. When a driver suddenly cuts in front of you, that is out of the ordinary. It stands out due to novelty, and when it interferes with your expectation or desire there is the potential for road rage.
There are two thinking processes. The first is conscious or explicit thinking, which is slow, methodical and analytical. One of its functions is to monitor for changes which stand out.
In the road rage scenario, the cut-in triggered attention because it stood out as something out of the ordinary. It required analytical, manual processing on top of the more subconscious, automated driving processes.
The tricky bit is the unknown wildcard which drives a lot of human thought processes and behaviors: emotions.
Emotions are tightly integrated into your thinking, to help encode information faster and speed up recall. They can also override analytical thought processes and be the cause of errors, as in the case of road rage.
The second process is implicit thinking: automated thoughts, habits and the management of body functions such as breathing, heartbeat and digestion. Once a skill has been developed it moves from slow, methodical, analytical thought into automated subconscious processing.
There are a number of reasons for this; the main one is energy conservation. To reduce energy consumption the brain has to speed up processing, and this is where cognitive shortcuts come into play. The most obvious shortcut is one many are aware of: jumping to conclusions. This is technically a cognitive bias.
Jumping to conclusions is when the brain takes the available information and draws a conclusion based on experience and on other pieces of information, whether directly associated, indirectly associated or even completely unrelated.
In the case of road rage, the driver who cut in front of you is immediately seen as reckless, rude and dangerous, and thus worthy of your righteous anger. When you actually look at the situation, the other driver could have missed seeing you because you were in his blind spot, and was not aware that he had cut in front of you.
In the case of email fraud, a number of biases and cognitive functions are used against you, including the following:
- Cognitive ease
- Task switching (multi-tasking)
- Pattern matching
- Confirmation bias
Each of these can be discussed in detail at a later stage. For now, we will concentrate on the overall email fraud process using these identified processes.
How much psychology and social engineering can be packed into a simple text email?
Think of an onion: when you start cutting and peeling it, apart from making you cry, you find layers and layers of teary oniony deliciousness, as everyone is well aware. A simple text email can have the same levels of complexity and can, in the end, leave you in tears if you fall for it. Let's start peeling this psychological onion to see how far it goes.
The first step is to identify the psychological processes that are being manipulated. Start with an initial list:
- Authority
- Urgency and fear of loss
- Hierarchy
- Reciprocation
- Desire to help
- First and social impressions
- Compliance
- Commitment & consistency
1. Authority is the first onion layer.
This is the most popular method of manipulation and is why this is known as CEO fraud. A large number of emails are sent as if from a CEO or CFO to internal staff to trick them into responding. The purpose is to use the authority of a C-level executive to get somebody to comply. By invoking the CEO, the scammer gets people to automatically trust what is being requested, which allows the scammer to override any objections or questions the person has. It creates doubt and a level of fear, as any challenge could put you at risk.
Surely the CEO is responsible and knows what they are talking about? The request is unusual, but it’s the CEO, right? You can’t challenge them! If you do, you could lose your job or face scrutiny. This fear trigger has the biggest impact because of the brain’s design: fear has a direct pathway to the amygdala and is part of the fight-or-flight response. Triggering it lets it override analytical processing in favor of survival mode. It is well documented that emotions can easily override reason.
2. Urgency is closely coupled with fear of loss, as it forces the mind to focus on the immediate requirement. Fear of loss is a strong driver for action, as people are more inclined to act on it than on a potential gain.
Pain is the biggest driver. In the case of these emails, it can be a loss of business, a personal loss due to a mistake of inaction, or even potentially being fired for not complying with the CEO's demand. When it becomes “important” to act now because it is for an urgent business deal or the acquisition of another company, it all stacks up the psychological pressure.
3. Hierarchy is a subtle aspect; it isn't obvious, but it is part of the brain's associative thought process. The email is sent from a C-level executive deliberately. You have been taught to respect authority and people higher up in the social or corporate structure. The brain uses this to prioritize who it sees as more important and why you should help the person.
It uses the hierarchy to assign priority to requests. If a request comes from a co-worker you will do it because it is reciprocal: you want to be seen as a good person and they will help you back. In the case of a manager or someone higher up, you will do it because you will be seen as cooperative, useful and trustworthy, which can help you climb the corporate ladder in the future.
4. Reciprocation: the implication is that you will be seen as very helpful, and that because you are doing a good job the goodwill will be returned.
5. People by nature want to help; it is part of our social DNA and helps develop good social bonds. It is also a requirement for corporate systems to work. These requests are always phrased as a request for help.
Our jobs are to help other people or to make systems work. In many ways, processes allow systems to work seamlessly and repeatedly. Assistance requests are most often made to create a workaround for a process, or to intervene in one. All BEC email fraud requests aim to change an existing process. Sometimes they will use an existing process instead, but only if a weakness has been found in the process which allows it to be exploited.
6. First and social impressions are a subtle addition, like hierarchy. To make a good first impression is to put your “best foot forward”. This shows you in a positive light and proves you are useful to the company and the people you work with. If you have never had dealings with a C-level executive and you suddenly get a request for assistance, your main consideration is to prove your value and helpfulness.
Being helpful, expedient and efficient means you are presented positively, which will help you in the long run. When you do your job well for a person higher up the social and hierarchical scale, you feel good and know it will benefit you.
7. Compliance is tied to assistance, hierarchy and authority figures. We are trained from a young age to respect our elders and parents and to show deference to authority figures. Being helpful and friendly benefits normal social situations, but here it is used to exploit an individual or company.
8. Commitment and consistency of behavior come into play when a person agrees to help. The first step is responding to the email to see what you can do. Once that response is made it is very unlikely that the person will back out, as they have made a written (or, in the case of a telephone call, a verbal) agreement to comply with the request. Once you have agreed to help you want to be seen as a good person and will carry on helping, sometimes even when you realize something is not quite right.
An extreme example of consistency behavior is an abusive relationship. People know they are in a bad situation, but once in it they don’t want to be seen as a bad person by no longer saying they love the other person or by changing what they promised to do.
Intelligence gathering is an important phase of any phishing or whaling attack. Intelligence is what allows a generic email to become specific with trivial pieces of information. Due to the amount of data loss over the last 2–3 years, the information available for targeting companies is significant. Thanks to Facebook, Twitter, LinkedIn and a host of other social media sites, you can quickly and easily glean enough about almost any person to make an email more targeted.
On top of that, the recent data breach at companies like Apollo has allowed even more accurate corporate data to be used against companies. I have verified some of the data and, based on what I have seen, the accuracy was astounding. A known data source like that, plus the accuracy of social media, makes for highly targeted attacks.
It doesn’t take long to use LinkedIn to build out the corporate structure and roles within a company. You can also purchase highly accurate, current corporate roles with email addresses for a nominal fee.
Once you have that, you can use other websites to confirm email addresses and validate personal information, courtesy of Facebook. Do a bit of reading of what is shared on these sites and it doesn’t take long for targeting to become highly accurate.
For phishing attacks to be successful you have to use the weaknesses in email systems and email clients like Outlook to make your life easier. Luckily for the attacker, it doesn’t take much. The brain also helps to trick you in this case.
The best way to make an email look plausible is through misdirection and misrepresentation. To make an email appear to come from another person, spoofing is used. Spoofing is where you change the presentation of the email so that it appears to be from someone like the CEO. This can be done in a number of ways: a free webmail account with the CEO's name as the display name, a lookalike domain, or, where the company's own domain is not protected by SPF and DMARC, a forged From header using the real domain.
By spoofing you perform the virtual magician’s sleight of hand, keeping the person focused on the CEO’s name and not on the email address. Once a person is fixated on the name, half of the battle is won, because focusing on the name allows pattern matching and confirmation bias to come into play.
Confirmation bias is where you look for information which supports what you already believe. Your focus is solely on the recognized name, and you can easily ignore other signs that it isn’t true or is only partially correct. This is due to cognitive ease and pattern recognition.
The brain recognizes the name and quickly accepts it as correct because the first part matches the pattern of the CEO’s name. You get a quick dopamine reward for recognizing the name and carry on, ignoring that the email address is a Gmail or other random account, or sometimes a lookalike domain.
Email clients make this worse: by default many show only the display name and hide the actual address, to make it easier to recognize who a message is from. Unless you hover over or expand the sender, or look at the raw headers, you accept the display name as the truth. A From header formatted as John Doe <johndoe.ceo@gmail dot com> is shown simply as John Doe, your supposed CEO.
The subject can be anything which will capture attention and will include words such as important, payment or invoice. The tone ranges from conversational to formal, and the message is brief.
The majority of BEC fraud emails get through spam controls because they contain no links or malicious attachments. They are plain text emails, and most phishing protection systems don’t identify them as a threat. Controls which analyze the structure and content of the email are improving, but well-crafted messages still get through.
The body of the email is where the magic happens. This is where the content allows the psychological manipulation to work. It requires the pretext prepared in the earlier phase: the name misrepresentation, with the email coming from John Doe, your CEO.
The body comes in two formats, a long form and a short form. This is the long form format:
The short form follows this format;
A slight variation is the short form used when impersonating managers to finance staff in order to change bank details. The process is the same, with the overall purpose of immediate action and no questions asked.
Short form emails are deliberately brief to signal a busy person. A further variation says the CEO is in a meeting and cannot take calls, but asks for an immediate reply by email.
The email content is structured to manipulate and trigger a response. The brain can’t ignore a question; it triggers a mental reflex known as instinctive elaboration. The question takes over the brain’s thought process, and while you focus on the question all other demands are ignored.
The signature contains “Sent from my iPhone”. This plays on the higher perceived value of Apple products, and these devices are most often used by C-level executives. The fact that the busy CEO is sending it from their iPhone means it has to be important, and it makes it acceptable that they “bend the rules” by using their own device.
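The header and body tells described above (a display name that matches the CEO while the address is a webmail or lookalike domain, a Reply-To pointing elsewhere, urgency and payment language, the “can’t take calls” line, the iPhone signature) can be turned into a screening rule. The following is an added example written for this article, not code from the original page or from any vendor product. The corporate domain, the executive roster and both sample messages are constructed for illustration; the phrase lists are a starting point, not a tuned model.

```python
"""Heuristic BEC screening of a raw RFC 5322 message.

Added example for this article, not code from the original page. The corporate
domain, the executive roster and the two sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical tenant data: the company's real sending domains and its executives.
CORPORATE_DOMAINS = {"example.com"}
EXECUTIVES = {"john doe": "CEO", "jane roe": "CFO"}

# Phrase lists drawn from the patterns described above (urgency, payment, "can't take calls").
URGENCY = ("urgent", "immediately", "asap", "as soon as possible", "today", "right away")
PAYMENT = ("wire", "transfer", "payment", "invoice", "bank details", "account number")
UNREACHABLE = ("in a meeting", "can't take calls", "cannot take calls", "reply by email")


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """Near miss of a corporate domain (examp1e.com) or one that embeds its label (example-com.net)."""
    if not domain or domain in CORPORATE_DOMAINS:
        return False
    for legit in CORPORATE_DOMAINS:
        label = legit.split(".")[0]
        if _edit_distance(domain, legit) <= 2 or label in domain:
            return True
    return False


def bec_indicators(raw: str) -> list:
    """Return the BEC indicators found in one message; an empty list means nothing stood out."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reasons = []

    # Header layer: display name vs real address, lookalike domain, Reply-To redirection.
    role = EXECUTIVES.get(name.strip().lower())
    if role and from_dom not in CORPORATE_DOMAINS:
        reasons.append(f"display name matches {role} {name} but address domain is {from_dom}")
    if is_lookalike(from_dom):
        reasons.append(f"From domain {from_dom} resembles a corporate domain")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # Body layer: the pressure phrases. A plain-text message with no links or
    # attachments is exactly what URL/attachment filters let through, so the
    # text itself has to be scored.
    payload = msg.get_payload(decode=True) if not msg.is_multipart() else b""
    text = (payload or b"").decode("utf-8", "replace").lower()
    if any(p in text for p in URGENCY):
        reasons.append("urgency language")
    if any(p in text for p in PAYMENT):
        reasons.append("payment or bank-detail request")
    if any(p in text for p in UNREACHABLE):
        reasons.append("sender claims to be unreachable by phone")
    if "sent from my iphone" in text:
        reasons.append("mobile-signature pretext")
    return reasons


# Constructed samples: a lookalike-domain CEO impersonation and a genuine internal note.
FRAUD = """\
From: John Doe <john.doe@examp1e.com>
Reply-To: John Doe <johndoe.ceo@gmail.com>
To: Accounts Payable <ap@example.com>
Subject: Urgent - are you at your desk?

Are you available to process a wire transfer today? It is for a confidential
acquisition so please keep this between us. I'm in a meeting and can't take
calls, reply by email.

John
Sent from my iPhone
"""

LEGIT = """\
From: John Doe <john.doe@example.com>
To: Accounts Payable <ap@example.com>
Subject: Q3 board deck

Please find the quarterly summary in the shared folder for review before Monday.

John
"""

if __name__ == "__main__":
    for label, sample in (("fraud", FRAUD), ("legit", LEGIT)):
        print(label, bec_indicators(sample))
```

Run as a script it lists the indicators for each sample: the constructed fraud message trips all seven checks while the genuine note trips none. The header checks are the ones worth wiring into a mail gateway first; the phrase lists will produce false positives on real finance traffic and are best used to raise a banner or route to a second approver rather than to block.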
The following statistics are from an Agari report published in 2018 showing the effectiveness of these campaigns.
- Campaigns last less than 3 days
- 82% Use display name deception
- 10x More successful when email is responded to
- 24% Of all email scams are BEC email scams
- $35,500 Average value
- Most successful attack
The financial impact on organizations is immense. In some cases the same organization, like Google and Facebook, can be targeted repeatedly, especially with invoice fraud. In the case of BEC CEO fraud, they can be large one-off payments. The following organizations have suffered multi-million-dollar losses:
$100 m — Google & Facebook (2013–2015)
€43 m — FACC, Austrian aircraft parts manufacturer for Boeing and Airbus. The CEO and CFO were fired.
$9.5 m — MacEwan University Canada
$75 m — Crelan Bank Belgium
$3 m — Mattel toys. Loss prevented by Chinese police and thanks to a Chinese bank holiday.
$1m — Save the Children Foundation
These only cover some of the reported $12 billion in losses to date. It doesn’t touch on the losses suffered by individuals who are targeted through romance fraud, or real estate transaction fraud when solicitors’ email accounts have been compromised. I also haven’t had time to discuss third-party compromise, which makes spotting this even more difficult.
What can you do?
1. Improve technical spam controls to detect emails using this format.
2. Tag external emails with an “External” banner so that a message claiming to be from the CEO but arriving from outside the company stands out.
3. Publish and enforce SPF, DKIM and DMARC for your own domains so that mail forging your exact domain can be rejected. This stops some of the emails getting through, but not those from lookalike domains or free webmail accounts.
4. Develop strong payment processes with multiple verification steps.
5. Payment authorizers with different staff being able to authorize different payment levels.
6. Separate duties of request processors and bank payment staff.
7. For small companies, process the request over multiple days to allow for checks of validity to prevent mistakes.
8. Use checklists to validate all actions.
9. Confirm requestor details match file records.
10. Confirm recipient bank account details match what is in the request.
11. Never process a payment or bank-detail change on the strength of an email or telephone request alone; confirm it through a contact channel you already had on file.
12. Allow staff to challenge any unusual payment even from the CEO or managers.
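Item 3 above deserves a closer look, because SPF and DKIM on their own do not stop a forged From header: a scammer's own server passes SPF for the scammer's bounce domain, and only DMARC insists that the authenticated domain line up with the one the user sees. The following is an added example written for this article, not code from the original page or from any mail product. The domains, the two DMARC records and the three scenarios are constructed, and the organizational-domain rule is simplified to "last two labels" (a real evaluator consults the Public Suffix List).

```python
"""DMARC alignment: why SPF or DKIM alone do not stop a forged From header.

Added example, not from the original article. The domains, the DMARC
records and the scenarios below are constructed; the organizational-domain
logic is simplified (real evaluators consult the Public Suffix List).
"""
from email.utils import parseaddr

# Hypothetical DMARC TXT records for _dmarc.example.com: monitor-only vs enforcing.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRICT_DMARC = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; alignment modes default to relaxed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (mail.example.com -> example.com)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_header, spf_result, envelope_from_domain, dkim_result, dkim_d, record):
    """Return (disposition, explanation) for one message.

    spf_result / dkim_result are the raw results ('pass', 'fail', 'none');
    envelope_from_domain is the MAIL FROM domain SPF was checked against;
    dkim_d is the d= tag of the validated signature ('' if none).
    """
    tags = parse_dmarc(record)
    _, addr = parseaddr(from_header)
    from_domain = addr.rsplit("@", 1)[-1].lower()

    spf_aligned = spf_result == "pass" and aligned(envelope_from_domain, from_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and bool(dkim_d) and aligned(dkim_d, from_domain, tags["adkim"])

    if spf_aligned or dkim_aligned:
        via = "SPF" if spf_aligned else "DKIM"
        return "pass", f"{via} identifier aligned with From domain {from_domain}"
    policy = tags.get("p", "none")
    why = (f"SPF={spf_result} for {envelope_from_domain or '-'}, DKIM={dkim_result} for "
           f"{dkim_d or '-'}: nothing aligned with {from_domain}, policy p={policy}")
    return policy, why


# Scenario 1: attacker forges the CEO's exact address from their own server. SPF passes
# for the attacker's bounce domain, so a plain SPF check is green; DMARC sees no alignment.
FORGED = dict(from_header="John Doe <john.doe@example.com>", spf_result="pass",
              envelope_from_domain="bounce.attacker-mail.net", dkim_result="none", dkim_d="")

# Scenario 2: genuine mail from the corporate system, signed with the corporate key.
GENUINE = dict(from_header="John Doe <john.doe@example.com>", spf_result="pass",
               envelope_from_domain="example.com", dkim_result="pass", dkim_d="example.com")

# Scenario 3: a lookalike domain the attacker registered and set SPF/DKIM up for.
# DMARC is evaluated against the attacker's own record, so it passes cleanly.
LOOKALIKE = dict(from_header="John Doe <john.doe@examp1e.com>", spf_result="pass",
                 envelope_from_domain="examp1e.com", dkim_result="pass", dkim_d="examp1e.com")
ATTACKER_DMARC = "v=DMARC1; p=none"  # published by the attacker at _dmarc.examp1e.com


def demo() -> dict:
    """Disposition for each scenario under the relevant record."""
    return {
        "forged_weak": dmarc_evaluate(**FORGED, record=WEAK_DMARC)[0],
        "forged_strict": dmarc_evaluate(**FORGED, record=STRICT_DMARC)[0],
        "genuine_strict": dmarc_evaluate(**GENUINE, record=STRICT_DMARC)[0],
        "lookalike": dmarc_evaluate(**LOOKALIKE, record=ATTACKER_DMARC)[0],
    }


if __name__ == "__main__":
    for scenario, disposition in demo().items():
        print(f"{scenario}: {disposition}")
```

The three outcomes make the point of item 3: with `p=none` the forged message is still delivered (the record only asks for reports), with `p=reject` it is dropped, and the lookalike domain passes regardless because the attacker controls that domain's records. That last case is why DMARC has to be paired with the external banner, the payment process controls and the lookalike-domain checks rather than relied on alone.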
These are some of the steps you can take to reduce the risk of fraud. The last piece of advice is to take your time! Legitimate businesses will understand and work with delays; fraudsters always rely on speed and mistakes for their own gain.
Trust but verify: your job could be on the line. I have included a quick checklist which you can download and use. For updates please email me as per the instructions.