Week 25 in review

29.06.2021 - The NCSC received an average number of reports last week. Notable reports include those of CEO fraud, where the CEO's email account was most likely actually hacked, as well as reports of phishing emails that subsequently turned out to be legitimate.

CEO fraud – sometimes a hacked email account is used

CEO fraud usually involves sending a fraudulent email to a company's finance department, supposedly in the name of the boss, and demanding an urgent payment. The information the attackers use to do this comes from the team websites of the victim companies, for example, which list information about their employees' roles and names. The NCSC reported on this in weekly review 20. Usually, the boss's email address is only faked in this type of fraud. Although it looks as if the email originates from the head's account, a closer look shows that the fraudster's email address is hidden behind it. Any reply from the victim is thus sent to the scammer's address.

Last week, however, two cases were reported to the NCSC in which it is suspected that the fraudsters were actually able to hack into the boss's email account. It appears that the victims of the affected companies communicated with their boss's real email address. Clarifications are still under way to determine whether the attackers actually had access to the account or instead managed to install a forwarding rule that automatically forwards all emails addressed to the boss to the fraudsters.

In the event of CEO fraud, also check the affected email accounts for third-party forwarding rules and change the password as a preventive measure.

This is a phishing email – or is it?

The NCSC received reports of the following email: "Hello, you need to re-register on our portal by the end of June!". Clicking on the link in the email opens a website which has no connection with the company mentioned. There, the old password has to be entered in order to register again. At first glance, the case seemed clear to those who reported it: it was a classic phishing attempt. But this was not the case.

In fact, the email did indeed come from the company and the request to re-register was genuine. A change of payment service provider made it necessary to send these emails.

To ensure that such emails are not identified as phishing emails, there are a few things companies should bear in mind:

Send emails in text format, if possible.
Use links sparingly in emails; only link to your own domain and write out the links (https://www.ncsc.ch).
Do not link directly to websites that ask for usernames and passwords or other data.
Indicate the procedure on your website's homepage so that the recipient has the option to enter the company's main address manually and then access the information page from there.
Address customers by their first name and surname, if this information is available.

In another case reported to the NCSC last week, customers received an email from a company claiming that they were entitled to a surprise. After clicking on the link, they could choose from various gifts – including a mobile phone. To secure the gift, the customers were directed to a registration page where they had to enter their customer login name and password. Here, too, attentive internet users immediately suspected a scam. But again, this was not a case of phishing and the email actually came from the company indicated.

There are simple rules to make it as easy as possible for internet users to recognise phishing emails. One of the most important rules of conduct is:

No company will ever ask for a password via email, phone, text message or social media.
Never enter personal data on a form that you have opened via a link in an email.

The cases mentioned unsettle internet users and adversely affect their awareness. The NCSC therefore recommends that all companies follow the above rules.

Finally, it is important to mention that all those who reported these two emails to the NCSC were absolutely right to do so. It is better to be overcautious than not cautious enough. If in doubt, you can ask the company or the NCSC directly.