Hack Day: Who do you think you are?

Jonathan Swift

Have you ever considered how simple it is for your executives to be impersonated online? Our hacker Swifty reveals how it is done.

Have you heard of executive impersonation fraud? You are just about to because I’ve found a way through your systems to impersonate your chief investment officer.

Why him? Going for CEOs and finance directors is too obvious. A less high-profile senior exec who nonetheless has the authority to authorise some very large transactions that only a few people really understand is a really good target.

The biggest challenge was hacking into your email system, but a few careless uses of logins and passwords on laptops and tablets gave me all I needed to start.

It’s no good rushing into this type of fraud. I needed to look at the processes, the people involved and the language used. Once inside your email system this was easy – just a question of being patient.

I then issued my fraudulent email, which appeared to come from the CIO, instructing a suitably authorised employee to urgently execute a financial transaction.

I said the funds were related to a highly confidential situation around an acquisition, and told the employee to speak with no one in the office regarding the transaction for legal reasons.

I asked for a £250,000 fee to be paid to an adviser you have used on large transactions and deals before, but through an offshore office to preserve the high degree of confidentiality around the acquisition.

Inevitably, this was queried, but after several email exchanges with the ‘CIO’ the employee – who was senior enough to authorise such transactions if requested by one of the senior management team – processed the international transfer to the account number provided in the email.

Of course, my study of the hacked emails from the real CIO meant I could replicate his language and tone in my responses.

The email contained a link to a website carefully put together to look like the recipient’s. This was one of those firms that provides no individual contact details on its website, thus deterring people from picking up the phone or sending an email to a specific individual.

Your bank completed a call back to your employee to confirm the transfer was initiated by yourselves and not an outside party. By this time, he was completely sold on the idea of being on the inside of a big deal that was top secret, so he instantly verified the transaction, confirming it had been initiated by the CIO.

And there it was: £250,000 sitting in my account.

Perhaps you should take the advice of a few experts before the next time.


What is the aim of Hack Day?

Insurance Age and Aviva believe that understanding cyber threats is mission critical to the success of brokers today. That’s why Insurance Age is hosting a full website takeover!

As part of the day our intrepid content editor Jonathan Swift (Swifty) is delving into the mind of a malicious hacker and highlighting exactly what they can do to damage your business and the business of your clients. He shows how four types of hack work and the impact they can have.

We also have a series of articles from Aviva’s head of SME, commercial insurance, who explains how to counter the four types of hack and how brokers can protect themselves and their clients.

Throughout the day Insurance Age is also hosting a series of live presentations and panel discussions to highlight the latest thinking around cyber insurance and offer brokers the best insight into this dynamic world.
