How to turn the tables on fake CEO scammers

Scammers should be just as cautious of PDFs as the rest of us.

Graham Cluley
Graham Cluley
@[email protected]

How to turn the tables on CEO wire transfer scammers

CEO wire transfer scams (also sometimes known as whaling attacks, BEC, or Business Email Compromise) are becoming a big problem.

Scammers, impersonating a CEO or other high-up executive inside a company, send an urgent request to a more junior member of staff, urging them to forward sensitive information or transfer a large amount of money.

The problem is that no-one likes to say “no” to the big boss.

Sign up to our free newsletter.
Security news, advice, and tips.

As a result, some companies have had many millions of dollars stolen from them – recently, for instance, I wrote about a European firm which lost 40 million Euros after it was targeted by an email scammer.

Security consultant Florian Lukavsky decided that it was time to fight back against attacks like this, and told the HITB conference how he created a boobytrapped PDF file, capable of grabbing information from any computer on which it was opened.

The Register takes up the story:

“Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters,” Lukavsky says.

“We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information.”

“We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook.”

The information gathered was shared with police, who later arrested the perpetrators.

Lukavsky recommends that companies put in place a variety of organisational and technical defences to prevent themselves from becoming the victims of BEC.

These include:

  • Raising staff awareness of the threat, and common techniques used by scammers.
  • Defining processes for making legitimate payments.
  • Enforcing strict use of business email addresses for business purposes.
  • Not accepting emails with your domain from foreign mail servers.
  • Fully implementing email authentication, making it harder for criminals to spoof your company’s domain name in the “From” field.
  • Using email signatures / encryption (S/MIME / PGP).
  • Marking external emails in the subject line.
  • Strong authentication for web mail users.

For more information, check out the slides from Lukavsky’s presentation.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

8 comments on “How to turn the tables on fake CEO scammers”

  1. Nathan

    I've used the process of scamming the scammer. I did this when I was contacted by a scammer who was acting as a real estate agency for a property in Mexico. I reverse engineered the process and found discovered that the scammer, who called himself Reverend John Tony, was actually Lillian Hernandez who lived in Yonkers, New York. I was able to get her bank account information and once I did, I called her bank and forwarded them the entire email thread. I also did the same with Yahoo. Rev Tony, a.k.a. Lillian Hernandez vanished like a puff of smoke and I never heard from him/her again. Score one for a potential victim.

  2. Lisa B.

    Hmmm. PDF files to booby trap the scammers. How do we *really* know those PDF files at the end of the article are slides from Lukavsky's presentation?


    All kidding aside, it's wonderful to hear when the scammer gets what he/she deserves.

  3. Gadget37

    The problem with this "Not accepting emails with your domain from foreign mail servers." is that this is precisely how email reflectors work. You work on a collaborative email server with other external companies and your own emails come back to you and your colleagues, sourced from your domain but redistributed. Blocking these causes a problem…

    1. Bob · in reply to Gadget37

      If you use DKIM, DMARC and SPF in conjunction with each other then you won't find your emails blocked.

      It's best practice to configure these but seeing all three configured correctly is rare. It's not difficult and is mainly down to the incompetence of system administrators / lack of knowledge / use of legacy systems.

  4. Peter Freeman

    "Scammers should be just as cautious of PDFs as the rest of us"

    Quite so. Oh look, here's another Graham Cluley article with the title
    "Dell has acquired RSA – download a PDF to read all about it".

    A good thing I trust Graham not to mess with his loyal fans :)

    1. Graham CluleyGraham Cluley · in reply to Peter Freeman


      Did you read what I said in that other article? :)

      1. Peter Freeman · in reply to Graham Cluley

        No, but I have now. Lol, you are exonerated and RSA is in the doghouse :)

  5. Michael G. Crooks

    FYI – The live presentation by Florian Lukavsky, titled 'Fake President Fraud Defrauded', dated September 13, is available on YouTube. It is just over 28 minutes duration:

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.