Members of a CERN board were recently targeted by so-called “CEO fraud”, following the same format as the incident that occurred at the end of 2020. CEO fraud is a social engineering method for extracting money from an organisation. It plays on several psychological levers designed to stop the target from thinking consciously:
- Fear, guilt and shame, i.e. making a threat against you or your family (“I know what you did last summer and will tell your family if you don’t…”). Under that pressure, you simply comply because you fear the consequences if you don’t.
- Flattery, i.e. playing on your ego, pride or complacency (and perhaps narcissism) to make you comply.
- Seniority and respect, i.e. you blindly obey because you are instructed by someone much more senior than you, while you are just a little cog in the machine.
- Help, i.e. pretending to be in a difficult or delicate situation and needing immediate assistance.
As in 2020, this “new” fraud played the “help” card against the Board by abusing the name of its president and spoofing his email address (see our Bulletin article on “Emails equal Letters”). It all started on 8 December, when several members of this CERN board received the following message, purportedly from the president:
A friendly opening: a colloquial tone towards the recipient, followed by the need for assistance with a difficult situation. Playing the “help” card. The “From” address was spoofed to look like an address at the alleged sender’s home institute, so a glance at the sender line reveals nothing. The “Reply-To” header, however, had been tampered with and points elsewhere, to a Gmail address: any reply goes to the attacker, not to the president.
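The header trick described above (a plausible “From”, a “Reply-To” that quietly redirects answers elsewhere) is mechanical enough to check automatically at the mail gateway or in a user’s mailbox. The following is an added example, not code from the CERN Bulletin article or from CERN’s mail infrastructure; the two messages are constructed for illustration, and the addresses, names and the free-webmail domain list are assumptions, not data from the incident.

```python
"""Header checks for CEO-fraud style messages (added example, not from the article).

The messages below are constructed for illustration; the addresses, display
names and the free-webmail list are assumptions, not data from the incident.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: personal webmail domains that a real institute would not use
# for official correspondence from its president.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Constructed sample: spoofed From, Reply-To pointing to a Gmail mailbox, and an
# envelope sender (Return-Path) that does not match the claimed institute.
SPOOFED_MESSAGE = """Return-Path: <bounce@mailer.example.net>
From: "Board President" <president@institute.example>
Reply-To: <president.office.1234@gmail.com>
To: member@cern.ch
Subject: Are you available?

Hi, are you around today? I have a delicate matter I need your help with.
"""

# Constructed sample: a genuine message, envelope sender and From agree.
LEGITIMATE_MESSAGE = """Return-Path: <president@institute.example>
From: "Board President" <president@institute.example>
To: member@cern.ch
Subject: Agenda for next meeting

Please find the agenda for next week's meeting attached.
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_headers(raw_message: str) -> list[str]:
    """Return a list of suspicious-header findings for one RFC 5322 message.

    Flags the pattern in the article: a From address that looks legitimate
    while Reply-To silently redirects answers to a different mailbox, plus an
    envelope sender that does not belong to the From domain.
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings: list[str] = []

    # Reply-To may list several addresses; compare each with the From domain.
    reply_to = [addr for _, addr in getaddresses(msg.get_all("Reply-To", []))]
    for addr in reply_to:
        rt_domain = domain_of(addr)
        if rt_domain and rt_domain != from_domain:
            findings.append(
                f"Reply-To domain {rt_domain} differs from From domain {from_domain}"
            )
        if rt_domain in FREEMAIL_DOMAINS:
            findings.append(f"Reply-To points to free webmail ({addr})")

    # Return-Path is written by the receiving MTA from the SMTP envelope
    # (MAIL FROM); if its domain differs from From, the From header was not
    # set by the claimed sender's mail system.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = domain_of(return_path)
    if rp_domain and rp_domain != from_domain:
        findings.append(
            f"Return-Path domain {rp_domain} differs from From domain {from_domain}"
        )

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(f"{label}: {check_headers(raw) or ['no findings']}")
```

A Reply-To mismatch is a signal, not proof: mailing lists, shared mailboxes and legitimate delegations set Reply-To too. Treat a hit as the trigger for the second, independent channel the article recommends (a phone call to a number you already had), not as grounds for an automatic block on its own.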
At this point, vigilance is required. If in doubt, check with us at Computer.Security@cern.ch. Maybe it’s a known malicious scheme. Maybe others have already reported it. In this case, however, some people replied:
The bait taken, a conversation is established. Time to strike:
Fortunately, the recipient now gets suspicious and contacts Computer.Security@cern.ch. Well done!
If in doubt, it’s essential to establish a second line of communication that is less likely to be tampered with, such as a phone call. Proof of identity can be sought by calling the real person on a contact number you already had (not one supplied in the suspicious email), checking whether you recognise their voice, or steering the conversation towards shared details that would be hard to spoof or tamper with. One of the recipients does just this:
… and the attacker tries to dodge the request:
Back to business. But too late: this only creates more suspicion, and we receive another report. Well done, again! Game over for the attacker.
Reporting the scam to Computer.Security@cern.ch enabled CERN to:
- block similar emails from entering CERN mailboxes, and block the attacker’s email address;
- identify other people who had received the scam and warn them (as the Board’s Secretariat did; thank you very much!);
- ensure that the attacker’s IBAN was flagged and blocked from being used at CERN.
This is why vigilance and suspicion are helpful. While you might (and should) be a nice, empathetic and helpful person, don’t be taken advantage of. In particular, don’t fall for such “CEO fraud” attempts. Similarly, don’t let yourself be impressed (or intimidated!) by seniority, by CEO power or by a strong voice. Don’t let yourself be shamed, harassed or intimidated by emails trying to create fear, guilt or shame. These are usually scams, too. Instead, if you have any doubts, involve your hierarchy, the CERN Internal Audit service or Computer.Security@cern.ch. They’re there to support and help you! By acting swiftly, you can help protect CERN when other defences fail. It’s better to ask than to be sorry.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.