In short no, they are not the same, but a lot of people refer to them as if they are
To explain in more detail (and we hate to tell you this) there are more options! 🤦♂️
We like to explain the differences with FOUR options:
Business Email Compromise (BEC)
CEO fraud
CEO impersonation
Response-based phishing
Let’s break it down
1. Business Email Compromise
is where a real email account has been taken over and is being used for nefarious purposes. The takeover is usually achieved by phishing, e.g. an email stating the user needs to log in to their account for some reason; the link goes to a fake login page that captures the credentials (and, increasingly, the session cookie as well, which is how these attacks get past MFA)
The attacker then has access to the email account and will use it to read the user’s mail and to send emails as the user
Now that the attacker has control of the email account, they will also set up inbox rules to hide their actions from the real email user, so:
A rule will delete the attacker’s sent emails, or move them somewhere “hidden” (a new folder or the Archive folder, for example)
Replies to those emails will be moved, again somewhere “hidden” (a new folder or the Archive folder, for example), and sometimes marked as read so that no unread count gives the game away
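A script that hunts for exactly those hiding rules, as an added example that is not code from the original post. SAMPLE_RULES is constructed data and the field names (Name, Enabled, MoveToFolder, DeleteMessage, ForwardTo, MarkAsRead, SubjectContainsWords) are assumptions loosely modelled on the properties an Exchange Online inbox rule exposes; the corporate domain is also an assumption. Point it at your own rule export and rename the fields to match.

```python
"""Flag inbox rules that hide mail from the mailbox owner.

Added example, not from the original post. SAMPLE_RULES is constructed;
the field names are assumptions loosely modelled on Exchange Online
inbox rule properties. Adjust them to whatever your export produces.
"""

CORPORATE_DOMAIN = "example.com"   # assumption: the defended tenant

# Folders a user rarely opens, so mail moved there is effectively hidden.
HIDDEN_FOLDERS = {"archive", "rss feeds", "rss subscriptions", "junk email",
                  "deleted items", "conversation history", "notes"}

# Subject words an attacker filters on to intercept replies and finance traffic.
INTERCEPT_WORDS = {"re:", "fw:", "invoice", "payment", "bank", "wire",
                   "remittance", "password", "verify"}

# Constructed sample export: two attacker rules, one benign rule, one that
# forwards externally, and one disabled rule.
SAMPLE_RULES = [
    {"Name": "Clean up", "Enabled": True, "MoveToFolder": "Archive",
     "DeleteMessage": False, "ForwardTo": [], "MarkAsRead": True,
     "SubjectContainsWords": ["invoice", "payment", "RE:"]},
    {"Name": ".", "Enabled": True, "MoveToFolder": None,
     "DeleteMessage": True, "ForwardTo": [], "MarkAsRead": True,
     "SubjectContainsWords": ["RE:", "FW:"]},
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
     "DeleteMessage": False, "ForwardTo": [], "MarkAsRead": False,
     "SubjectContainsWords": ["newsletter", "digest"]},
    {"Name": "Invoices", "Enabled": True, "MoveToFolder": "Invoices",
     "DeleteMessage": False, "ForwardTo": ["ahan2346bht@gmail.com"],
     "MarkAsRead": False, "SubjectContainsWords": ["invoice"]},
    {"Name": "Old rule", "Enabled": False, "MoveToFolder": None,
     "DeleteMessage": True, "ForwardTo": [], "MarkAsRead": False,
     "SubjectContainsWords": []},
]


def rule_findings(rule):
    """Return the reasons one rule looks like attacker persistence (empty = benign)."""
    if not rule.get("Enabled", True):
        return []          # a disabled rule does nothing, so it is not an alert
    findings = []
    name = (rule.get("Name") or "").strip()
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    intercepts = bool(words & INTERCEPT_WORDS)

    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail")
    if folder in HIDDEN_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder '{folder}'")
    elif folder and intercepts:
        # A custom folder is not hidden on its own, but pairing it with reply
        # or finance keywords is the "new folder" pattern described in the post.
        findings.append(f"moves reply/finance mail to custom folder '{folder}'")
    external = [a for a in rule.get("ForwardTo") or []
                if not a.lower().endswith("@" + CORPORATE_DOMAIN)]
    if external:
        findings.append("forwards to external address " + ", ".join(external))

    # Supporting indicators, only reported once the rule already hides something.
    if findings:
        if rule.get("MarkAsRead"):
            findings.append("marks mail as read so no unread count appears")
        if len(name) < 3 or not any(c.isalpha() for c in name):
            findings.append(f"near-empty rule name {name!r}")
    return findings


def suspicious_rules(rules):
    """Map rule name -> findings for every rule that hides or exfiltrates mail."""
    result = {}
    for rule in rules:
        findings = rule_findings(rule)
        if findings:
            result[rule["Name"]] = findings
    return result


if __name__ == "__main__":
    for rule_name, reasons in suspicious_rules(SAMPLE_RULES).items():
        print(f"{rule_name!r}: " + "; ".join(reasons))
```

The "Newsletters" rule is left alone on purpose: moving mail to a custom folder is normal, so the script only flags a move when the folder is one users never look at or when the rule filters on reply or finance keywords. Run it over every mailbox, not just the one that reported a problem; the same attacker usually sets up the same rule in every account they have phished.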
The two most common resulting actions are:
Financial fraud
Delivering malware (usually ransomware)
The above takes real effort, so a more basic, and far more common, attempt at fraud is:
3. CEO impersonation
is where an attacker pretends to be the CEO (or another person in authority) but does not have actual control of the CEO’s email account
The attacker will send an email from either a newly registered domain that is close in name to the target company (this requires work, and this type of attack is usually carried out by the lazier type of criminal) or, more usually, a freemail account (frequently gmail), relying on the display name to pass as the sender
If our imaginary target company is “example . com” and our imaginary CEO’s name is “Important Person” then they might look like this:
From: Important Person <important.person@exarnple . com> Note the use of r + n in place of the m in example . com
From: Important Person <ahan2346bht@gmail . com> Note that the gmail address doesn’t relate in any way to either the sender or the real company domain
Bonus! 🤣 Additional obfuscation (and we’ve used this one ourselves 🤣) is to add the real email address to the display name, which psychologically reinforces to the recipient that it is genuine, like so:
From: Important Person [important.person@example . com] <important.person@exarnple . com>
From: Important Person [important.person@example . com] <ahan2346bht@gmail . com>
This works particularly well if the recipient’s email client doesn’t display the actual email address by default (mobile clients in particular tend to show only the display name). They all CAN; make sure yours does
This type of phish is most often used in combination with the next option
4. Response-based phishing
is where the attacker uses CEO Impersonation as above and will send a seemingly harmless email along the lines of “I need you to do something for me” or “Are you available”
These are hard for security systems to flag as it’s just text. No attachments, no links. The purpose is to generate a response and then the attacker knows they have the victim “on the hook”
Frequently used lures include:
“I’m just going into a meeting” / “I’m at a conference” / “I’m just boarding a plane”. These are trying to prevent the victim from perhaps phoning the real CEO
followed by:
“Are you available?” / “I need you to do something for me” / and we’ve seen many times the slightly non-native English “Are you on seat?” 🤦♂️
In order to minimise the chance of a security system spotting these, the attacker will often try to get the victim off the corporate systems, where the conversation can be seen, by switching platform and including:
“Send me your WhatsApp number”
Once “on the hook”, this type of attack is often used to try and get the victim to purchase gift cards “for a client” and send back the codes
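The checks described in the CEO impersonation section above (lookalike domain, a real address embedded in the display name, freemail sender) and the text-only lures in this section, combined into one scoring script. This is an added example, not code from the original post. The corporate domain, the executive name list, the lure phrases, the homoglyph table and the three sample messages are all constructed assumptions; swap in your own.

```python
"""Score a raw email for CEO impersonation and response-based phishing signals.

Added example, not from the original post. CORPORATE_DOMAIN, EXECUTIVES,
LURES, HOMOGLYPHS and SAMPLES are constructed assumptions.
"""
import re
from email import message_from_string
from email.header import decode_header, make_header

CORPORATE_DOMAIN = "example.com"                   # assumption: the defended domain
EXECUTIVES = {"important person"}                  # assumption: names staff would obey
FREEMAIL = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
            "yahoo.com", "aol.com", "icloud.com", "protonmail.com"}
# Lure phrases from the post, lower-cased for matching (assumed list).
LURES = ["are you available", "need you to do something", "are you on seat",
         "boarding a plane", "going into a meeting", "at a conference",
         "whatsapp", "gift card"]
# Character pairs that pass for another letter in common fonts (assumed table).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FROM_RE = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^<>]+)>$")


def split_from(header):
    """Split a From header into (display name, real address).

    Hand-rolled rather than email.utils.parseaddr, because the unquoted
    '[...]' in the display name of the post's examples makes parseaddr
    stop at the bracket and return only the first word.
    """
    header = str(make_header(decode_header(header))).strip()   # undo RFC 2047 encoding
    m = FROM_RE.match(header)
    if not m:
        return "", header
    return m.group("name").strip().strip('"'), m.group("addr").strip()


def lookalike(domain):
    """True if the domain differs from ours only by homoglyph substitutions."""
    d = domain.lower()
    if d == CORPORATE_DOMAIN:
        return False
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d == CORPORATE_DOMAIN


def analyse(raw_message):
    """Return (tag, detail) findings for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    display, addr = split_from(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = "" if msg.is_multipart() else msg.get_payload().lower()
    findings = []
    if any(e in display.lower() for e in EXECUTIVES) and domain != CORPORATE_DOMAIN:
        findings.append(("exec-name-external", f"'{display}' sent from {addr}"))
    for embedded in ADDR_RE.findall(display):            # the "Bonus!" trick
        if embedded.lower() != addr.lower():
            findings.append(("embedded-address-mismatch",
                             f"display name shows {embedded}, real sender is {addr}"))
    if lookalike(domain):
        findings.append(("lookalike-domain", domain))
    if domain in FREEMAIL:
        findings.append(("freemail-sender", domain))
    hits = [lure for lure in LURES if lure in text]
    has_links = "http://" in text or "https://" in text
    if hits and not has_links and not msg.is_multipart():   # just text: no links, no attachments
        findings.append(("text-only-lure", ", ".join(hits)))
    return findings


def is_suspect(raw_message):
    """Either header-forgery signal alone, or any two signals together, is enough."""
    tags = {tag for tag, _ in analyse(raw_message)}
    return len(tags) >= 2 or bool(tags & {"embedded-address-mismatch", "lookalike-domain"})


# Constructed sample messages modelled on the post's examples.
SAMPLES = {
    "lookalike": (
        "From: Important Person [important.person@example.com] <important.person@exarnple.com>\n"
        "To: finance@example.com\nSubject: Quick favour\n\n"
        "I'm just going into a meeting. Are you available? I need you to do something for me.\n"),
    "freemail": (
        "From: Important Person <ahan2346bht@gmail.com>\n"
        "To: finance@example.com\nSubject: Hi\n\n"
        "I'm at a conference. Are you on seat? Send me your WhatsApp number.\n"),
    "legit": (
        "From: Important Person <important.person@example.com>\n"
        "To: finance@example.com\nSubject: Board agenda\n\n"
        "Agenda for Monday is at https://intranet.example.com/agenda\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "SUSPECT" if is_suspect(raw) else "ok", analyse(raw))
```

The verdict rule is deliberately lopsided: a freemail sender or a lure phrase on its own is common in legitimate mail, so those only count in combination, whereas a lookalike domain or an address planted in the display name has no honest explanation and is flagged by itself. The executive name list is what makes the first check work; keep it current, because the attacker certainly does.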
Lastly (we’re sure you noticed it was missing): 🤣
2. CEO fraud
This might be plain old embezzlement 🤣 but in the context of email it might refer to any or all of the above
That’s why we don’t think it’s a particularly useful term
The best way to prevent any of these attacks from happening is Security Awareness Training for all staff, backed up by a simple rule: any request to pay, change bank details or buy gift cards is confirmed by phone on a number you already hold, never on one taken from the email
Contact us if you need help in this area