Fraud email masquerading as an email sent by executive

    • Updated: 19 Mar 2021
    • Product/Version: Email Reputation Services All
    • Platform: N/A
Summary

Trend Micro recently observed a wave of targeted scam attacks that starts with an email appearing to be sent from a company's executive(s) to people of influence within their organization (e.g. finance managers). Unlike common email fraud or phishing tricks, these forged emails contain no attachments or URLs. Instead, they carry a modified "Reply-To" header that redirects replies to an attacker-controlled mailbox, which is not easily noticed without inspecting the detailed header information.

Details

Detecting Fraud Emails

Based on data from Trend Micro's Smart Protection Network, at least 40 companies appear to have been targeted in this manner within a single month.

Fraud email sent by executive

Below are some indicators of the fraud email:

  • "From" and "To" use the same domain to make it look like an internal email (e.g. CompanyX.com to CompanyX.com).
  • Domain in the "From" and "Reply-To" fields are not the same (e.g. From: CompanyX.com and Reply-To: external domain like gmail.com).
  • If there is a user agent listed in the mail header, Workspace Webmail or Roundcube Webmail have been observed to be used in several of these emails.
  • The overall content size of the email is small.
  • The content often contains certain words such as "wire" or "transfer".
  • "Reply-to" field often has keywords such as "executive", "ceo", or "chief".

The Trend Micro Email Reputation Services (ERS) team has released patterns to detect this kind of attack for global customers.

Recommendations

  • Always double-check the Reply-To address of important email and make sure the recipient is who you expect before you reply.
  • Pay attention to any inconsistency between the From and Reply-To addresses, especially mutated look-alike domains (e.g. trendrmicro instead of trendmicro).
  • Always report any undetected samples to Trend Micro as soon as possible. See Submitting spam samples.
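The indicators listed under "Detecting Fraud Emails" and the look-alike domain check from the recommendations above can be turned into a simple header-and-body scoring routine. The following script is an added example, not Trend Micro code and not the ERS pattern; it uses Python's standard email parser on two constructed messages (all names, addresses and domains are made up), applies each indicator from the article, and treats a domain within one edit of the organization's own domain as a look-alike, mirroring the trendrmicro/trendmicro example. The 512-byte "small body" threshold and the single-edit distance are assumptions chosen for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages modelled on the pattern the article describes.
# Every name, address and domain below is made up for this example.
SAMPLE_FRAUD = b"""\
From: "CEO" <ceo@companyx.com>
To: finance.manager@companyx.com
Reply-To: "CEO" <chief.executive.office@gmail.com>
Subject: Urgent
User-Agent: Roundcube Webmail/1.4
Content-Type: text/plain; charset=us-ascii

Are you at your desk? I need you to process a wire transfer today.
"""

SAMPLE_NORMAL = b"""\
From: "Alice" <alice@companyx.com>
To: bob@companyx.com
Subject: Lunch
Content-Type: text/plain; charset=us-ascii

Lunch at noon?
"""

REPLY_TO_KEYWORDS = ("executive", "ceo", "chief")   # from the article
BODY_KEYWORDS = ("wire", "transfer")                  # from the article
WEBMAIL_AGENTS = ("workspace webmail", "roundcube")   # from the article
SMALL_BODY_BYTES = 512        # assumption: threshold chosen for this example
LOOKALIKE_MAX_EDITS = 1       # assumption: one edit, as in trendrmicro vs trendmicro


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def local_part_of(header_value):
    """Lower-cased local part (before '@') of the first address in a header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[0].lower()


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain, org_domain):
    """True when domain is a near-miss of org_domain but not identical to it."""
    if not domain or domain == org_domain:
        return False
    return levenshtein(domain, org_domain) <= LOOKALIKE_MAX_EDITS


def score_message(raw_bytes, org_domain):
    """Apply the article's indicators to one RFC 5322 message.

    Returns {"suspicious": bool, "findings": [tags]}. The verdict requires the
    key indicator (Reply-To mismatch or look-alike domain) plus two more signals.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_dom = domain_of(msg["From"])
    to_dom = domain_of(msg["To"])
    reply_dom = domain_of(msg["Reply-To"])
    reply_local = local_part_of(msg["Reply-To"])
    user_agent = str(msg["User-Agent"] or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    text_lower = text.lower()

    findings = []
    if from_dom and from_dom == to_dom:
        findings.append("internal-from-to")          # looks like internal mail
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")  # replies go elsewhere
    if looks_like(from_dom, org_domain) or looks_like(reply_dom, org_domain):
        findings.append("lookalike-domain")          # mutated org domain
    if any(k in reply_local for k in REPLY_TO_KEYWORDS):
        findings.append("reply-to-keyword")
    if any(a in user_agent for a in WEBMAIL_AGENTS):
        findings.append("webmail-user-agent")
    if len(text.encode("utf-8")) < SMALL_BODY_BYTES:
        findings.append("small-body")
    if any(re.search(r"\b" + re.escape(k) + r"\b", text_lower) for k in BODY_KEYWORDS):
        findings.append("body-keyword")

    key_hit = "reply-to-domain-mismatch" in findings or "lookalike-domain" in findings
    return {"suspicious": key_hit and len(findings) >= 3, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("fraud", SAMPLE_FRAUD), ("normal", SAMPLE_NORMAL)):
        print(label, score_message(raw, "companyx.com"))
```

The normal internal message still trips "internal-from-to" and "small-body", which is why the verdict is gated on the Reply-To mismatch or look-alike domain rather than on a bare count of indicators; on its own, each hint in the article is common in legitimate mail.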

Here is a sample of a forged email:

forged email

When replying to the email, the recipient address is changed to the attacker's email address:

Changed email address

Category: SPEC
Solution Id: 1112853