TR-77 - Spear phishing and voice call scams targeting corporate executives and their accounting department

  1. Sample Case
  2. Recommendations
  3. Recommendations if you were victim
  4. Classification of this document
  5. Revision

This is an ongoing voice call scam campaign targeting large companies and SMEs, and more specifically the financial/accounting departments of these companies. The scam has been on the rise in Luxembourg over the past few days (late August 2023).

Sample Case

Below is a sample of the phone call, in English; the call may also be made in French:

My name is 'Maître Guérin'. I am a lawyer from KPMG. I would like to inform you about a pending invoice.

The president will send you an email to confirm the importance and confidentiality of the situation.

Usually a short time later, the victim receives a fake email like the one below, impersonating the president/executive and sent from a spoofed address that resembles the CSSF (or another regulator).

Below is a sample email received by some targets (translated from French; the original was in French):

Subject: Kpmg

Maître Guérin has just informed me that contact has been made.
Here is the current file:
I am currently conducting, together with the law firm KPMG located in France, a financial operation for the acquisition of a company, which is about to be finalised.
At this stage, this operation must remain strictly confidential and under no circumstances must we discuss it within the company at the moment, whether by telephone or in person.
I have myself signed a confidentiality clause with the Commission de Surveillance du Secteur Financier (CSSF), which requires us to follow this procedure.
The official public announcement of this acquisition will take place on 05/09/2023.
Please pay the invoice and send the proof of payment to Maître Guérin so that he can issue the deed of acquisition to the notary.
As a security measure for this file, we will not communicate via my professional mailbox, but only via the secure email address assigned to me by the CSSF (<attacker>.cssf@gmx.com).

Recommendations

  • Conduct regular security awareness training for your personnel and ensure they know about this kind of attack.
  • Ensure that the accounting department is well aware of all verification procedures for wire transfers, especially international transfers. Review the digital signature procedures for wire transfers.
  • Increase the level of control when new bank details are recorded.
  • Verify source email addresses and reply-to addresses.
  • In case of doubt or suspicious emails, employees should contact their IT security staff or CIRCL.
  • Forward such emails (including email headers) or phone call details (including the spoofed phone numbers) to your IT security staff or CIRCL.
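The check on source and reply-to addresses above can be automated as a first triage step before an invoice reaches a payment approver. The script below is an added example and is not CIRCL's code: it parses a raw RFC 5322 message with Python's standard email module and flags the traits visible in the sample above (an executive display name on an address outside the company, a regulator or law-firm name glued onto a free webmail account, a Reply-To that diverts the conversation, and pressure language in the body). The corporate domain, the title and keyword lists, and both sample messages are hypothetical values constructed for the example; adapt them to your own environment.

```python
"""Flag the TR-77 style CEO-fraud traits in a raw email message.

Added example, not CIRCL's code. Domain, keyword lists and the two sample
messages are constructed assumptions for the demonstration.
"""
from email import policy
from email.parser import BytesParser

CORPORATE_DOMAIN = "example.lu"  # assumption: your own mail domain
EXECUTIVE_TITLES = ("president", "ceo", "cfo", "directeur", "managing director")
REGULATOR_OR_FIRM_KEYWORDS = ("cssf", "kpmg", "notaire", "avocat")
FREEMAIL_DOMAINS = {"gmx.com", "gmx.net", "gmail.com", "outlook.com",
                    "hotmail.com", "yahoo.com"}
PRESSURE_PHRASES = ("strictly confidential", "strictement confidentiel",
                    "pending invoice", "facture", "reglement",
                    "proof of payment", "preuve d'execution")

# Constructed sample modelled on the message quoted in the advisory (accents
# dropped so the literal stays ASCII). The address follows the pattern the
# advisory describes: a regulator's name inside a free webmail account.
SCAM_EMAIL = b"""\
From: "Jean Dupont (President)" <jean.dupont.cssf@gmx.com>
Reply-To: attacker.cssf@gmx.com
To: accounting@example.lu
Subject: Kpmg
Date: Wed, 30 Aug 2023 09:12:00 +0200
Content-Type: text/plain; charset=utf-8

Maitre Guerin vient de m'informer de la prise de contact.
A ce stade, cette operation doit rester strictement confidentielle.
Merci d'effectuer le reglement de la facture et d'envoyer la preuve
d'execution a Maitre Guerin.
"""

# Constructed benign message from the real executive for comparison.
LEGIT_EMAIL = b"""\
From: "Jean Dupont" <jean.dupont@example.lu>
To: accounting@example.lu
Subject: Board minutes
Content-Type: text/plain; charset=utf-8

Please find the minutes of yesterday's board meeting attached.
"""


def _first_address(msg, header):
    """Return (display_name, addr_spec) of the first mailbox in a header."""
    h = msg.get(header)
    if h is None or not h.addresses:
        return "", ""
    a = h.addresses[0]
    return a.display_name, a.addr_spec


def _split(addr):
    """Return (local_part, domain) of an address, both lower-cased."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def analyse(raw, corporate_domain=CORPORATE_DOMAIN):
    """Return a list of (finding_code, detail) pairs for the traits found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_name, from_addr = _first_address(msg, "From")
    _, reply_addr = _first_address(msg, "Reply-To")
    from_local, from_domain = _split(from_addr)
    _, reply_domain = _split(reply_addr)

    # Trait 1: display name claims an executive title, address is not ours.
    if from_domain != corporate_domain and any(
            t in from_name.lower() for t in EXECUTIVE_TITLES):
        findings.append(("executive-external-address",
                         f"{from_name!r} sends from {from_addr}"))

    # Trait 2: regulator/law-firm keyword inside a free webmail address.
    if from_domain in FREEMAIL_DOMAINS and any(
            k in from_local for k in REGULATOR_OR_FIRM_KEYWORDS):
        findings.append(("regulator-name-on-freemail", from_addr))

    # Trait 3: Reply-To steers replies away from the From address or domain.
    if reply_addr and (reply_addr.lower() != from_addr.lower()
                       or reply_domain != corporate_domain):
        findings.append(("reply-to-diverts", f"{from_addr} -> {reply_addr}"))

    # Trait 4: two or more secrecy/payment-pressure phrases in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join(body.get_content().split()).lower() if body else ""
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if len(hits) >= 2:
        findings.append(("pressure-language", ", ".join(hits)))

    return findings


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, analyse(raw))
```

A hit on any single trait is not proof of fraud; the value is that a message tripping several of them at once is routed to a human who then calls the executive back on a known number, which is the only verification the scam cannot spoof.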

Recommendations if you were victim

  • Immediately contact your organisation's bank and the destination bank to block the fraudulent wire transfer.
  • File a complaint with the local police or the “service de police judiciaire”.
  • Contact CIRCL if you need technical support or advice related to IT security incidents.

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:CLEAR - First version - 30th August 2023