Not so friendly ghosts: Email ghosting represents threat to organizations

Managers and supervisors expect that employees will follow instructions. This is such a central part of the employment relationship that it goes without saying. However, employees’ instinctual execution of instructions from supervisors can also jeopardize an organization.

This blog has previously covered cybersecurity threats faced by businesses large and small. One particularly insidious threat comes from what is known as “email ghosting.” An email ghosting attack involves hackers setting up a phony email address that mimic the email address of an employee or manager at an organization. Hackers will then send fraudulent requests for information or money.

Krebs on Security recently reported an incident involving the company AFGlobal Corp. According to court filings, the director of AFGlobal’s accounting department received email from an individual claiming to be the CEO of the company:

This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do no speak with anyone by email or phone regarding this. Regards, Gean Stalcup.

Shortly after receiving this email the director of accounting received a phone call and email from someone purporting to be Mr. Shapiro requesting $480,000. The director of accounting wired the money to the provided bank account located in China.

In another example, Krebs reported on another company whose controller received an email purportedly from the company’s CEO requesting all employee W-2s. Employees at the company had recently completed training on identifying suspicious emails, so they were not fooled by the purported CEO’s request.

In even more sophisticated versions of this kind of attack, hackers will gain access to an organization’s internal email server in order to observe patterns of communication between employees and management. When a manager leaves for a scheduled vacation, the hackers can take advantage of the absence by sending emails to employees requesting sensitive information, or authorizing movement of funds to bank accounts overseas. These attacks depend on employees’ willingness to follow instructions, and weak internal controls to verify the authenticity of a request.

The FBI reported the following statistics from these email ghosting attacks for the period October 2013 through August 2015:

Total U.S. Victims: 7,066
Total U.S. Exposed Dollar Loss: $747,659,840.63
Total Non-U.S. Victims: 1,113
Total Non-U.S. Exposed Dollar Loss: $51,238,118.62
Combined Victims: 8,179
Combined Exposed Dollar Loss: $798,897,959.25

These statistics reflect the increasing volume and risk posed by email ghosting attacks. In many of these cases, stronger internal controls will help employees identify unusual requests. For example, many of these attacks can be defeated by requiring employees to talk to managers before performing certain tasks like transferring money. Organizations should consult with legal counsel about developing policies to identify and prevent these kinds of attacks.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.