Corporate email spoofing is the new fraud haunting biz groups

A new type of cyber fraud – complete email spoofing – is haunting top corporates in Mumbai.

While the cyber crime police station (CCPS) of Mumbai police has so far registered two cases, more than a dozen corporate houses, including MNCs and a chain of fitness centre firm, have approached them with similar cases. Typically, in such type of fraud, the fraudster spoofs the exact email ID of director or managing director of the company and sends email to chief finance officer, asking them to immediately deposit money in a bank account given in the email.

Explaining the modus operandi, a CCPS officer told dna that the chief finance officer of a company typically gets an email from the managing director asking the CFO that how soon can he forward money through RTGS or NEFT? "The email will also have an account number. The unsuspecting CFO then transfers the money into that account, without realising that it was a fraud email."

Asked how prospective victims can identify a spoofed email, the officer said, "Only after going through the full-header or logs of the suspected email address, it can be revealed that the email was a spoof or not. In most of the cases which has been received by us, while the spoofed email was of different managing directors and directors of companies, the full-header analysis revealed that they were sent from one exec.m@exces.com. Earlier the cyber-fraudster used to make small alterations while spoofing an email ID, but now they are spoofing complete corporate email ID of top bosses and send them to the finance officers. We suspect one person is involved in all these cases and is operating from abroad."

One of the two organisations that fell prey to the email spoofing fraud recently is a bilateral trade facilitation chamber, operating out of Cuffe Parade. "The director of Finance & Administration of the organisation had received an email on June 8, which was a spoof of the director general's email. The finance head transferred Rs 4 lakh in the account mentioned in the email. Another, a Bandra Kurla Complex-based jeweller was duped in a similar fashion for Rs 5 lakh, a couple of later, in June. We suspect that the fraudsters keep eye on the social media profile of the top directors of the company and once they are sure that the directors are not in Mumbai, they then spoof the email and send it to their finance officers. Details of the finance officers are available on the company websites," the officer said.

"Corporate email spoofing is new cyber-crime that has emerged and we have recently registered few cases in this regard and are probing further," said deputy commissioner of police, CCPS, Sachin Patil.

"After these cases were filed, we had received over a dozen such instances wherein email spoofing cases had been received, but the firms got alerted and did not fell prey to it. It seems the cyber fraudster had sent bulk spoofed emails to various organisations and companies and few became their victims."

In one case, the officer said, a finance officer received an email from his MD asking for a Rs 6 lakh deposit. Just in the nick of time, the MD called the finance officer for some other reason, and the fraud came to light.

"In such type of spoofing cases, the email address you see on your screen and what actual address can be different and this is what they (cyber-fraudsters) take advantage of and dupe people. You have to be very cautious if you come across emails asking for making deposits of money in the account. Always get such emails verified," said cyber expert Vijay Mukhi.

Dos & Dont's

1. There has to be open communication between CFO and MD
2. Such emails have to be cross-checked through other modes of communication.
3. Calling up the MD or getting the email analysed by the IT team can be tried out
4. Replies to such emails can be CCied to other email accounts of the MD
5. SOP for payment transfer needs to be scrupulously implemented