CEO Fraud

Every now and then, an email like this arrives at my company mail server:

From: surname_big_boss lastname_big_boss <attacker@example.com>
To: surname_victim lastname_victim <victim@mycompany.com>

It is always the same pattern: the attacker, posing as the boss, asks for the victim's mobile or WhatsApp number, and in the end tricks the victim into transferring money to the attacker. See https://en.wikipedia.org/wiki/Email_spoofing#Business_email
And unfortunately, I have had users in the past who replied 🙁

Of course, you cannot simply block the attacker's sender address, because it changes with every new attack.
But what if we reject everything whose display name is "surname_big_boss lastname_big_boss" and whose address is NOT in one of our own domains? With Postfix and a regular-expression header check, that is quite easy:

~# grep ^header_checks /etc/postfix/main.cf
header_checks = pcre:/etc/postfix/header_checks_map
~#

Silly naming, I know. It is not a map. But names are not important 😉

And now, in /etc/postfix/header_checks_map:

/^From:\s+"?surname_big_boss\s+lastname_big_boss"?\s+<[^>]+@(?!mycompany\.(?:de|com)>)[^>]+>$/i REJECT Go away phisher

Two details matter here. The negative lookahead has to be anchored to the closing ">" (mycompany\.(?:de|com)>); with a bare (?!mycompany\.(de|com)) an address such as attacker@mycompany.de.evil.example is NOT rejected, because "mycompany.de" still matches at the start of the domain. And the display name is made optionally quoted ("?), because many mail clients write From: "Name" <address>, which a pattern that only allows the bare name would never match. The /i flag makes the whole thing case-insensitive, so MYCOMPANY.DE is treated as ours.

Don't forget to reload Postfix after you have made the change.

Of course, this works less well if your boss is called "Peter Smith"... Mine has a more unique name. Keep in mind that the rule also rejects the boss's own mail when it is sent from a private address outside our domains with that display name, which is exactly what it is meant to do.
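To see what such a rule actually catches and what slips past it, here is an added Python example (not code from this post, and not Postfix itself) that applies the first, loosely anchored version of the rule (".+@" with an unanchored lookahead) and a tightened one to a handful of constructed From: headers. Python's re module treats these lookaheads the same way PCRE does. The boss's name and the company domains are the placeholders used in this post; the attacker addresses are made up.

```python
import base64
import re

# Added example, not code from the original post: a Python stand-in for the
# Postfix pcre header_checks rule, so the match logic can be exercised offline.
# The boss's name and the company domains are the placeholders from the post.
OUR_DOMAINS = r"mycompany\.(?:de|com)"

# Loose version of the rule: ".+@" plus an unanchored negative lookahead.
ORIGINAL_RULE = re.compile(
    rf"^From: +surname_big_boss +lastname_big_boss +<.+@(?!{OUR_DOMAINS}).*>$",
    re.IGNORECASE,
)

# Tightened rule: the display name may be quoted, the address may not contain
# ">", and the lookahead requires our domain to run up to the closing ">".
TIGHTENED_RULE = re.compile(
    rf'^From:\s+"?surname_big_boss\s+lastname_big_boss"?\s+<[^>]+@(?!{OUR_DOMAINS}>)[^>]+>$',
    re.IGNORECASE,
)


def rejected_by(header: str, rule: re.Pattern) -> bool:
    """True if a message carrying this From: header would hit REJECT."""
    return rule.search(header) is not None


def evaluate(header: str) -> tuple[bool, bool]:
    """Return (loose rule rejects?, tightened rule rejects?) for one header."""
    return rejected_by(header, ORIGINAL_RULE), rejected_by(header, TIGHTENED_RULE)


# Constructed sample headers; attacker addresses use example.com / .example.
BOSS_NAME = "surname_big_boss lastname_big_boss"
# RFC 2047 encoded-word form of the same display name, as a mail client would send it.
ENCODED_NAME = "=?UTF-8?B?" + base64.b64encode(BOSS_NAME.encode()).decode() + "?="
SAMPLES = {
    "legit boss":        f"From: {BOSS_NAME} <boss@mycompany.de>",
    "legit, upper-case": f"From: {BOSS_NAME} <boss@MYCOMPANY.COM>",
    "plain spoof":       f"From: {BOSS_NAME} <attacker@example.com>",
    "quoted name":       f'From: "{BOSS_NAME}" <attacker@example.com>',
    "subdomain trick":   f"From: {BOSS_NAME} <attacker@mycompany.de.evil.example>",
    "encoded name":      f"From: {ENCODED_NAME} <attacker@example.com>",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        loose, tight = evaluate(header)
        print(f"{label:18} loose={'REJECT' if loose else 'pass  '} "
              f"tightened={'REJECT' if tight else 'pass  '}")
```

The two legitimate headers pass both rules, the plain spoof is rejected by both, and the quoted display name and the mycompany.de.evil.example address are only caught by the tightened rule. The last sample shows a gap neither rule closes: Postfix applies header_checks to the raw header line and does not decode RFC 2047 encoded words first, so a base64-encoded display name never matches a pattern written for the plain name. On the real system you can run the same kind of check without sending mail with `postmap -q 'From: surname_big_boss lastname_big_boss <attacker@example.com>' pcre:/etc/postfix/header_checks_map`, which prints the action for a matching line and nothing otherwise.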
