Three top US bank chiefs have been duped by an email prankster, highlighting the risk of inadvertent leaks of sensitive information through the most basic of breaches.
Lloyd Blankfein of Goldman Sachs, Michael Corbat of Citigroup and James Gorman of Morgan Stanley all entered into email exchanges this week with the hoaxer, a 39-year-old web designer from Manchester, England, who was posing as a colleague of the chief executives.
Last month the same hoaxer targeted Jes Staley, chief executive of Barclays, and Mark Carney, the governor of the Bank of England.
Mr Corbat of Citi swapped some pleasantries on Sunday evening with the hoaxer, who was masquerading as Mike O'Neill, the bank's chairman. Mr Blankfein signed off after a couple of one-liners he thought were aimed at Harvey Schwartz, the bank's president and co-chief operating officer. Mr Gorman of Morgan Stanley replied late on Tuesday to emails that appeared to have been sent by Alistair Darling, the former UK chancellor who joined the bank's board last January.
In the emails to Mr Gorman, the hoaxer sent what purports to be a draft of an op-ed on the lessons of risk, using the analogy of a salmon-fishing trip to South Wales which is disrupted by “three enormous dogs”.
“Whilst it was a frightening experience, my father and I did take away from it one important lesson - that being you cannot take chances with the security of both yourselves and your catch,” wrote the hoaxer.
“Excellent,” replied Mr Gorman. “Great personal story to make a critical point!”
Innocuous, if embarrassing
All three exchanges were innocuous, if embarrassing, but security experts warned that the episodes have exposed weak spots in the big banks’ defences, at a time when they are under near-constant bombardment from criminals, “hacktivists” and disaffected insiders.
Banks have spent billions of dollars on improving resiliency against cyber attacks, partly at the urging of regulators. Under a new regime affecting companies policed by New York’s Department of Financial Services, for example, executives have to submit an annual certification that the firm is doing all it can to protect consumers’ private data and “ensure the safety and soundness” of the state’s financial services industry.
Yet all three chief executives were easily foxed. In the Morgan Stanley case, Mr Gorman replied to emails from firstname.lastname@example.org.
The scam “is so simple it doesn't require technical hacking skills, but social engineering skills”, said Justin Cappos, an associate professor of computer science at New York University's Tandon School of Engineering. He noted that some companies' systems attach warnings when emails come from external sources with whom the recipient has never corresponded. Such systems already operate at Goldman and Citi.
“The most effective way for users to protect against it is to be a bit sceptical,” he said.
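The external-sender warning Cappos describes is a simple gateway rule, and the article's own pattern (a colleague's name on an outside address) can be caught by the same check. The following is an added example written for this page, not code from the article or from any of the banks named in it: it classifies an inbound From header as internal, previously corresponded-with, or new external, and additionally flags a display name that matches an internal colleague while the address is not internal. The domain names, the staff directory and the correspondence history are constructed for the example.

```python
"""Tag inbound mail that comes from outside the organisation, from a sender the
recipient has never corresponded with, or from an outside address whose display
name matches an internal colleague. All addresses, domains and messages below are
constructed for this example."""
from email.utils import parseaddr

# Constructed organisation data (hypothetical).
INTERNAL_DOMAINS = {"bank.example"}
DIRECTORY = {  # normalised display name -> that colleague's internal address
    "mike o'neill": "mike.oneill@bank.example",
    "harvey schwartz": "harvey.schwartz@bank.example",
}
HISTORY = {"billing@supplier.example"}  # external addresses the recipient has mailed before


def normalise_name(name: str) -> str:
    """Collapse case and whitespace so 'Mike  O'Neill' and 'mike o'neill' compare equal."""
    return " ".join(name.split()).lower()


def classify_sender(from_header: str, internal_domains=INTERNAL_DOMAINS,
                    directory=DIRECTORY, history=HISTORY) -> dict:
    """Return the sender category and whether the display name impersonates a colleague."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return {"category": "malformed", "impersonation": False,
                "address": addr, "display_name": name}
    domain = addr.rpartition("@")[2]
    # Exact domain match only: 'bank.example.evil.example' must not count as internal.
    if domain in internal_domains:
        category = "internal"
    elif addr in history:
        category = "external-known"
    else:
        category = "external-new"
    # A colleague's display name on a non-internal address is the impersonation pattern
    # the article describes; the name alone proves nothing about who is writing.
    key = normalise_name(name)
    impersonation = (category != "internal"
                     and key in directory
                     and directory[key] != addr)
    return {"category": category, "impersonation": impersonation,
            "address": addr, "display_name": name}


def banner(info: dict) -> str:
    """Text a mail gateway would prepend to the body; empty for internal mail."""
    if info["category"] == "internal":
        return ""
    lines = []
    if info["category"] == "malformed":
        lines.append("[WARNING] Sender address could not be parsed.")
    else:
        lines.append(f"[EXTERNAL] This message came from outside the organisation ({info['address']}).")
    if info["category"] == "external-new":
        lines.append("[NEW SENDER] You have not corresponded with this address before.")
    if info["impersonation"]:
        lines.append(f"[CAUTION] Display name '{info['display_name']}' matches a colleague, "
                     "but the address is not an internal one.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample From headers.
    SAMPLES = [
        "Mike O'Neill <mike.oneill@bank.example>",
        "Mike O'Neill <mike.oneill@webmail.example>",
        "Accounts <billing@supplier.example>",
        "Harvey Schwartz <harvey.schwartz@bank.example.evil.example>",
    ]
    for sample in SAMPLES:
        info = classify_sender(sample)
        print(f"{sample} -> {info['category']}")
        if banner(info):
            print(banner(info))
```

The check is deliberately an exact domain comparison rather than a suffix match, so a lookalike subdomain of the bank's own domain is still treated as external; the display-name comparison is what turns the generic "external sender" banner into a specific caution about an apparent colleague writing from outside.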
Morgan Stanley and Citi declined to comment.
Subject to disclosure
A Goldman Sachs spokesperson said: “We work in a highly regulated industry where all communications are subject to disclosure, and we live in an increasingly transparent world where private communications are regularly made public. Technology has an important role in protecting our ability to interact securely with clients, but judgment is the most critical quality to ensuring that we meet the high standards we set for ourselves.”
The hacker told the FT he “wanted to highlight how few cast-iron indicators everyone has [...] that they are communicating with the person they think they are”.
“My intentions weren’t malicious, no secrets were really pushed for, but that could easily not have been the case,” he said. “In the end I expected it to become impossible to do very quickly after Staley. But things move slowly it seems; it has been easily repeatable, worryingly so.”
Copyright The Financial Times Limited 2017