Goldman's Blankfein, Citi's Corbat Duped by Email Prankster

By Liz Hoffman and Telis Demos Features Dow Jones Newswires

The chief executives of Goldman Sachs Group Inc. and Citigroup Inc. are the latest bank bosses to be hooked by an email prankster trolling top Wall Street brass, exposing a low-tech gap in banks' cybersecurity armor.

Continue Reading Below

Goldman's Lloyd Blankfein and Citigroup's Michael Corbat, as well as Citigroup consumer-banking chief Stephen Bird, responded over the weekend to emails sent by the anonymous prankster masquerading as top executives at the two banks.

The hoaxer, who last month snared Barclays PLC chief Jes Staley and Bank of England Gov. Mark Carney, on Sunday published screenshots of the exchanges on Twitter. Goldman and Citigroup confirmed the email exchanges.

None of the executives disclosed sensitive information in responding to the prankster, but the repeated episodes flag concerns about whether banks have done enough to guard against online threats. It comes as more trading is happening on mobile devices and investment bankers are taking electronic pitchbooks on the road.

The emails mimic a well-known scam known as "phishing." In this, scammers try to get victims to click on malicious links or try to capture sensitive information, such as passwords, via seemingly innocuous emails. These emails can take the form of invoices from customers, shared Google documents, or phony password reset requests.

Last year, the FBI said that it had observed a 270% increase in business-email scams over a 15-month period. In these, criminals had impersonated executives to request a fraudulent money transfer or other fraudulent transaction. Between October 2013 and February 2016, law-enforcement officials received reports from 17,642 victims of this kind of scheme that amounted to more than $2.3 billion in losses.

Continue Reading Below

The anonymous bank trickster so far has appeared to seek to embarrass executives rather than extract secrets or plant viruses.

The fear, though, is that if bankers can fall for cheeky pranksters, they might also fall victim to the kinds of phishing attacks that hackers used to breach the Democratic National Committee's email, enabled by a false email asking to reset a password.

Mr. Blankfein received an email that appeared to be from a top lieutenant, Harvey Schwartz. The prankster appeared to be looking for confirmation that a pair of recent tweets from Mr. Blankfein were a swipe at President Donald Trump's infrastructure agenda.

"Tweet won some online award for humorous tweet -- Trump will be so pissed ;)," it read, according to the screenshots published on Twitter.

Mr. Blankfein largely declined to take the bait. He said the tweet "seemed like a good way to bookend my trip," though he did say he would "settle for getting away with it."

Messrs. Corbat and Bird received emails appearing to come from Citigroup Chairman Michael O'Neill. Mr. Corbat only sent a brief response, while Mr. Bird traded a series of emails with the prankster. The emails were personal in nature and didn't pertain to business dealings of the banks or their financial workings.

"CEOs are trying to be hands on these days, tweeting and emailing and responding to many things themselves," said Sandeep Kumar, managing director for capital markets at Synechron, an information-technology consulting firm. "These firms have many layers of security and filtering....But at times, emails will sneak in and somebody will be tempted to click on a wrong link or respond to someone they shouldn't."

Many bankers, including those at Citigroup, access their email through third-party security applications such as those developed by Good Technology, now part of BlackBerry Ltd. Those apps screen links when they are clicked and block many of them. Mr. Corbat, in his response to the prankster, noted that he couldn't open the link.

In fact, bankers often complain that their email is too secure, making it cumbersome to interact with clients. At many firms, emails dealing with client or financial information go through additional layers of security.

The email from Mr. O'Neill originating from a non-Citigroup email address wouldn't be unusual, said a person familiar with the bank. Many board members use personal email accounts for board duties, as they aren't bank employees and aren't acting on behalf of other companies they may work for.

Goldman's email system, which the bank's engineers built themselves and spun out, alerts users when they are sending an email to someone outside the firm. Like many cybersecurity tools, though, users can get inured to such warnings, clicking past them without thinking.

Peter Rudegeair contributed to this article.

Write to Liz Hoffman at liz.hoffman@wsj.com and Telis Demos at telis.demos@wsj.com

(END) Dow Jones Newswires

June 12, 2017 16:08 ET (20:08 GMT)