Skip to Content
Security & privacy

Elaborate spoofing campaign targeted huge company

Before you click on that website link, please double-check the address and make sure you’re going to the right place.

Why? Website and email spoofing – a technique that involves a fake web address or domain that closely resembles the real deal – is a cybersecurity threat that can affect both individuals and entire organizations.

In fact, these tactics are starting to become so sophisticated and elaborate, they’re fooling even the largest companies in the world! Read on and see how this multinational giant became the latest spoofing target.

The BlackRock Dear CEO Campaign

BlackRock, the world’s largest money-managing firm, has been recently targeted with an elaborate spoofing and social engineering campaign which was apparently orchestrated by a still unnamed environmental group.

First, the group sent out an emailed document that appeared to have come from the BlackRock CEO himself, Larry Fink. They even set up a spoofed website that looked like the real BlackRock website.

The fake “Dear CEO” letter purportedly reveals Fink’s newly found commitment in tackling climate change and environmental issues. To complete the ruse, the spoofers even prepared an official denial from BlackRock via a company “press release” hosted on the fake website.

The whole letter was convincingly well-done, written in the long-winded corporate style that’s common with official investor memos.

The fake Fink wrote. “With climatic threats positioned to destabilize markets at ever greater levels in 2019 and beyond, BlackRock is determined to take a leadership role in building a Paris-compliant economy.

‘We will begin this work by divesting from coal companies in our actively managed funds. Within 5 years, more than 90% of our 1000+ investment products will be converted to screen out non-Paris compliant companies such as coal, oil, and gas, which we see as declining and endangered.”

The follow-up “company denial” press release and the fake website that hosted it were also exquisitely done, suggesting that this was a sophisticated and well-planned campaign

It was all a lie

But what were the telltale signs that they were fake? Well, instead of “,” the spoofed emails used the address “” and the website likewise used the “” domain.

Notice the added “-esg” suffix? It’s a subtle difference but it was enough to fool even major news organizations like and the Financial Times.

The spoofers even directed all the links on the fake website back to the real BlackRock site, and to the unsuspecting eye, the whole front looked convincing.

Beware of spoofs and social engineers

Although this whole incident appears to be more of a statement than a blatantly malicious act, it highlights the vulnerability of even the biggest companies against email/website spoofing and social engineering schemes.

The worst of these attacks is known as the Business Email Compromise (BEC), where an attacker impersonates a high-level executive of a company to steal sensitive data or trick employees into sending payments via phishing and spoofing scams.

To spot spoofed emails, websites and social engineering schemes, first, you have to be vigilant with email communication.

Check email addresses carefully, especially those coming from your boss and associates that you may know. A missing or an extra character on the address could spell the difference between safety and compromise.

And as usual, be careful with email links and attachments. Scrutinize the link address before clicking and do not open attachments from email accounts that are not trusted. As they always say, an ounce of prevention is worth is worth a pound of cure.

Stop robocalls once and for all

Robocalls are not only annoying, but they scam Americans out of millions every year. Learn Kim's tricks for stopping them for good in this handy guide.

Get the eBook