Email spoofing and phishing have evolved considerably in the last few years, with criminals upping their game to trick you. Instead of casting a wide net, criminals are turning to spear phishing, a highly personalized attack. Attackers research their targets and craft a carefully designed message impersonating a seemingly trustworthy person or company. According to Beazley's 2019 Breach Briefing, business email compromise increased 133%, with financial institutions, healthcare and education as the top targets. While it accounts for only 6% of all spear phishing attacks, it has proven very lucrative for criminals.
Business email compromise (BEC) occurs when a cybercriminal uses a compromised email account, or spoofs a legitimate email address, to trick an employee into transferring money or sensitive data. The financial industry is the most heavily targeted because of its ready access to funds. In the typical case an employee gets an email from a "senior executive" requesting a wire transfer, which is why this attack is also called CEO fraud. Attackers build a sense of urgency into their emails to push the recipient into acting quickly, without investigating. The FBI reports losses of $12.5 billion since 2013 due to BEC.
Criminals must do their research to pull off a BEC attack successfully. They must learn the names of employees, the hierarchy of the company and who controls the funds. Then, using a spoofed or compromised account, they send an email requesting a wire transfer to a fraudulent account number, or requesting sensitive data such as financial information. These emails tend not to contain any links or malicious attachments, so they are hard to detect with conventional email security. An email may look similar to this:
From: Jane Johnson <firstname.lastname@example.org>
To: Michael Blake <email@example.com>
Are you in the office? I need you to process a bank transfer for me.
Give me a quick reply when you can get it done.
CEO, Corp Corporation
At first glance it looks legitimate and carries a sense of urgency. On closer inspection, you see the sender is using a lookalike domain, @conp.com instead of @corp.com. If the money is sent, it is almost impossible to get back. This criminal did his research.
Hard to Defend
Targeted attacks that are not mass produced, so they aren’t flagged as spam
Emails come from reputable email services (gmail.com is used for 1 in 3 attacks)
No malicious links or attachments
Domain and display name spoofing make for convincing impersonations
Compromised accounts used to send requests are even harder to trace
Social engineering tactics such as brevity, urgency, personalization and pressure increase chances of success
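The two impersonation tricks above (a lookalike domain such as the @conp.com in the sample email, and a real executive's display name on an external or free webmail address) can be screened for at the mail gateway. The following is an added example, not code from the original page: it flags a From: header whose domain is within one edit of a trusted domain after undoing common character swaps (0 for o, 1 for l, rn for m), or whose display name matches a watched executive while the address is not on a trusted domain. The trusted domain corp.com, the name "Jane Johnson" and the sample headers are all constructed for the example.

```python
"""Heuristic checks for two BEC signals in a From: header:
  - sender domain is a lookalike of a trusted domain
  - display name matches a watched executive but the address is external
Added example code, not from the original page."""
from email.utils import parseaddr

# Assumed configuration for the example (hypothetical): the organisation's
# own domain and the people most likely to be impersonated.
TRUSTED_DOMAINS = {"corp.com"}
EXECUTIVE_NAMES = {"jane johnson"}

# Characters commonly substituted for their lookalikes in registered domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Lower-case, drop a trailing dot and undo the usual homoglyph tricks."""
    d = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def is_lookalike(domain: str, trusted: str) -> bool:
    """True when domain is not the trusted domain but is within one edit of it
    after normalisation (so c0rp.com, conp.com and corp.co all match corp.com)."""
    if domain.lower() == trusted:
        return False
    return levenshtein(normalize_domain(domain), normalize_domain(trusted)) <= 1


def classify_sender(from_header: str) -> list:
    """Return the BEC signals found in a From: header; an empty list means none."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    signals = []
    if domain in TRUSTED_DOMAINS:
        # Internal sender: whether the domain is genuinely ours is a job for
        # SPF/DKIM/DMARC, not for a lookalike check.
        return signals
    if any(is_lookalike(domain, t) for t in TRUSTED_DOMAINS):
        signals.append("lookalike_domain")
    if " ".join(display_name.lower().split()) in EXECUTIVE_NAMES:
        signals.append("display_name_impersonation")
    return signals


# Constructed sample headers for the example; none are real messages.
SAMPLE_HEADERS = [
    "Jane Johnson <jane.johnson@corp.com>",
    "Jane Johnson <jane.johnson@conp.com>",
    "Jane Johnson <janejohnson.ceo@gmail.com>",
    "IT Helpdesk <support@c0rp.com>",
    "Acme Billing <ar@acme-invoicing.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header:45} -> {classify_sender(header) or 'ok'}")
```

Two caveats worth keeping in mind. The check covers lookalike domains and display-name abuse only; an attacker who forges the exact @corp.com address is caught by a DMARC reject policy, not by this code, and mail sent from a genuinely compromised internal account passes every check here, which is why the verification steps below matter regardless of tooling. An edit distance of one is also deliberately tight; raising it for longer domains catches more lookalikes at the cost of false positives on legitimately similar vendor domains.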
Steps to protect your business
Enable multi-factor authentication for remote access to systems and apps
Implement regular anti-fraud training for your employees
Establish a process for employees who travel and need to request funds. Keep that process out of email and shared network storage, where an attacker with a compromised account could read it.
Limit the employees who have the authority to submit or approve wire transfers
Verify any vendor request to change account details by phone, using a number already on file rather than one supplied in the request
Use artificial intelligence technology that recognizes when an account has been compromised