Spoof Emails That Cost Businesses Billions
There are now so many different flavors of cyber-crime, it’s becoming increasingly difficult for companies to prioritize their defense measures against data breaches, virus attacks and corporate sabotage.
We know that cyber-crime is on the increase. And that’s an understatement.
We see it every day - from influencing major elections, to crippling businesses overnight, the way cyber-crime infects our everyday lives should not be underestimated.
Billionaire investor Warren Buffett claims that cyber threats are the biggest threat to mankind - even bigger than threats from nuclear weapons!
Believe it or not, the following is a real-life scenario that could happen to any organization...
It was just another day at the office…
The email looked like any other instruction from the CEO to the company's finance manager.
"Great news! The acquisition deal has been agreed. Please wire $6m to this account so we can finalise ASAP. This needs to be done before the close of play today. Thanks."
Thinking nothing of it, the employee duly carried out the chief exec's instruction, sent the funds, and ticked it off his task list before leaving the office for the day.
Next morning, alarm bells began to ring when the company being acquired called to ask why it had not received the funds.
The company's bank began investigating and quickly confirmed that $6m was most definitely sent, but where to?
It's highly likely that no-one will ever know the answer to that question.
Fortunately, some of the money was later clawed back by the bank. But the hackers got away with most of the $6m when they cashed out, either by using a cleverly conceived money-laundering network, or when they moved on to their next victim.
Meanwhile, the CFO was left feeling devastated, as the company scratched its head, trying to figure out how this could have happened. After all, the email had come seemingly from the boss's email address directly to the head of finance - and his account had not been hacked.
It was left to a cyber-security expert to break the bad news to the firm: emails are not to be trusted.
Yes, this is a real-life example of a cyber-attack commonly known as Business Email Compromise, or CEO Fraud.
Such incidents are often unsophisticated low-tech attacks, relying more on social engineering and pure trickery than conventional hacking.
The cyber-criminals simply spoof the email address of a senior company executive, then send an authentic-looking instruction to an unsuspecting employee.
To the employee, the email looks just as though it has come from the boss. Fact is - it's been sent by an imposter.
There is usually a sense of urgency to the order, and the employee simply does as they are told - maybe sending vast amounts of money to criminals by mistake.
Typically an attack targets specific employee roles within an organization by sending a spoof email (or series of spoof emails) which fraudulently represent a senior colleague (CEO or similar) or a trusted customer. The email will issue instructions such as approving payments or releasing client data. The emails often use social engineering to trick the victim into making money transfers to the bank accounts of the fraudster.
The worldwide financial impact is large, with the US's FBI in 2017 reporting losses "...now totaling over $3 billion."
These scams are on the rise and according to the FBI in the US, they have resulted in worldwide losses of at least $26bn (£21bn) since 2016.
Earlier this month, 281 suspected hackers were arrested in 10 different countries as part of a massive take-down operation of global cyber-crime networks based on the scams.
Ryan Kalember, executive vice-president of cyber-security strategy at Proofpoint, said:
Business Email Compromise (BEC) is the most expensive problem in all of cyber-security. There is not a single other form of cyber-crime that has the same degree of scope in terms of money lost.
Proofpoint was appointed to deal with the CEO Fraud incident described above.
Mr Kalember and his team have seen the tactics evolve during the past year and have some interesting observations and warnings for potential victims.
The traditional targets for BEC attack are the "C-suite" figures of major companies, such as chief executive officers or chief finance officers.
But recently, criminals have been going for lower-hanging fruit, according to Kalember:
The 'very attacked people' we now see are actually rarely VIPs. Victims tend to have readily searchable emails or easily guessable shared addresses. ...VIPs, as a rule, tend to be less exposed as organizations are generally doing a fairly good job of protecting VIP email addresses now.
The trend has also been noticed by cyber-security company Cofense.
In some cases, employees' emails are spoofed and the attacker asks the human-resources departments to send a victim's wages to a new bank account.
Dave Mount, from Cofense said:
A smaller but much wider reward system will be a deliberate attempt to fly below the radar to target financial processes that are likely to have weaker controls, yet still produce attractive returns.
Another method being seen more regularly is scam emails sent on Monday morning.
According to Proofpoint, more than 30% of BEC emails are delivered on Mondays as hackers try to capitalize on weekend backlogs.
They hope "social jet-lag" will mean employees are more easily fooled by fake emails and other social-engineering tricks.
"Attackers know how people and offices work. They depend on people making mistakes and have a lot of experience with what works. This is not a technical vulnerability, it's about human error," said Mr Kalember.
Fake email threads are part of another technique that has evolved.
Attackers start the subject lines of their emails with "Re:" or "Fwd:" to make it look like their message is part of a previous conversation.
In some cases, they even include a bogus email history to establish apparent legitimacy.
According to researchers, fraud attempts that use this technique have increased by more than 50% year-over-year.
Mr Kalember says all these trends follow a predictable pattern based on our own behavior.
"One of the reasons why this is a particularly difficult problem to stamp out is that it relies on the systemic risk of all of us trusting email as a means of communication," he said.
Unfortunately for businesses and unwitting employees, BEC is unlikely to go away.
Email spoofing is technically very simple, and free-to-use online services offer a low barrier to entry.
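The two tell-tale signs described above, an executive's display name paired with an outside address and a "Re:"/"Fwd:" subject with no real thread behind it, can be checked mechanically before a message reaches the finance inbox. The script below is an added example, not code from the original article or from Proofpoint; the corporate domain (example.com), the executive list, the urgency word list and the two messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain, the executives
# a BEC email typically impersonates, and phrases that signal false urgency.
EXECUTIVES = {"jane ceo": "jane.ceo@example.com"}
URGENCY_WORDS = ("asap", "today", "urgent", "close of play")
THREAD_PREFIXES = ("re:", "fwd:", "fw:")


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    # 1. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"executive display name with foreign address {addr}")
    # 2. Replies silently redirected to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To diverges from From ({reply_to})")
    # 3. "Re:"/"Fwd:" subject but no In-Reply-To/References: a fabricated thread.
    subject = msg.get("Subject", "").strip().lower()
    threaded = msg.get("In-Reply-To") or msg.get("References")
    if subject.startswith(THREAD_PREFIXES) and not threaded:
        findings.append("reply/forward subject without threading headers")
    # 4. Urgency language in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency language in body")
    return findings


# Constructed sample: a spoof modelled on the CEO-fraud email in the story.
SPOOF = """\
From: Jane Ceo <jane.ceo@example-payments.net>
Reply-To: jane.ceo.private@example-mail.net
To: finance@example.com
Subject: Re: Acquisition - wire transfer
Content-Type: text/plain

Great news! The deal is agreed. Please wire the funds today, before close of play.
"""

# Constructed sample: a genuine internal reply with real threading headers.
LEGIT = """\
From: Jane Ceo <jane.ceo@example.com>
To: finance@example.com
Subject: Re: Q3 budget
In-Reply-To: <budget-thread@example.com>
Content-Type: text/plain

Looks fine to me, thanks.
"""
```

Running `bec_indicators(SPOOF)` yields all four findings, while `bec_indicators(LEGIT)` returns an empty list; in practice the output would feed a quarantine or a mandatory call-back step rather than block on its own.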
But there are lots of things companies and employees can do - including being vigilant and aware of the attacks.
Companies could insist on so-called two-factor verification before a payment is sent.
All of this, of course, relies on people taking a step back from what is often strived for in the workplace - speed and efficiency.
How can I Prevent CEO Fraud?
Infosec Institute, a leading security awareness training organization, says …
Despite your best efforts, phishers might still get in via convincing email requests. Because of this, every transaction, whether financial or informational, needs to possess checks. You can automate some of them so obvious errors are immediately identified, but at the end of the day, you need a human on the job that has to confirm a number, speak to a second person and check authorizations before any significant transactions can be completed.
You don’t want to insult the vanity of the members of your C-suite, but you also can’t let the privileges of the corporate hierarchy put your company at risk. The most successful element of a BEC fraud scam is one that involves a sense of urgency on the task being requested, implying that something vital hangs in the balance. And it’s these rushed, spur-of-the-moment decisions that often cause the most damage.
It cannot be a matter of a mouse click when dealing with large sums. Everyone in the decision chain needs to have to look up a real number, associated with a real account, enter that number manually and then verbally confirm that transaction with another person — no exceptions.
NOTE: This article is provided for information purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experienced data privacy/data protection practitioner when preparing for compliance with data protection and privacy legislation.