Everyone in information security should know that business email compromise (BEC) attacks are on the rise. However, many security professionals may not realize how pervasive these threats have become; the rate of increase in BEC is remarkable.
The FBI released an alert on April 4 that included some sobering statistics about fraudulent wire transfer requests: Organizations lost more than $2.3 billion to these types of BEC attacks between October 2013 and February 2016. Furthermore, the FBI has seen a 270 percent rise in the number of identified victims and the exposed loss since January 2015.
Tactics and techniques
BEC attacks generally impersonate executives—often CEOs, CFOs, or other trusted figures, such as attorneys, controllers, or vendors. Perpetrators use a combination of whaling, spear phishing, vishing, and other social engineering techniques to execute these attacks, targeting employees who have access to banking, financial, or sensitive employee data.
Wire transfer fraud has been the most commonly reported exploit, though a rash of W-2 compromises has recently stolen the spotlight. In late March, CSO Online published a report that identified 41 successful W-2 phishing attacks in 2016, and more have been identified since then.
In the case of wire fraud, attackers use several techniques. Sometimes it is a simple email containing a link that downloads a keylogger. In other cases, criminals use social media channels, vishing calls, and other means to find out when a high-level employee will be out of the office. They then impersonate the executive or manager via email spoofing, tricking employees into exposing data, wiring money, or changing bank routing information.
Despite all the news coverage, these attacks continue to be successful. One simple reason is because these attacks take advantage of fundamental businesses processes and power structures. We are not conditioned to say “no” to authority figures, particularly in a work setting.
When employees think the CFO or CEO is making a request, they are even less likely to question it. As a result, many organizations comply with these emailed requests, sending W-2 data or wiring money to an attacker’s account. Once the money is wired, it is quickly moved and, in many cases, never recovered.
Some BEC attacks are very sophisticated; they may not be email requests that just appear out of the blue. An attacker may try to establish a relationship with an employee in advance of requesting a wire transfer or a change to bank routing information.
In this type of scenario, one or more contact attempts (via email or phone) are made over the course of hours, days, or weeks. Sometimes the attacker will ask for seemingly innocent pieces of information along the way, but the main goal is to become a “trusted” contact of the targeted employee.
Asking for a wire transfer or a change to banking information later on doesn’t ring any warning bells because the employee actually believes the request is coming from a valid source.
Competitors copy cyber crime maneuvers
By now, most organizations have assumed a strong defensive posture when it comes to cybersecurity, with layers of people, processes, and technology working together to protect sensitive data. But even with these protections in place, it’s important to take a wide view and remain alert. It’s not just Russian or Chinese cyber criminals we need to watch for — malicious actors can be tied to seemingly reputable sources, including insiders and competitors.
At Wombat, we recently encountered a series of attempts to gain proprietary information from our employees. These persistent, coordinated communications mirrored many we see in the wild. Given how things were handled, the timing of the campaigns, and the types of questions that were asked, we’re quite certain a competitor or a future competitor was behind these activities.
Three different entities attempted to reach our employees by posing as market research companies, offering a consulting fee in exchange for interview time. One entity used a BEC-style email, one made phone calls (trying first to establish a rapport), and the third hit all of our customer-facing employees through social media channels.
Defending against social engineering schemes
In our current climate, it’s critical to “train beyond the phish.” Cyber criminals, hacktivists, competitors, and state-sponsored spies can easily locate an organization’s employees through many means. An organization’s website, social media pages, press releases, and industry events are just the start.
Each employee also has personal access points that can be infiltrated. Platforms like LinkedIn are treasure troves for skilled social engineers, providing ready access to qualifying details. With all of this data and channels at their disposal, attackers can mount increasingly devious and nuanced campaigns to gain the information or access they seek.
Regular training helps to keep cybersecurity top-of-mind for employees, which in turn helps them remain vigilant against BEC attacks and other social engineering schemes. Educated employees are far more likely to immediately question an unsolicited request for sensitive data. They will also be more likely to recognize when phone calls, emails, and social media messages are outside of the scope of “normal.”
When you make security awareness and training a continuous presence within your business, you build a knowledgeable staff that fortifies your overall security posture. In-depth education and response testing create a knowledge barrier between the attackers and employees.
By building a stronger barrier, you help to ensure that your end users are equipped to analyze communications, pinpoint suspicious activities, and make intelligent decisions. This directly protects your organization’s intellectual property, sensitivedata, and financial assets.
Think about the moments when your employees receive an email, phone call, or social media request. As they hover over a malicious link or engage in an intentionally misleading conversation, ask yourself this: How strong is your barrier?
Joe Ferrara is President and CEO of Wombat Security Technologies, which provides SaaS-based security awareness and training products that help organizations teach their employees secure behavior. The company works with Fortune 1000 and Global 2000 customer in multiple industry segments to strengthen their cyber security defenses.