Look Out For Business Email Compromises


Phishing has emerged as one of the most dangerous types of security threats for businesses, with phishing attacks growing in the second quarter of this year, especially against software-as-a-service and webmail services. That’s according to a recent report by the Anti-Phishing Working Group (APWG), a nonprofit industry association that fights phishing, crimeware and e-mail spoofing.

The APWG defines phishing as “a criminal mechanism employing both social engineering and technical subterfuge” to steal data on personal identities or financial credentials. The APWG tracks the number of unique phishing Web sites as a primary measure of phishing volumes across the globe. A single phishing site may be advertised as thousands of customized URLs, but they often lead back to the same attack destination.

The total number of phishing sites detected by the APWG in the second quarter was 182,465 – up slightly from the 180,768 sites in 1Q-2019, and up notably from the 138,328 in 4Q-2018. A total of 341 brands were targeted by phishing campaigns in April, compared to 308 in May and 289 in June.

Social engineering schemes often use spoofed e-mails that claim to be from legitimate businesses. The emails are designed to lead recipients to counterfeit Web sites that trick people into giving away credentials and financial data such as usernames and passwords. Other phishing attack vectors include social media posts, fake banner ads, browser extensions and plug-ins.

Companies should update staff training and deploy real-time threat intelligence systems to guard against the growing identity theft technique known as “business e-mail compromise,” or BEC. In a BEC attack, the scammer targets employees who have access to company finances, usually by sending them emails from fake or compromised email accounts, an approach known as spear-phishing.

SaaS and webmail sites remained the biggest phishing targets in the second quarter. Phishers harvest credentials to those types of sites and then use them to perpetrate BEC attacks and to penetrate corporate SaaS accounts.

BEC scammers are not picky. They are known to target both large and small companies, causing aggregate losses in the billions of dollars. The bad guys usually impersonate a company employee or other trusted party to fool an unwitting co-worker into sending money such as a wire transfer to a bank account controlled by the criminal. Sometimes these attacks may also involve malware.

Before launching a spear-phishing attack, some sneaky attackers will spend weeks silently surfing around a compromised organization’s network to study the organization’s vendors, billing system, and even the CEO’s style of communication.

Gift Card Payments, the Phishing Weapon of Choice

There are many types of BEC lures, but the APWG documented gift cards as the preferred payment method in BEC attacks in the second quarter. Because gift cards are more anonymous, less reversible, and do not require the use of a mule intermediary, they have quickly emerged as the most popular cash-out option for scammers over the past year, according to the APWG authors. Nearly two-thirds of all BEC attacks requested that the targeted person purchase gift cards and send them to the attacker, while 20 percent of attacks requested payroll diversions, and 15 percent requested direct bank transfers.

The most common gift card requested by BEC scammers was for Google Play, Google’s online app store, at 41 percent. That was followed by gaming site Steam Wallet (12 percent), Amazon (9 percent), and Apple iTunes (8 percent). However, in a bit of good news, the amount of money an attacker can make from each gift card BEC attack is significantly less than through a wire transfer. During the second quarter, the average amount of gift cards requested by a BEC actor was just over $1,500, while the average amount requested for wire transfer BEC attacks was nearly $65,000.
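The impersonation pattern described above (a trusted name on a fake or look-alike sender, a request for gift cards or a payment change, pressure to act quickly) can be screened for automatically before a message reaches the finance team. The following Python script is an added example and is not code from the article, from the APWG or from the author's company. The company domain, the executive directory, the keyword lists, the two-finding threshold and both sample messages are constructed for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the example: the organisation's own mail domain and
# a small directory of names that attackers commonly impersonate.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Lure vocabulary drawn from the attack types the article describes.
GIFT_CARD_TERMS = ("gift card", "google play", "itunes", "steam wallet", "amazon card")
PAYMENT_TERMS = ("wire transfer", "payroll", "direct deposit", "bank account")
URGENCY_PATTERN = re.compile(r"\b(urgent|asap|right away|immediately|confidential)\b")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def message_text(msg):
    """Return the plain-text body, walking multipart messages if needed."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks)


def bec_findings(raw):
    """Return the list of BEC indicators present in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    # 1. A protected display name on an address that is not the real one.
    if name.strip().lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.strip().lower()]:
        findings.append("display-name impersonation")

    # 2. Sender domain within two edits of ours (e.g. rn in place of m).
    if domain != COMPANY_DOMAIN and 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike sender domain")

    # 3. Replies silently redirected to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to mismatch")

    # 4. The ask itself: gift cards, payment redirection, and pressure to act.
    text = message_text(msg).lower()
    if any(term in text for term in GIFT_CARD_TERMS):
        findings.append("gift card request")
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("payment redirection")
    if URGENCY_PATTERN.search(text):
        findings.append("urgency language")
    return findings


def is_suspicious(raw, threshold=2):
    """Flag a message when two or more independent indicators coincide."""
    return len(bec_findings(raw)) >= threshold


# Constructed sample: a gift-card lure from a look-alike domain.
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: jane.doe.ceo@freemail.example
To: accounts@example-corp.com
Subject: Quick favour
Content-Type: text/plain

Are you at your desk? I need you to purchase five Google Play gift cards
for a client today, it is urgent. Send me the codes asap.
"""

# Constructed sample: an ordinary internal message from the real executive.
BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 budget review
Content-Type: text/plain

Please find the budget review attached; we can discuss it at Thursday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_suspicious(sample), bec_findings(sample))
```

Each indicator on its own is weak (a genuine executive may well write "urgent"), which is why the script only flags a message when at least two coincide; in practice the executive directory and company domain would come from the mail gateway's configuration rather than constants, and a hit would route the message to a manual review queue rather than silently dropping it.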

Finally, it’s worth noting that BEC criminals strategically sent their emails when the victims were starting their workdays and were most available as targets. Half of all BEC attacks were sent between 8:00 a.m. and 12:00 noon in the victim’s time zone, and almost 90 percent of attacks were sent between 5:00 a.m. and 3:00 p.m. in the victim’s time zone. Fully 97 percent of BECs were sent between Monday and Friday, thus avoiding weekends when potential victims were not working.

The solution to this phishing problem requires a new approach to threat intelligence that is automated, with high levels of accuracy. Cloud-based real-time threat intelligence feeds can instantly sift through all the dynamic data collected from multiple proprietary sources and proactive threat hunting. Another major benefit of a real-time threat feed involves instant blocking with near-zero false positives, which helps protect against blacklisting legitimate websites.

Fallible human beings will continue to be the weakest link in the security chain for most businesses. Company leaders must take responsibility to protect their workforces from falling prey to these increasingly clever attacks based on business email compromises. Not only are these BEC scams costly, but they can also cause long-term damage to a brand’s reputation and credibility.

Atif Mushtaq
Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, he spent nine years as a senior scientist at FireEye where he was one of the main architects of its core malware detection system. Mushtaq has worked with law enforcement and other global agencies to take down some of the world’s biggest malware networks including Rustock, Srizbi, Pushdo and Grum botnets.
