Everyone is on alert, and for good reason. Just a week ago, the Feds indicted 80 people in a massive fraud conspiracy. U.S. Attorney Nick Hanna states, "We believe this is one of the largest cases of its kind in U.S. history." According to the FBI's annual Internet Crime Report for 2018, business email compromise (BEC) scams cost victims over 1.2 billion. Out of 351,000 reported scams with total losses exceeding $2.7 billion, it's easy to see that the majority of these scams are related to business email compromise. In other words, phishing emails and social engineering methods are hurting businesses across the board. In 2017, the BEC reported loss was at 675 million, meaning that in just one year, the losses have nearly doubled.
How Are They Doing It?
You may ask how these attackers are so successful in their attempts. There are many ways it can be done, and I will provide some examples of popular methods. If you want an in-depth look at everything you need to know about phishing, download our FREE guide. We will teach you all the essentials and even show you some of the resources that these cybercriminals are using to fool you.
One trend that the FBI noticed for 2018 was an increase in complaints about gift-card-related BEC scams. These stories often involve an email that has been spoofed to appear to come from the C-suite. When the employee receives it, he or she is presented with a request that says something like, "I need you to pick up 25 Amazon gift cards for $50 increments totaling $1,250.00. Buy physical gift cards and scratch the card code on the back. Attach pictures of each card and email back to me with the receipts. I'm sending these as gifts so I'd like your help. Can you take care of this right away?" If your supervisor at the office made such a request, would you question it, or just follow through with the demand?
Other phishing attempts can be crafted in a variety of ways, including spoofed lawyer email accounts or emails that appear to be from trusted vendors. In fact, businesses are experiencing a spike in fraudulent emails that appear to come from third-party vendors or business partners. Protect information such as your customer lists and the vendors you work with. A lot of information that you may not think of as sensitive can be pieced together to help a malicious actor carry out a sophisticated attack. Another industry that is experiencing an increase in BEC scams is the real estate sector. Attackers will spoof emails from lenders and/or title companies to trick the buyer or seller into wiring money into a fraudulent account.
There are countless methods and scenarios used to commit fraud. Fraudsters will time an attack for the end of the day before a holiday weekend, or right before the lunch break, when there are fewer employees present in the office. They know that someone new may be covering job duties outside their norm and may not know typical protocol. Or they will simply choose times when an employee's guard is down. Humans can be the weakest link, which makes email a perfect attack method.
The FBI's annual Internet Crime Report for 2018 reports:
- The US, India & UK are the top regions targeted.
- Top 3 BEC subject lines: IMPORTANT, PAYMENT & YOUR RECEIPT FROM APPLE
- Top BEC keywords used: "transaction request", "important" & "urgent"
As tech advances, attackers will continue to improve. Artificial Intelligence and Machine Learning may be used to make attacks even more convincing. As our "Essential Phishing Guide" explains in more detail, attackers can create malicious domains, with email addresses and websites that appear to be legitimate. The tools are at their fingertips, and email security filters are not enough to protect your business. Attackers often know the tips and tricks to get around such filters. According to the US Treasury Department, BEC scams cost US companies $300 million per month.
What Can You Do?
You can provide real-world examples to your employees so they can be on the lookout for these scams. Teach your organization to verify before they trust emails that seem odd or ask them to do something out of the norm. Hover over email links to confirm that they show the sender's legitimate email address. Or, instead of replying directly to the email chain, start a new email using the correct email address that you have stored in your contact information. Use multi-factor authentication whenever possible. This is especially important when conducting sensitive business such as wire transfers. There are countless examples where two-factor authentication could have prevented a successful attack. Business email compromise is one of the most common and successful attack methods used by hackers.
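The warning signs described above (a C-suite name on an outside address, a reply path that leaves the sender's domain, and the subject lines and keywords from the FBI report) can be checked mechanically to flag messages for human verification. The Python below is an added example, not code from the original article; `ORG_DOMAIN`, `EXECUTIVES`, the extra "gift card" keyword and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"      # assumption: your organisation's mail domain
EXECUTIVES = {"dana reyes"}     # assumption: hypothetical C-suite display names
# Keywords and subject lines the article cites; "gift card" added for the gift-card scam.
KEYWORDS = ("transaction request", "important", "urgent", "gift card")
SUBJECTS = ("important", "payment", "your receipt from apple")

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def bec_indicators(raw):
    """Return the BEC warning signs found in one single-part text message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "").strip().lower()
    text = f"{subject}\n{msg.get_payload()}".lower()
    hits = []
    if name.strip().lower() in EXECUTIVES and domain_of(from_addr) != ORG_DOMAIN:
        hits.append("executive display name from external domain")
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        hits.append("Reply-To domain differs from From domain")
    if subject in SUBJECTS:
        hits.append("subject matches a top BEC subject line")
    hits += [f"keyword: {k}" for k in KEYWORDS if k in text]
    return hits

# Constructed sample messages (not real mail).
SPOOFED = """From: Dana Reyes <dana.reyes@examp1e-mail.test>
Reply-To: ceo.office@freemail.test
To: pat@example.com
Subject: IMPORTANT

I need you to pick up 25 gift cards right away. Email me pictures of the codes.
"""
LEGIT = """From: Dana Reyes <dana.reyes@example.com>
To: pat@example.com
Subject: Agenda for Thursday

Draft agenda attached, comments welcome.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, bec_indicators(raw))
```

Treat the output as a prompt to verify the request through a known-good contact, not as a verdict: keyword matches alone are noisy, and a message with no hits can still be fraudulent.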