All through October, in aid of National Cyber Security Awareness Month (#CyberAware) we’re putting phishing under the microscope. In each post we’ll take a close look at one specific type of phishing, including the actors responsible, who it targets, and how/why it works.
Today, we’re exploring one of the most audacious phishing tactics: Business email compromise (BEC) also known as CEO scams.
We've put the 15 best practices for spotting and handling BEC and other phishing emails into one webcast presentation. Join us Thursday, October 26, 11:00 am - 12:00 pm EDT to learn how you can turn your users into powerful security assets.
Overview
Unlike most other phishing tactics, BEC scams are all about interacting with victims, rather than simply duping them into making a one-time mistake. Typically a number of emails are exchanged, with the ultimate goal of convincing the target to authorize substantial payments to the attacker’s bank account.
BEC scams can usually be broken down into four phases:
1) Identify a Target: The attacker targets organizations using business information available freely online
2) Grooming: Attacker uses a variety of social engineering tactics to pressure and manipulate their chosen target
3) Exchange information: The victim becomes convinced they are conducting a legitimate business transaction
4) Payment: Funds are wired directly into a bank account controlled by the attacker
The Breakdown
Primary Target(s): Finance/Payments staff
Lure Volume: Significant increase in recent years
Geography: Global
Threat Actors: One-man bands, state sponsored groups, and everything in between
Motivation: Profit
Lure Analysis
Does all this seem a bit far-fetched? Well, I’m afraid it isn’t.
With a little technical know-how, some patience, and a basic understanding of human nature, attackers are routinely able to hoodwink victims into wiring money directly into their bank accounts.
And we’re not talking about small sums, either. It’s estimated that BEC scams have cost businesses around $5.3 billion globally since 2013.
So let’s take a look at some BEC lures:
First, notice how these lures go out of their way to produce a sense of urgency. Not only does this payment need to be made, it needs to be made now.
But of course, urgency is no good unless the sender is trusted. That’s where email spoofing comes in.
A wide variety of techniques are used to “spoof” the email addresses of trusted, senior members of target organizations such as CEOs and CFOs. Imagine getting an urgent email from your boss’s boss’s boss… Pretty compelling, right?
Takeaways
One of the scariest things about this type of phishing attack is the total lack of need for sophisticated technologies, or even much in the way of technical competence on the part of the attacker. Identifying payments staff is just a matter of surfing LinkedIn, and once a target is acquired the entire scam could be completed within a few hours.
To find out how you can fight back against BEC, and other phishing scams, check out a free #CyberAware resources page.