Diving Deeper: Phishing & BEC Scams

We continue our ‘Diving Deeper’ series with attack vectors that exploit human trust through what is arguably the most widely used business application on the Internet: email. We start with a brief history and introduction to phishing, spear phishing, and BEC scams; look at how they are impacting businesses; and offer tips on how companies can defend against them.

History of phishing and BEC scams

Phishing is one of the oldest attack vectors in the cyber criminal’s playbook, with the earliest known phishing attacks dating back to the mid-1990s. Those attacks were carried out over AOL and only targeted AOL members. Today, phishing attacks are aimed at just about anyone who has an email account.

Phishing doesn’t appear to be going away anytime soon. According to APWG, the number of phishing sites detected in Q1 of 2018 was up 46% over Q4 of 2017. APWG researchers also found a remarkable increase in the number of phishing sites hosted on HTTPS: less than 5% of phishing sites were hosted on HTTPS infrastructure at the end of 2016, but by the second quarter of 2018, more than a third of phishing sites were on HTTPS. Phishers are taking advantage of the general perception that an encrypted connection (the padlock icon) means the site itself is trustworthy. In reality, a TLS certificate only proves the connection is encrypted, not that the site belongs to who it claims to be.

While most phishing emails are designed to extract confidential information from victims, they’re also used to drop malware. Sometimes the malware itself (as in the case of keyloggers and trojans) steals data from the victim’s computer. Phishing is cast as a wide net, usually sent in large volumes to a lengthy list of email addresses. As a result, these emails tend to be impersonal (e.g. using a salutation like ‘Valued Customer’ instead of your name) and sometimes lacking in context, so they have relatively low click-through rates.

I say ‘relatively’ because phishing’s success rate is still high enough to keep it worthwhile for attackers; it is just not as effective as the more specialized form, spear phishing.

Spear phishing

In a spear phishing campaign, the email content (and sometimes even its method of delivery) is painstakingly crafted to resemble an official email coming from a personally trusted source.

For a spear phishing email to appear credible, attackers devote considerable time to studying an organization’s hierarchical structure, who its executives and managers are, what their official emails look like, and who the potential targets might be.

To make the content appear authentic, attackers also figure out how an executive composes their emails. They research that person’s choice of words, favorite expressions, and other pertinent details. All of this information can now be found online, especially if that executive is active on social media. Attackers can simply study the executive’s comments, blog posts, testimonials, or notable quotes (e.g. from press releases or news articles).

Just like phishing emails, spear phishing typically conveys a sense of urgency. But because the latter includes additional elements that resonate more with the recipient (e.g. it appears to come from the recipient’s CEO), there’s a greater chance the victim will fall for it.

The relatively high success rates of spear phishing schemes have opened the doors to a growing threat in the business world. This threat is aptly known as business email compromise.

Business email compromise (BEC)

BEC scams are spear phishing attacks that dupe companies into directing corporate funds or personal data to the attacker’s account.

These require no advanced programming skills or sophisticated tools. With enough research and some basic graphics and formatting skills, any aspiring BEC scammer can mount a simple but effective attack. They cast a wide net and see who responds; if they have done their homework, they will know how an organization handles these types of requests and will refine their technique to achieve the desired outcome.

No wonder we’re seeing rapid growth in this particular cybercrime method. Based on data accumulated by the FBI’s IC3 from January 2015 to December 2016, there was a 2,370% increase in identified exposed losses due to BEC scams. The same report revealed $5.3 billion in exposed losses between October 2013 and December 2016.

That number has since more than doubled according to the latest FBI IC3 report: it now stands at $12.5 billion, which far exceeds the $9 billion estimate Trend Micro predicted late last year.

Despite its rapid ascent, BEC remains one of the most underreported cybersecurity issues. Companies aren’t reporting BEC scam incidents for a couple of reasons:

  1. Most BEC scams “only” involve loss of funds through illegitimate fund transfers. So, unless the scam also involves loss of personal data, companies aren’t obligated to report them.
  2. It’s bad publicity. They’re wary that customers might stop entrusting data to them because of the perception of poor security controls. Plus, they’ve already lost money to the scam; they don’t want to lose more to customer churn.

However, we could start hearing about more BEC incidents now that GDPR has arrived. We’ve already been seeing an uptick in self-reporting of compromises and breaches, so perhaps we’ll see the same thing happen with BEC.

Ironically, GDPR could also give BEC scammers a boost. Under GDPR, companies are mandated to report data breaches. So an attacker could spoof an email requesting customer information, obtain that information, then hold the data hostage and threaten to report the company’s breach to the supervisory authority unless they are paid.

Now that GDPR has set large fines for data breaches, it has effectively put a premium price on data. We haven’t seen this angle yet (i.e. a BEC attack being used to hold a company’s data hostage against GDPR fines), but that doesn’t mean we won’t.

Global business impact

In the 2017 Cost of Cyber Crime Study, these attacks were grouped with similar attacks under ‘Phishing & Social Engineering’ and were found to cost companies an average of almost $1.3 million USD. That’s clearly enough to put a dent in your cash flow. The same report showed these attacks typically took 20 days to resolve, and naturally, the longer it took companies to resolve them, the more they cost.

Another important statistic comes from the SANS Institute, which reported that 95% of all attacks on enterprise networks began with a spear phishing attack. The phishing campaign may have been used to obtain administrator credentials, or to install malware that in turn exploited a vulnerability in the system and exposed it to a larger attack.

How companies can be vigilant in detecting these scams

Phishing, spear phishing, and BEC attacks have one thing in common: social engineering. That is, they target what is often the weakest link in an organization’s security infrastructure, its people.

Knowing this, the best defense against these attacks can’t be a purely technological one. It has to strengthen the weakest link. That’s why, to counter this threat effectively, you must prioritize employee education and training alongside your technical controls.

We recommend the following:

  1. How to identify red flags. A tone of urgency around a request for confidential information or funds is a common one.
  2. How to identify known phishing emails. Many of these scams reuse the same subject line. Search for the subject line (in quotes); if it is part of a known campaign, it should appear in the search results.
  3. What to check to verify the legitimacy of an email. One easy way is to view the full email header and check the actual address in the FROM field, not just the display name, which is trivial to forge. Also check whether a REPLY-TO header points somewhere other than the visible sender. Be meticulous: some sender domains are only faintly misspelled (an extra letter, or a digit ‘1’ in place of a lowercase ‘l’).
  4. What to do when in doubt. Always err on the side of caution. It only takes a moment to call the supposed sender, using a phone number you already have rather than one supplied in the email, to confirm whether they actually sent the request.
  5. Implement internal processes that render this attack vector ineffective. There are multiple ways to prevent the dreaded transfer to a criminal’s account: implement policies that require validation via a call back, or another internal mechanism outside of email, before payment details are changed or funds are moved.
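The header checks in items 1 and 3 above can be automated for triage. The script below is an added example, not code from the original article: it parses a raw message with Python’s standard `email` library and flags the red flags listed above (an executive’s display name on an external address, a look-alike or embedded sender domain, a Reply-To that diverts replies elsewhere, and urgency or payment language). The corporate domain `example.com`, the executive names, and the sample messages are all hypothetical, constructed for this demonstration.

```python
"""Added example (not from the original article): flag BEC/spear-phishing red
flags in an inbound email. Corporate domain, executive names and the sample
messages below are hypothetical, constructed for this demo."""

import email
from email import policy
from email.utils import parseaddr
import re

CORPORATE_DOMAIN = "example.com"                 # hypothetical corporate domain
KNOWN_EXECUTIVES = {"jane doe", "john roe"}      # hypothetical executive names

# Urgency / payment language typical of BEC requests.
URGENCY = re.compile(
    r"\b(urgent|urgently|immediately|asap|right away|wire transfer|"
    r"keep this confidential)\b", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values catch typo-squats like examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_corporate(domain: str) -> bool:
    """True for the corporate domain itself or one of its subdomains."""
    return domain == CORPORATE_DOMAIN or domain.endswith("." + CORPORATE_DOMAIN)


def analyze(raw: str) -> list:
    """Return human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = domain_of(from_addr)

    # 1. Display name is an executive's, but the real address is external.
    if from_name.strip().lower() in KNOWN_EXECUTIVES and not is_corporate(from_domain):
        findings.append(f"display-name impersonation: '{from_name}' <{from_addr}>")

    # 2. Sender domain is a near-miss of ours (typo, digit-for-letter swap) ...
    if from_domain and not is_corporate(from_domain):
        if edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
            findings.append(f"look-alike domain: {from_domain}")
        # ... or embeds our domain inside one the attacker controls.
        elif CORPORATE_DOMAIN in from_domain:
            findings.append(f"corporate domain embedded in foreign domain: {from_domain}")

    # 3. Replies would silently go to a different mailbox than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"reply-to mismatch: replies go to {reply_addr}")

    # 4. Urgency or payment language in the subject or plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    hit = URGENCY.search(str(msg.get("Subject", "")) + "\n" + body)
    if hit:
        findings.append(f"urgency language: '{hit.group(0)}'")
    return findings


# Constructed sample messages (not real mail).
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts-payable@example.com
Subject: Q3 summary

Could you send over the Q3 summary when you get a chance? Thanks.
"""

BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.example.net
To: accounts-payable@example.com
Subject: URGENT wire transfer

I am in a meeting and cannot take calls. Please process a wire transfer today.
Keep this confidential.
"""

FREEMAIL = """\
From: "John Roe" <john.roe.cfo@mail.example.net>
To: accounts-payable@example.com
Subject: Invoice payment

Please pay the attached invoice immediately and confirm when done.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("bec", BEC), ("freemail", FREEMAIL)):
        print(f"{label}: {analyze(sample) or ['no red flags']}")
```

A hit on any single check is a reason to pick up the phone (item 4), not proof of fraud; the script is a triage aid that surfaces the header details a busy employee would otherwise never look at. Note that it only inspects headers the sender controls, so it complements, rather than replaces, the call-back policy in item 5.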

A robust cybersecurity program should address weaknesses in all areas of your IT infrastructure. As such, employee education and training should go hand in hand with acquisition/deployment of security tools. As evidenced by social engineering-type attacks like phishing, spear phishing, and BEC, even the most advanced technological tools can be rendered useless if your employees are easily deceived.
