It is a devastatingly effective form of spear phishing that the FBI refers to as “business email compromise,” or a BEC attack.
Also known as “whaling” and “CEO fraud,” BEC attacks carry no viral attachments, nor malicious web links. Instead, they rely entirely on social engineering, usually spoofing someone in authority in order to persuade a subordinate to take immediate action, such as transferring funds or forwarding sensitive data.
More than 7,000 U.S. companies have been hit by BEC attacks since 2013, losing more than $740 million—and those are only the companies that reported crimes to the FBI. Since January, at least 55 companies have announced that they had fallen victim to one particular variation that lures employees into forwarding employee W2 forms, useful for creating fake tax returns, according to messaging security vendor Cloudmark.
This week, email security firm Mimecast released results of a March poll of 436 IT experts at organizations in the United States, U.K., South Africa and Australia. Some 67 percent of respondents reported an increase in attacks designed to instigate fraudulent payments and 43 percent saw an increase in attacks specifically asking for confidential data like HR records or tax information.
ThirdCertainty recently sat down with Orlando Scott-Cowley, Mimecast’s cybersecurity strategist, to discuss why email remains a viable attack vector and where things stand in the arms race to maintain trust in email. Text edited for clarity and length.
3C: It’s amazing that email, after more than a decade, remains a major attack vector.
Scott-Cowley: It is, but also it isn’t. If you think about it, email is a very simple process. It doesn’t require any skill or any ability to hack someone’s network or their firewall or their wireless. Sending an email, even a whaling email where there’s no malware, takes almost no ability at all.
3C: Why is whaling (BEC attacks) rising so sharply?
Scott-Cowley: Cyber criminals have learned that not using malware is a great way of getting into organizations because there’s no path to look for. So there’s nothing to detect. They use social engineering to basically defraud people out of millions of dollars.
3C: The heavy lifting is in the preparation?
Scott-Cowley: The attackers will spend months, or even longer, researching the target, using sources like LinkedIn, Facebook, Twitter, or Google Plus. They build up a really good picture of that organization. What they want to know is who’s the CEO, who’s the CFO, who are the senior finance managers in the organization, who’s HR, who’s IT, and they can almost build an organizational chart.
And then when they’re ready to strike, they will send an email that looks as though it has come from the CEO, generally, or the CFO. They’ll sometimes use a spoof domain that looks very similar to your corporate domain name.
They’ll often use a fake display name as well, and they’ll target someone who’s senior enough in the organization, usually in the finance team, who has single signoff authority on wire transfers. They’ll try to trick them into making a wire transfer.
3C: What we’re seeing is not a fly-by-night thing; it’s a major trend?
Scott-Cowley: Yeah. It’s a big threat to enterprises now. A lot of people who have been affected by this have not had to admit it, because it doesn’t meet the requirements for breach reporting notification. And many times you could say there has not been a breach because no data leaked. The company just paid and quietly went on about their business, which is terrifying.
3C: How did spear phishing progress to this point?
Scott-Cowley: Progression is a great way of describing it. Two or three years ago, the threat was from malicious links in emails. As vendors, we found a way to solve that problem. At Mimecast, we rewrite the URL, so when the user clicks the link we scan the page, and we’ll block access to a malicious website.
The attackers learned that. They then moved on to weaponized attachments and hiding malicious macros in attachments, mostly Word documents and Excel files. They used the macros to basically pull the malware onto the desktop.
So, as vendors, we introduced sandboxing technology that basically runs the macro in the gateway before it gets to the inbox and looks at it and says, ‘Well, this is a Word document, it has a macro, but why is that macro talking to a website in Russia or China or somewhere?’
The attackers worked out that we were getting ahead of them blocking all of those different types of attacks, and so they started to turn toward whaling and social engineering, using the power of their words in the email to be able to con people out of millions of dollars.
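As an added defensive illustration, not part of the interview and not Mimecast's own code, the following Python check covers the two impersonation tricks Scott-Cowley describes: a display name that matches an executive while the sending domain is not the corporate one, and a sending domain that merely resembles the corporate one. It also flags a Reply-To domain that differs from the From domain, a common way to route the victim's answer back to the attacker. The company domain, executive names, homoglyph table and sample headers are all constructed for this example.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed example data: a hypothetical company and its executives.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "CEO", "john smith": "CFO"}

# Digits and letter pairs that are commonly used to imitate letters in
# lookalike domains (constructed, non-exhaustive table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain):
    """Fold common homoglyphs so examp1e-corp.com compares equal to example-corp.com."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def lookalike_score(domain, legit=CORPORATE_DOMAIN):
    """Similarity between 0 and 1; used as a fallback for near-miss domains."""
    return SequenceMatcher(None, domain.lower(), legit.lower()).ratio()


def domain_of(address):
    return address.rpartition("@")[2].lower()


def classify_from_header(from_header, reply_to=None, threshold=0.85):
    """Return a list of human-readable findings for one message's sender headers."""
    display, addr = parseaddr(from_header)
    domain = domain_of(addr)
    findings = []

    # 1. Executive display name on a message that did not come from our domain.
    name = re.sub(r"\s+", " ", display).strip().lower()
    role = EXECUTIVES.get(name)
    if role and domain != CORPORATE_DOMAIN:
        findings.append(f"display name matches {role} but sender domain is '{domain}'")

    # 2. Lookalike domain: exact match after homoglyph folding, or high similarity.
    if domain != CORPORATE_DOMAIN:
        if normalize_domain(domain) == normalize_domain(CORPORATE_DOMAIN) or \
                lookalike_score(domain) >= threshold:
            findings.append(f"sender domain '{domain}' resembles '{CORPORATE_DOMAIN}'")

    # 3. Reply-To pointing somewhere other than the apparent sender.
    if reply_to:
        rt_domain = domain_of(parseaddr(reply_to)[1])
        if rt_domain and rt_domain != domain:
            findings.append(f"Reply-To domain '{rt_domain}' differs from From domain '{domain}'")

    return findings


def scan_messages(messages):
    """Run the check over (From, Reply-To) header pairs; returns {From: findings}."""
    return {frm: classify_from_header(frm, reply_to) for frm, reply_to in messages}


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three impersonation attempts.
    samples = [
        ('"Jane Doe" <jane.doe@example-corp.com>', None),
        ('"Jane Doe" <ceo.jane.doe@gmail.com>', None),
        ('"John Smith" <john.smith@examp1e-corp.com>', None),
        ('"Jane Doe" <jane.doe@example-corp.com>', "<j.doe.private@outlook.com>"),
    ]
    for frm, findings in scan_messages(samples).items():
        print(frm, "->", findings or "no findings")
```

The homoglyph fold and the similarity ratio are deliberately separate: the fold catches the exact substitutions an attacker chooses, while the ratio catches transpositions and extra characters the table does not anticipate. In a real gateway this check would sit beside, not replace, SPF/DKIM/DMARC evaluation, since a correctly authenticated lookalike domain passes those controls.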
This story originally appeared on ThirdCertainty.com.