Phishing For Compromise
Posted February 17, 2016 by Ben Hicok
The FBI has issued warnings to all businesses about the spread of business email compromise, or BEC, scams, one of the fastest growing hazards facing businesses today. According to the FBI, these scams have increased more than 270% since the beginning of last year, and its latest report counts more than 7,000 businesses that have lost more than $1.2 billion in the last two years. At Complete Network Support we can help mitigate your IT risk. We are at the forefront of IT risk management, monitoring, assessing and evaluating threats to your network regardless of their source.
While these scams may appear less impressive than sophisticated malware targeting banks and other large institutions, a BEC attack can do far more damage to an ordinary business. It is more versatile and sidesteps the basic technical defenses businesses and individuals rely on, because instead of targeting your machines it targets your employees. According to the FBI, “The scam has been reported in all 50 states and in 79 countries. Fraudulent transfers have been reported going to 72 countries; however, the majority of the transfers are going to Asian banks located within China and Hong Kong.”
BEC scams are perpetrated in multiple stages. In the first stage, a conventional phishing attack gives the criminal access to an employee’s mailbox. The criminal then quietly monitors the account for days, weeks, sometimes even months, learning the critical financial processes and practices your business uses: whether wire transfers are used, who requests them and who approves them. The mailbox is searched for keywords such as invoice, deposit, president, CEO, CFO, accounting and funds to locate the messages that drive payments and the people who handle them.
Once reconnaissance is complete, the second phase begins, and it takes one of two forms. The first is known as a CEO phishing scam. The perpetrators register a domain name nearly identical to the company’s and send, from that domain, an email that appears to come from the CEO or another high-ranking executive. At a glance the message and the sender address look legitimate; only on closer examination does the address turn out to be fraudulent. The email requests a specific wire transfer, sparing no details, and the targeted employee, seeing an urgent instruction from the boss, does as told without hesitation. At that point the company’s funds are gone and are rarely recovered.
In the second version of the scam, the mailbox of someone within the targeted company responsible for billing and invoicing is taken over and used to send out seemingly legitimate invoices instructing that payment be made by wire to a newly designated bank account. Again, only under scrutiny would anything in the fraudulent invoice look questionable. One of the most dangerous aspects of these scams is that they are unlikely to be caught by spam filters: they are targeted, low-volume messages, not mass mailings. As these scams continue to grow and evolve it is important to be vigilant. The FBI has urged businesses to adopt the following practices:
- Create intrusion detection system rules that flag e-mails whose sender domains are similar to the company’s e-mail domain. For example, a company using abc_company.com would flag fraudulent e-mail from abc-company.com.
- Register the domains that differ only slightly from the actual company domain, so that criminals cannot.
- Verify changes in vendor payment location with an additional control, such as a secondary sign-off by company personnel, before any funds move.
- Confirm requests for transfers of funds out of band. When using phone verification as the second factor, call previously known numbers, never the numbers provided in the e-mail request.
- Know your customers’ payment habits.
- Carefully scrutinize all e-mail requests for transfers of funds to determine whether the request is out of the ordinary.
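To make the first two recommendations concrete, here is an added example in Python; it is not code from the post or from the FBI guidance. It classifies the sender domain of an inbound From: header as internal, lookalike or external by folding separator tricks, digit-for-letter homoglyphs and small edit distances against the domains the company owns, and it generates the nearby variants a defender would register or watch. The owned domain abc-company.com (a hyphen rather than the underscore in the FBI example, since underscores are not valid in hostnames), the list of owned domains and the sample headers are all constructed for illustration.

```python
"""Lookalike-domain checks for inbound mail, plus a typosquat generator for
defensive registration. Added example; the domains and headers are made up."""
import re
from email.utils import parseaddr

# Assumed: the domains the company actually owns (constructed for this example).
LEGIT_DOMAINS = ("abc-company.com",)

# Digits and letter pairs that criminals substitute for visually similar characters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
GLYPH_SWAPS = {"o": "0", "l": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
TLD_SWAPS = ("com", "net", "org", "co", "biz")


def split_domain(domain: str):
    """Split 'abc-company.com' into ('abc-company', 'com'). Naive: assumes a one-label TLD."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return ".".join(parts[:-1]), parts[-1]


def normalize(label: str) -> str:
    """Fold a domain label so cosmetic variants collide with the original:
    abc_company, abc-c0mpany and abc-cornpany all become abccompany."""
    folded = label.lower().translate(HOMOGLYPHS)
    folded = folded.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[-_.]", "", folded)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'Jane Doe <jane@abc-company.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender(from_header: str, legit_domains=LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: header.
    'lookalike' is the IDS-style flag the FBI recommends: a sender domain that is
    not ours but sits within a few cosmetic edits of one that is."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    for legit in legit_domains:
        if domain == legit or domain.endswith("." + legit):
            return "internal"            # our domain, or a genuine subdomain of it
    for legit in legit_domains:
        if legit in domain:
            return "lookalike"           # our name embedded, e.g. abc-company.com.evil.example
    label, _ = split_domain(domain)
    for legit in legit_domains:
        legit_label, _ = split_domain(legit)
        a, b = normalize(label), normalize(legit_label)
        # Short names get a tighter threshold so unrelated short domains are not flagged.
        threshold = max_distance if len(b) >= 8 else 1
        if levenshtein(a, b) <= threshold:
            return "lookalike"
    return "external"


def typosquat_candidates(domain: str) -> set:
    """Nearby domains a criminal might register; register or monitor them first."""
    label, tld = split_domain(domain)
    out = {label.replace("-", "") + "." + tld}               # separator dropped
    out.update(label + "." + t for t in TLD_SWAPS)           # TLD swapped
    for i, ch in enumerate(label):                           # one homoglyph swapped
        if ch in GLYPH_SWAPS:
            out.add(label[:i] + GLYPH_SWAPS[ch] + label[i + 1:] + "." + tld)
    for i in range(len(label) - 1):                          # adjacent characters transposed
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + tld)
    for i in range(len(label)):                              # one character dropped
        out.add(label[:i] + label[i + 1:] + "." + tld)
    out.discard(domain.lower())
    return out


# Constructed sample From: headers, as an inbound mail filter would see them.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@abc-company.com>",          # genuine
    "IT Helpdesk <helpdesk@mail.abc-company.com>",  # genuine subdomain
    "Jane Doe <jane.doe@abc-cornpany.com>",         # rn in place of m
    "Jane Doe <jane.doe@abc-c0mpany.com>",          # zero in place of o
    "Accounts <ap@abccompany.co>",                  # hyphen and TLD changed
    "Jane Doe <ceo@abc-company.com.evil.example>",  # our name embedded
    "Vendor AP <ap@vendor-invoices.net>",           # ordinary third party
]


def scan(headers=SAMPLE_HEADERS):
    """Classify every header; returns a list of (header, verdict) pairs."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in scan():
        print(f"{verdict:9s} {header}")
    print(sorted(typosquat_candidates("abc-company.com")))
```

The classifier looks only at the From: header, which is what the employee sees; in a real deployment feed it the envelope sender and Reply-To as well, since a CEO-fraud message often carries the executive's genuine display name over a lookalike address. The candidate list is deliberately generous: anything it produces that you do not own is worth a registration or at least a watch on new registrations.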
At Complete Network Support it is our job to mitigate and eliminate threats to your business. We are your IT bureau, ready for every phase of cybercriminal activity. Don’t go it alone: contact Complete Network Support.