Everything You Need to Know About Wire Transfer Phishing

This question should be standard issue at any cybersecurity pub quiz: What increased by 108% one day in September 2019? It’s not the number of data breaches experienced around the world. It’s not even the proportion of businesses now targeted by cyberattacks. No: it refers to the total amount of money stolen from businesses thanks to Business Email Compromise scams, according to the FBI. The Bureau’s flagship figure of $12.5bn was revised upwards by more than 100% on September 10th, hitting a staggering $26bn. The two figures don’t cover identical timespans. But if anything, comparing the periods of time used to arrive at the totals generates even more alarm. The original $12.5bn figure was derived from business losses over a five-year period between 2013 and 2018. The new figure of $26bn is the product of just three years of criminal activity, covering June 2016 to July 2019. So how are attackers able to extract such large sums of money from enterprises? And what can be done to stop them? Perhaps part of the reason Business Email Compromise (BEC) has been so successful is that everyone has a slightly different definition of what it means, and no clear solution to stop it…

What is Business Email Compromise? Business Email Compromise (BEC) is when a trusted relationship – between colleagues or counterparties – is hijacked through email. BEC can be accomplished in two ways: email impersonation (i.e. spear phishing attacks) email account hacking Conveniently for attackers, account takeover is often achieved after a successful spear phishing attack. BEC is a catch-all term often conflated with other kinds of email attacks, like phishing, spear phishing and account takeover. Account takeover (ATO) attacks, for instance, are often described as identical to Business Email Compromise. However, ATO attacks see the attacker literally gain access to an individual’s genuine account, potentially by using brute force “credential stuffing” hacking techniques. BEC attacks, meanwhile, are geared around impersonation. An attacker “compromises” an email account by convincingly impersonating a trusted counterparty of the target. What is being “compromised” in a BEC attack is the trust between the target and the impersonated counterparty. Because BEC scams rely on people making mistakes and being tricked, attacks can be relatively simple or extremely complex. The initial step involves fraudsters identifying a company they intend to target. Once this is done, before executing the attack itself, the attackers must first impersonate an employee or one of the company’s external counterparties. (Attackers might choose to impersonate a display name or a domain in order to fool their target. To understand more about the different types of email spoofing and impersonation exploited by cybercriminals, head to the this Tessian blog.) To execute a BEC attack, attackers will send spear phishing emails to targets within the company. Building trust over time comes down to communicating authentically. Although you might have read about spear phishing campaigns convincing people to click on malicious links or attachments, this is no longer a necessity. “Zero-payload” attacks, a growing phenomenon, build trust with targets over time using entirely innocuous communications. The request, when it comes, may be made in writing without the suspicious links or attachments that are easier for traditional security programs to flag. This example shows an attacker impersonating a CEO, Thomas Edison, asking an employee to change invoicing details. There is no link or attachment required, only text:

It’s clear that subtle and hard-to-detect techniques can have a potentially damaging effect on enterprises. So what are the main methods by which attackers compromise this trust in BEC attacks? What are common BEC techniques? Supplier / vendor fraud The dangers of external impersonation are becoming better understood, but there is still a learning curve for security leaders within enterprises. Every business has a finite number of employees, which makes it easier for security products to keep on top of potentially suspicious activity on “employee” email accounts. But all businesses have networks of suppliers and vendors, which dramatically increases the number of people attackers might choose to impersonate. (Download Tessian’s guide to email impersonation to see this effect in action.) CEO fraud CEO fraud is a type of spear phishing attack where attackers impersonate a CEO, CFO or another high-level executive. Attackers aim to trick the executive’s colleagues into carrying out actions that place data, money and/or credentials at risk. As with other BEC scams, the usual aim is to extract money from the targeted business by coercing an employee into making illicit wire transfers. Whaling Whaling is related to CEO fraud, with a key difference: instead of impersonating senior executives and targeting lower-ranking employees, attackers target the big fish themselves (hence the term). A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. This information can then be used to access confidential systems, or to make subsequent spear phishing attacks within the organization more authentic and effective. Because they tend to be very busy, and because of their access to key systems, senior executives can be especially profitable targets for attackers. Account takeover As covered above, ATO describes the unauthorized takeover of someone’s actual email account, using brute force hacking to harvest credentials before sending a fraudulent email from the target’s own account. ATO attacks are understandably extremely hard for traditional technologies to identify as the “genuine” email account is in use. Institutional impersonation Some of the most impersonated parties around the world are not necessarily businesses at all but institutions. Emails from entities like the IRS (HMRC in the UK), or a communication from a court, have the potential to worry people and cause them to react instinctively, rather than rationally. (It’s worth pointing out that the big tech companies, such as Microsoft and Netflix, are invariably among the most impersonated brands in the world, despite both companies employing DMARC to defend against spoofing.) The consequences of BEC As we’ve seen, the main motivation behind BEC attacks is commonly financial. But going after an organization’s finances can have wide-reaching consequences, also affecting intangible factors like company morale and brand reputation. Here are some of the main consequences cybersecurity leaders should be wary of. Data breach / credential harvesting Data breaches are rarely out of the press these days. One of the scams that resonates most with the media is credential harvesting and the stealing of user data. With organizations now holding more information on individuals (employees and customers) than ever before, these attacks can cause immense harm to people and to businesses. Financial losses Of course, a principal aim of BEC attacks is to extract money from targeted organizations. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account. When second-order financial penalties like fines are taken into account too, BEC can prove extremely damaging to organizations’ balance sheets. Fines Nowadays it’s hard to think of data breaches and email attacks without the associated fines brought about by new regulation. Currently, for instance, Yahoo is tackling an enormous class action suit with estimated damages of more than $100m. And legislation designed to make fines more than a slap on the wrist is now ramping up all over the world. In one of the first big GDPR fines, the UK’s Information Commissioner earlier in 2019 announced its intention to fine British Airways £183m after a 2018 data breach. Reputational damage It’s harder to quantify on a balance sheet, but after a BEC-triggered data breach, hard-won brand reputations could be put at serious risk. An email security failure can cause share prices to fall and affect organizations’ relationships with their customers. Another second-order effect could be knocking employees’ morale and denting confidence, making rebuilding work still more difficult. There are a wide range of reasons for businesses to protect themselves against Business Email Compromise, which raises the question: why are most business unprepared to defend against this threat?

Why rule-based technology does not stop BEC Simply put, security products have not moved as quickly as cyberattackers in predicting and preventing new and emerging threats. Secure Email Gateways do a great job of preventing run-of-the-mill spam and “bulk” phishing attacks, but they do this with static lists of rules that can only stop attacks the software has already seen. They simply aren’t cut out to defend against increasingly sophisticated attackers deploying social engineering techniques and exploiting human frailties in order to trigger dangerous actions. (Read our CTO Ed Bishop’s thoughts on Secure Email Gateways and other legacy technologies here.) BEC attacks are highly targeted towards particular individuals within organizations. Even the most vigilant employees can be foxed by a spear phishing scam if it is sent on a busy day, delivered in a particular tone, or perceived to be from an authoritative source. Indeed, some threats are confined to IP addresses hidden in email headers – undetectable by employees. That’s why organizations must invest in technology that explicitly protects theirpeople. And that’s where Tessian’s software, trained on over 1 billion emails, comes in. Our stateful machine learning engine learns what “normal” email communications look like within complex organizations. Using historical patterns and behavioral signifiers to understand relationships between internal and external parties, Tessian Defender identifies malicious impersonations before they have the chance to deceive employees. If you’re interested in learning more about Defender or our other Human Layer Security products, sign up for a demo here.

You may have heard of social engineering, but do you know what it is?

Social engineering basics The key difference between social engineering attacks and brute force attacks is the techniques that hackers employ. Instead of trying to exploit weaknesses in security software, a social engineer will use coercive language, a sense of urgency, and even details about the person’s personal or work life to influence the target to hand over information or access to other accounts or systems. 

How does social engineering work? There is no set (or foolproof) ‘method’ that cybercriminals use to carry out social engineering attacks. But, the goal is generally the same: they want to take advantage of people in order to obtain personal information or get access to other systems or accounts. Why? Personal data and intellectual property are incredibly valuable.  While you can read more about the “types” of data that are compromised in this blog: Phishing Statistics 2020, you can learn more about the different types of social engineering attacks below.  Types of social engineering attacks When we say “social engineering”, we’re talking about the exploitation of human psychology. But, hackers can trick people in a few different ways and are always working hard to evade security solutions.  Phishing and spear phishing scams Phishing is one of the most common types of social engineering attacks and is generally delivered via email.  But, more and more often, we’re seeing attacks delivered via SMS, phone, and even social media.  Here are three hallmarks of phishing attacks: An attempt to obtain personal information such as names, dates of birth, addresses, passwords, etc.  Wording that evokes fear, a sense of urgency, or makes threats in an attempt to persuade the recipient to respond quickly. The use of shortened or misleading domains, links, buttons, or attachments. Spear phishing attacks are similar, but are much more targeted. Whereas phishing attacks are sent in bulk, spear phishing attacks are sent to a single person or small group of people and require a lot more forethought. For example, hackers will research targets on LinkedIn to find out who they work with and who they report to. This way, they can craft a more believable email. Want to learn more? We’ve covered phishing and spear phishing in more detail in these blogs: How to Identify and Prevent Phishing Attacks How to Catch a Phish: A Closer Look at Email Impersonation Phishing vs. Spear Phishing: Differences and Defense Strategies  COVID-19: Real-Life Examples of Opportunistic Phishing Emails Pretexting  While pretexting and phishing are categorized separately, they actually go hand-in-hand. In fact, pretexting is a tactic used in many phishing, spear phishing, vishing, and smishing attacks.  Here’s how it works: hackers create a strong, fabricated rapport with the victim. After establishing legitimacy and building trust, the hacker will either blatantly ask for or trick the victim into handing over personal information.   While there is an infinite number of examples we could give, ranging from BEC scams to CEO Fraud, we’ll use a consumer-focused example. Imagine you receive a call from someone who says they work at your bank. The person on the other end of the phone (the scammer) tells you they’ve seen unusual transactions on your account and that, in order to review the transactions and pause activity, you need to confirm your full name, address, and credit or debit card number. If you do share the information, the scammer will have everything they need to access your bank account and even carry out secondary attacks with the information they’ve learned. Together with phishing, pretexting represents 98% of social engineering incidents and 93% of breaches according to Verizon’s 2018 Data Breach Incident Report.  Physical and virtual baiting Like all other types of social engineering, baiting takes advantage of human nature. In particular: curiosity. Scammers will lure the target in (examples below) before stealing their personal data, usually by infecting their computer with some type of malware. The most common type of baiting attack involves the use of physical media – like a USB drive – to disperse malware. These malware-infected USB drives are left in conspicuous areas (like a bathroom, for example) where they are likely to be seen by potential victims. To really drive interest, hackers will sometimes even label the device with curious notes like “confidential” or logos from the target’s organization to make it seem more legitimate.  In an effort to identify who the owner of the USB (or simply because they can’t help themselves) employees often plug the USB be into their computer. Harmless, right? Unfortunately not. Once inserted, the USB deploys malware.  Baiting doesn’t necessarily have to take place in the physical world, though. After the outbreak of COVID-19, several new bait sites were set up. These sites feature fraudulent offers for special COVID-19 discounts, lure people into signing up for free testing, or claim to sell face masks and hand sanitizer.  Whaling attack ‘Whaling’ is a more sophisticated evolution of the phishing attack. In these attacks, hackers use very refined social engineering techniques to steal confidential information, trade secrets, personal data, and access credentials to restricted services, resources, or anything with economic or commercial value.  While this sounds similar to phishing and spear phishing, it’s different. How? Whaling tends to target business managers and executives (the ‘bigger fish’) who are likely to have access to higher-level data.  But, it’s not just their access to data.  Whaling is also seen as an effective attack vector because senior leaders themselves are perceived to be “easy targets”. Leaders tend to be extremely busy, too, and are therefore more likely to make mistakes and fall for scams.  Perhaps that’s why senior executives are 12x more likely to be the target of social engineering attacks compared to other employees. How to defend against social engineering attacks According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 22% of breaches in 2019 involved phishing and other types of social engineering attacks. And, when you consider the cost of the average breach ($3.92 million) it’s absolutely essential that IT and security teams do everything they can to protect their employees. Here’s how: 1. Put strict policies in place The best place to start is by ensuring that you’ve got strong policies in place that govern the use of company IT systems, including work phones, email accounts, and cloud storage.  For example, you could ban the use of IT systems for personal reasons like accessing personal email accounts, social media, and non-work-related websites. You can learn more about why accessing personal email accounts and social media on work devices is dangerous on this blog: Remote Worker’s Guide to: Preventing Data Loss.  2. Educate your workforce Awareness training is key to help employees understand social engineering risks, learn how to spot these types of attacks, and what to do if and when they are targeted.  In addition to quarterly training sessions either online or in-person, organizations can also invest in phishing simulations. This way, employees get some “real-world” experience, without the risk of compromising data. But, it’s important to note that training alone isn’t enough. We explore this in detail in this blog: Pros and Cons of Phishing Awareness Training.  3. Filter inbound emails 90% of all data breaches begin with email. It’s one of the most common attack vectors used by hackers for social engineering purposes, and more.  But, with the right threat management tools, IT and security teams can mitigate the risk associated with social engineering attacks by monitoring and filtering inbound emails.  It’s important that solutions don’t impede employee productivity, though. For example, if a solution issues false positives, employees may become desensitized to warnings and end up ignoring them instead of heeding the advice.  Tessian protects employees from inbound email threats without getting in the way. How does Tessian detect and prevent social engineering? Powered by machine learning, Tessian Defender analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO Fraud, BEC, spear phishing, and other targeted social engineering attacks. Best of all, it does all of this silently in the background in real-time and, in-the-moment warnings help bolster training and reinforce policies. That means employee productivity isn’t affected and security reflexes improve over time. To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today.

Over the last several months, “social engineering” has been making headlines more and more frequently. But, before we dive into real-world examples of social engineering attacks, let’s define exactly what social engineering is. Social engineering attacks are a type of cybercrime wherein the attacker fools the target through impersonation. They might pretend to be your boss, your supplier, someone from our IT team, or your delivery company. Regardless of who they’re impersonating, their motivation is always the same — extracting money or data. So, what’s the biggest threat vector for social engineering attacks? Email. Why do hackers do it? According to Verizon’s 2020 data breach report, money. In fact, the rates of financially-motivated social engineering attacks doubled between 2018 and 2019 and continued to increase after the outbreak of COVID-19. In this article, we’ll look at six real-world examples of social engineering attacks — some big and some recent — all using different techniques. We’ll also tell you how to avoid falling victim to these sorts of attacks. 1.  $100 Million Google and Facebook Spear Phishing Scam The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook. Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimsauskas also set up bank accounts in the company’s name. The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million. How to Prevent Spear Phishing The Rimasauskas case is a classic example of a spear phishing scam. The attacker hacks or impersonates a trusted person and then “spears” specific individuals.  Spear phishing is more convincing than regular, “spray and pray” phishing because they’re highly targeted. An attacker might also be impersonating someone with whom the target communicates regularly. They may have a near-identical email address, with a very subtle change in the domain name (for example, [email protected] becomes [email protected]–name.com).  You can read more about email impersonation on our blog. Unfortunately, humans — even those working at the world’s most powerful tech firms — sometimes don’t spot small changes. It could be because they’re distracted or over-worked, or it could simply be because the email was a convincing fake. Whatever the reason, it’s important people aren’t left as the last line of defense.  The best thing you can do to prevent spear phishing scams, then, is to implement technology that protects against advanced impersonation attacks like spear phishing.  Tessian Defender’s stateful machine learning technology understands each employee’s inbox inside-out and can detect anomalies in email addresses, body copy, and more. That’s how it distinguishes between safe emails and suspicious ones, alerting the target when a phishing attack occurs. Looking for more resources? These might help.  What is Spear Phishing? Defending Against Targeted Email Attacks What Does a Spear Phishing Email Look Like? Phishing vs. Spear Phishing: Differences and Defense Strategies  2. Deepfake Attack on UK Energy Company In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier” — a bank account that actually belonged to a scammer. This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.”   To learn more about how hackers use AI to mimic speech patterns, listen to Nina’s discussion about deepfakes with Elvis Chan, Supervisory Special Agent at the FBI at Tessian Human Layer Security Summit. How to Prevent Deepfake Attacks Deepfakes are an emerging threat that could soon become a widespread problem. 74% of IT leaders think deepfakes threaten their organizations’ and their employees’ security. But there are some steps you can take to protect your business from this new type of fraud. Make a habit of verifying telephone requests via another medium, e.g., email or SMS. This is a type of 2-Factor Authentication (2FA) — a security step that you should implement across all channels. If a caller insists that the request is urgent, try to verify their identity in another way —  such as by asking them some specific detail about the office or an event you both attended. Work closely with your IT department to log all suspicious activity and security incidents. For more information about deepfakes, read this article: Deepfakes: What are They and Why are They a Threat? 3. $60 Million CEO Fraud Lands CEO In Court Chinese plane parts manufacturer FACC lost nearly $60 million in a so-called “CEO fraud scam” where scammers impersonated high-level executives and tricked employees into transferring funds. After the incident, FACC then spent more money trying to sue its CEO and finance chief, alleging that they had failed to implement adequate internal security controls. While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.  How to Prevent CEO Fraud It’s easy to see why CEO fraud is a successful type of social engineering attack. Imagine working late at the office one day. You get an email from the CEO herself, asking you to make some last-minute amendments to an invoice. The tone is urgent, the email looks genuine, and you have a chance to impress the top boss — why wouldn’t you go ahead and do it? CEO fraud is a common form of Business Email Compromise (BEC). Using impersonation techniques, scammers can send emails using your CEO’s display name, or email addresses that are nearly indistinguishable. Alternatively, hackers can hijack your CEO’s email account. Tessian’s machine learning technology knows what your CEO’s emails should look like and can alert employees to tiny differences in email addresses and even subtle deviations from their “normal” tone. Learn more about how Tessian prevents CEO Fraud at some of the world’s leading businesses. Read customer stories here. 4. $75 Million Belgian Bank Whaling Attack Perhaps the most successful social engineering attack of all time was conducted against Belgian bank Crelan. While Crelan discovered its CEO had been “whaled” after conducting a routine internal audit, the perpetrators got away with $75 million and have never been brought to justice. Crelan fell victim to “whaling” — a type of spear-phishing where the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds. You can read more about whaling here: Whaling Email Attacks: Examples & Prevention Strategies. How to Prevent Whaling In defending against whaling attacks, the same principles apply as when defending against spear phishing and CEO Fraud. In addition to making sure employees – including senior executives – are trained on how to spot impersonation attacks, you need to implement email security solutions to detect and prevent successful inbound attacks.  To learn more about how Tessian bolsters training, reinforces policies and procedures, and stops threats – all without disrupting employee’s workflow – book a demo.  5. High-Profile Twitters Users’ Accounts Compromised After Vishing Scam In July 2020, Twitter lost control of 130 Twitter accounts, including those of some of the world’s most famous people — Barack Obama, Joe Biden, and Kanye West.  The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes — before Twitter could remove the tweets — the perpetrator had earned around $110,000 in Bitcoin across more than 320 transactions. Twitter has described the incident as a “phone spear phishing” attack (also known as a “vishing” attack). The calls’ details remain unclear, but somehow Twitter employees were tricked into revealing account credentials that allowed access to the compromised accounts. Following the hack, the FBI launched an investigation into Twitter’s security procedures. The scandal saw Twitter’s share price plummet by 7% in pre-market trading the following day. How to Prevent Vishing Vishing attacks typically utilize “Voice over Internet Protocol” (VoIP) technology in order to fake their caller ID. Attackers can also use “war diallers” to contact many people in a short period. The attack may start with a recorded message directing the target to call back. The key to protecting your business from vishing attacks is staff training. Ensure your employees understand what a vishing attack might sound like (the caller has an urgent tone or offers unexpected benefits), and make it clear that they should never respond to such a call. You can read more about vishing on our blog. 6. Texas Attorney-General Warns of Delivery Company Smishing Scam Nearly everyone gets the occasional text message that looks like it could be a potential scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it. Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx. The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details. The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission. How to Prevent Smishing While 96% of phishing occurs via email, smishing is an increasingly serious threat to individuals and businesses. Consumer Reports claims that the Federal Trade Commission (FCC) received 93,331 complaints about fraudulent text messages in 2018 — a 30% increase from 2017. Smishing scams follow the same patterns as other social engineering attacks. Smishing text messages are typically urgent in tone, claiming that the target is in danger or a fine or have been the victim of credit card fraud. Or they may claim that the target has won a prize, or is owed a tax refund. So, how do you avoid falling victim to a scam? In the workplace, security teams should ensure employees exercise the same caution when responding to text messages as they do with emails.  Top tip: Never to respond to any suspicious message, click links within SMS messages, or reveal personal or company information via SMS. Prevent social engineering attacks in your organization While we’ve included three tips to help you detect social engineering attacks in this blog: What is Social Engineering? 4 Types of Attacks, it’s important to remember that these scams – whether delivered by email, text, or voicemail, are really, really hard to spot. That’s why technology is essential and where Tessian comes in. Powered by machine learning, Tessian Defender analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO Fraud, BEC, spear phishing, and other targeted social engineering attacks. Best of all, it does all of this silently in the background in real-time and, in-the-moment warnings help bolster training and reinforce policies. That means employee productivity isn’t affected and security reflexes improve over time. To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today.