Happy Sunday everybody! So far here in Chi Town we have had above normal temperatures, which is good for us. I will take that any day of the week. As we start out 2021, there is one new theme that has been coming out in the news headlines even more rampantly than I can ever recall: The sheer explosion of Phishing based Emails.
My only thought on this is that we just got off the Holidays and are now approaching tax season (YUK). Plus, we are in the middle of the COVID19 vaccine rollout, and there are plenty of Cyber issues going on with that as well.
Now, I have written extensively about Phishing attacks (heck, I even wrote an entire infographics newsletter based on just that), and have recommended tips and ideas on how to spot a Phishing Email and the steps you need to take to protect yourself.
But given the extraordinary times we are in right now, I felt that a quick refresher on a specific variant of it, known technically as “Business Email Compromise” or “BEC”, is warranted.
So you might be asking what it is all about? Well, it is a type of Phishing Email that asks specifically for money. Of course in the end they all do, but this one is different in that it targets (at least on a general level) two different kinds of work-related people.
Namely, the CEO (or somebody else in the C-Suite) and their administrative assistant. There are three main types of these kinds of attacks, so here is a breakdown of them:
*The compromising of work login credentials:
In this situation, as its name implies, the primary goal is to literally heist the login credentials of an employee (typically their username and password combination), and from there move laterally across the IT and Network Infrastructure of the targeted business. The objective here is to eventually get hold of the login credentials of the C-Suite, and from there use them to send out phony Emails to external, third party suppliers. Typically, these Emails ask the vendor to wire a payment right now (often claiming it is past due when it may not really be). If not, their business contract will be terminated. Of course, not wanting to lose out on the business, the vendor will hastily arrange to send over the required money per the instructions of the Phishing Email, and of course, it will end up in some offshore account of a nation state threat actor. In fact, this has gotten so bad that in a recent survey, over 56% of these third-party suppliers actually fell victim to this kind of attack. More information about this study can be seen here at this link:
But it is important to note here that these kinds of Cyber attacks may not happen entirely in the digital world. For example, the Cyberattacker may first use Social Engineering tactics to lure the administrative assistant (or another lower ranking employee, for lack of a better term) and con them into giving access to some location of the company. From there, a backdoor has been created for the Cyberattacker to enter very easily. Keep in mind that once they are in, they will stay in for as long as they want or can, without being detected. They do this by moving one inch at a time, so that no malicious behavior or suspicious activity gets picked up. Once they have done that, anything can happen, because they now understand, to some degree or another, the weaknesses and vulnerabilities of your IT and Network Infrastructure.
*The CEO Fraud:
In this kind of Phishing attack scheme, an impostor will pose as an actual member of the C-Suite of the targeted company. You may be thinking at this point how this can be accomplished, since the administrative assistant should know what their CEO looks like, right? Well actually, you are wrong. In many cases, people still get tricked by this. The key here is that the Cyberattacker is not actually visiting the brick and mortar premises of the business, but rather, once again, is making use of Social Engineering tactics. So for example, a Cyberattacker could reach out to the administrative assistant and directly ask him or her to send money to a specified account, which of course is once again a phony offshore account. One trick that could be used here is the power play, whereby the Cyberattacker (posing as a member of the C-Suite) uses intimidation to instill a fear of job loss in the administrative assistant if they do not follow the instructions exactly. Also, given the availability of AI tools today, it is quite possible for the Cyberattacker to even record a phone call like this ahead of time, making the voice sound as authentic as possible. And given how everybody is now working from home and virtually, it is highly expected that this kind of threat variant will really take off in 2021.
*Targeting the Finance Department:
In this kind of Phishing attack vector, the Cyberattacker is often targeting the administrative assistants of the Accounting or Finance Department. Using already heisted login credentials (as just described), they will send out phony, but very authentic looking, invoices for payment. The only difference is in the routing and account numbers that are used (which, once again, belong to the phony overseas account). Since the administrative assistants are typically busy, they just assume the invoice is real, and do not cross check the validity of either the wire or the ACH information that is used.
My Thoughts On This:
The use of BEC Phishing attacks has become so devastating that, according to the APWG Phishing Activity Trends Report, the average financial loss to a business in Corporate America was pegged at $80,183.00, which represents a 32% increase from Q1 of the same year.
What is interesting about the BEC style attacks is the individual that is targeted – namely the administrative assistants. Normally, the Cyberattacker will go after just about anyone they can that shows a lot of vulnerability, but this group of workers is much more prone to Social Engineering tactics – primarily because of the pressure that they are under, and the fear of job loss if they do not obey the instructions that are sent to them.
The tactics of Social Engineering typically require no malicious links or attachments – all that is needed is a good phone connection and a very authentic sounding voice on the other end. And as a result of this, they often go undetected, because they can very easily fly under the radar. Thus, this is now starting to become the favored launch vector for initiating a BEC attack.
So in the end, what can be done to avoid these kinds of attacks? Keep in mind that there is just one common denominator here – the wiring and/or transfer of money. It does not matter who you are in your company, if you ever get an Email like this or even a phone call, always forward that one to the IT Security team and the relevant department in your company.
For any invoice that has to be paid or any money that is requested, there must be an irrefutable paper trail created in the process. This is the only proof positive that a request for a money transfer is legitimate. Although it may take some time to do this, if there is no such paper trail in existence, then you can be almost certain that you could become a victim of a BEC Phishing attack, which can be avoided by doing these simple checks.
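As an added example (not from the original post), here is a small Python checker that applies the cross-checks described above to an incoming invoice before anything is paid: it compares the sender domain and the wire/ACH routing and account numbers against the vendor record on file, validates the ABA routing number checksum, and flags the pressure phrasing (past due, wire right now, contract terminated) that BEC Emails lean on. The vendor master record, domains, phrase list and sample invoices are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed vendor master: the bank details and mail domain on file for each
# approved supplier (sample data, not a real vendor or bank account).
VENDOR_MASTER = {
    "Acme Supplies": {"routing": "021000021", "account": "123456789",
                      "domain": "acmesupplies.example"},
}

# Pressure phrases typical of BEC invoices; constructed list, tune to your mail flow.
PRESSURE_PHRASES = ("past due", "right now", "immediately", "terminated", "wire", "urgent")


@dataclass
class Invoice:
    vendor: str
    sender_domain: str
    routing: str
    account: str
    body: str


def valid_aba(routing: str) -> bool:
    """ABA routing number checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) mod 10 == 0."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def check_invoice(inv: Invoice, master=VENDOR_MASTER) -> list:
    """Return the reasons this invoice must be verified out-of-band (by phone, on
    the number already on file) before payment; an empty list means every field
    matched the vendor master record."""
    flags = []
    record = master.get(inv.vendor)
    if record is None:
        return ["unknown vendor: no master record on file"]
    if inv.sender_domain.lower() != record["domain"]:
        flags.append(f"sender domain {inv.sender_domain!r} != vendor domain {record['domain']!r}")
    if not valid_aba(inv.routing):
        flags.append(f"routing number {inv.routing!r} fails ABA checksum")
    if inv.routing != record["routing"] or inv.account != record["account"]:
        flags.append("bank routing/account differs from vendor master record")
    hits = [p for p in PRESSURE_PHRASES
            if re.search(r"\b" + re.escape(p) + r"\b", inv.body, re.IGNORECASE)]
    if len(hits) >= 2:
        flags.append("pressure language: " + ", ".join(hits))
    return flags
```

Anything that returns a non-empty list goes to the IT Security team and Accounts Payable rather than to the wire desk, and the phone confirmation that clears it becomes part of the paper trail.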
There is yet another reason to take the time to do this: If you fell victim to this kind of scheme, and actually initiated the wire transfer, you could still be held legally responsible to a certain degree as well, because you have now become what is known as a “Money Mule”. More about this in a future blog, so stay tuned for it.