The FBI this week published a statement warning of a “dramatic rise” in business email compromise scams, also known as CEO fraud scams, which spoof company emails to pose as the company’s CEO, a company attorney, or a trusted vendor, and target employees who manage money, fraudulently requesting wire transfers.
“Victims range from large corporations to tech companies to small businesses to non-profit organizations,” the FBI stated. “Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.”
From October 2013 to February 2016, law enforcement received reports from 17,642 victims of such scams, with total losses of more than $2.3 billion.
Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
Andrew Komarov, chief intelligence officer at InfoArmor, told eSecurity Planet by email that C-level executives make particularly attractive targets for these types of attacks. “Typically, such victims may have a low level of security awareness, and use many devices, including mobile, which have different levels of security,” he said. “This makes them vulnerable to targeted attacks, mostly through phishing and drive-by download attacks organized from ‘spoofed’ sources to look like trusted accounts.”
And Paul Jespersen, vice president of enterprise business development and emerging products at Comodo, said by email that these attacks are far more targeted than the generic phishing schemes of the past. “They… use social engineering, public information and social media to send convincing emails from what appears to be a trusted executive, attorney or associated vendor asking for wiring of a reasonable amount of money — as not to raise red flags,” he said. “They put in this effort because they know that people are likely to fall for these well-executed schemes if they can be made to believe they are authentic requests.”
Proficio president Tim McElwee suggests taking the following steps to protect yourself:
- Internal education – undertake organization-wide phishing awareness training and ensure finance department personnel are familiar with this type of scam.
- Require validation of new banking information with trusted accounting contacts at suppliers and business partners.
- Identify lookalike email domains that could be used by scammers in the above scenarios and create email filters to treat these emails as spam.
- While you could also block the source IP of the attack, expect that future attacks will come from a different IP address.
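As an added example (not from the article or from Proficio), a minimal version of the lookalike-domain filter the third step describes: it folds common look-alike characters and flags sender domains within a small edit distance of a trusted domain. The trusted domains and the homoglyph table are constructed assumptions.

```python
# Added example: flag inbound sender domains that imitate a trusted domain so the
# mail gateway can route them to spam or quarantine instead of the finance team.

# Constructed list of domains the organization treats as trusted (assumption).
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplier.net"}

# Visually similar substitutions to fold back to ASCII (hypothetical, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain):
    """Lower-case a domain and fold look-alike characters to their base letter."""
    d = domain.lower().strip()
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming (one row kept at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain a sender domain imitates, or None.

    An exact match is legitimate mail; anything within max_distance edits of a
    trusted domain after homoglyph folding is treated as a lookalike.
    """
    if sender_domain.lower() in trusted:
        return None
    norm = normalize(sender_domain)
    for t in trusted:
        if norm == t or edit_distance(norm, t) <= max_distance:
            return t
    return None


def filter_decision(from_address):
    """Gateway verdict for one From: address: 'deliver' or a spam reason."""
    target = lookalike_of(from_address.rsplit("@", 1)[-1])
    return f"spam (lookalike of {target})" if target else "deliver"
```

Tune max_distance to the length of your domains: very short domains need a lower threshold or the filter will start catching unrelated senders.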
A recent Mimecast survey of 436 IT experts in the U.S., U.K., Australia and South Africa found that 67 percent of respondents had experienced an increase in attacks designed to initiate fraudulent payments since January.
“Email remains a highly popular attack vector for cybercriminals, for good reason: it is one of the most direct paths to entry into the enterprise, and it relies heavily (and all too often, successfully) on human behavior to assure initial penetration,” 451 Research information security research director Scott Crawford said in a statement. “This means that attackers will continue to prioritize email — and defenses must level up accordingly.”