You’ve heard the rap – Bitcoin, overpriced stocks, Ponzi schemes – there’s always a new “get rich quick” strategy out there, but most successful business people (and IT experts) know that if something’s too good to be true, it probably is. Unfortunately, in the case of fraud, what’s most dangerous is not the one that promises you more, but the one that tries to sneak into your to-do list.
Targeted Phishing scams fit this definition, and are exactly the type of fraud that every IT person should know how to stop. They are also known as “Business Email Compromise” or BEC, and according to the FBI businesses have lost nearly $5.3 Billion since 2015 alone to these types of attacks by sending phony invoices, changing wiring instructions or other means of diverting funds, and actually stealing huge payments in the process!
So, while users in businesses may once in a while fall for too-good-to-be-true schemes that lose a company money or compromise their network (and feel like an idiot as a result), inadvertent diversions of funds are difficult to detect even after they’ve occurred. They’re the most dangerous fraud today not only because of how effective they can be, but also because of the frequency with which they seem to take place in every type of business. Nearly 400 different businesses were targeted by BEC and Targeted Phishing Scams every day in 2017, and by all indications that average has only increased thus far this year.
Old Wine in New Bottles
Similar to conventional false billing scams that are still common through mail today, targeted phishing scams look for dollars or access to high-value email accounts within your business. Sent as “requests for payment” with fake invoices via email, targeted phishing scams use familiarity, urgency and inattention to take advantage of businesses and their employees, and are becoming a formidable challenge for IT specialists.
Fundamentally, targeted phishing is possible because of issues with the structure of email. While spam can often be identified on the basis of recognizable spam content, IP address or domain age and other signatures, targeted phishing is a subtler attack that can use “lookalike” domains, spoof “header from” email addresses or even mismatch reply-to addresses with seemingly legitimate “header from” addresses.
There are a variety of cases where targeted phishing has been successful, like when one Washington D.C. couple lost over $1 million to a title agency’s compromised account, only to turn around and sue the agency, or where Facebook and Google were together bilked out of $100 million by a Lithuanian man posing as a Taiwanese electronics manufacturer. The amounts and audacity of these attacks may vary, but the methods of the perpetrators are strikingly similar.
What’s Inadequate About Conventional Email Filtering?
Most solutions already deployed by businesses fail to account specifically for these tactics in order to weed out malicious messages. Protocols like SPF and DMARC may help prevent these in some cases, but realistically they are built for general message authentication and to stop large-scale credential phishing, not to weed out targeted attacks that take time to set up and groom. Just like when Hollywood villains plan to rob a bank, these are processes that can typically require weeks or months of reconnaissance, including bulk mail attempts, testing of an organization’s user email structures, phrasing, signatures and security infrastructure, along with extensive collection of details or processes that need to be followed in order to get away with a scam clean.
What’s more, attackers may also leverage compromised accounts within whitelisted domains or organizations using O365 and other cloud email services, dressing their messages up as conventional password-reset emails and then compromising more accounts. As attackers continue to do this, they use one compromised account to generate more compromised accounts, until they find accounts that authorize and direct financial transactions, and then change wiring instructions to offshore accounts that they control.
Your conventional spam filter is built to score and weed out emails based on recognizable waves of unwanted or malicious content, all of which share common links (like the aforementioned IP address and domain age). Targeted phishing, however, can drive tens of thousands if not millions of dollars in revenue from a single attack, so attackers are willing to park and age convincing lookalike domains (think Walmart.com, but with an upper-case “i” in place of the “l”) in order to bypass traditional filtering methods.
Because these attacks rely on deceiving users and engineering their behaviour, stopping them requires very specific sets of tactics and strategies, like identifying lookalike domains along with the phrases and keywords that are often included in targeted phishing or BEC scams (like “urgent transfer required”). Benign-seeming Office documents could also be leveraged as fake invoices, further complicating the matrix of identifiable content that can be used to stop targeted attacks while also letting legitimate requests through.
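The three signals described above (a lookalike sender domain, a Reply-To that does not match the “header from” domain, and BEC wording such as “urgent transfer required”) can be checked mechanically at the mail gateway. The following is an added example, not Vircom’s product code; the homoglyph table, the phrase list and the sample message are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Confusable character pairs, folded before lower-casing so that an upper-case
# "I" standing in for "l" (the Walmart example in the text) is still caught.
HOMOGLYPHS = [("I", "l"), ("1", "l"), ("0", "o"), ("rn", "m"), ("vv", "w")]
# Constructed BEC phrase list; a real deployment would tune this per organization.
URGENCY_PHRASES = ("urgent transfer required", "wire instructions", "change of bank details")


def skeleton(domain: str) -> str:
    """Fold confusable characters so a lookalike domain collapses onto the brand's."""
    for src, dst in HOMOGLYPHS:
        domain = domain.replace(src, dst)
    return domain.lower()


def domain_of(header_value) -> str:
    """Bare domain (case preserved) from 'Display Name <user@host>'; '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2]


def analyse(raw: str, trusted: set) -> list:
    """Return findings for one message: lookalike sender, Reply-To mismatch, urgency wording."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    # An exact trusted domain is fine; a skeleton match on a different string is a lookalike.
    for t in trusted:
        if from_domain.lower() != t and skeleton(from_domain) == skeleton(t):
            findings.append(f"lookalike-domain:{from_domain}~{t}")
    if reply_domain and reply_domain.lower() != from_domain.lower():
        findings.append(f"reply-to-mismatch:{reply_domain}")
    text = (msg["Subject"] or "") + " " + msg.get_body(preferencelist=("plain",)).get_content()
    for phrase in URGENCY_PHRASES:
        if phrase in text.lower():
            findings.append(f"urgency-phrase:{phrase}")
    return findings


# Constructed sample, not a real message: lookalike domain (capital i for l),
# mismatched Reply-To and BEC-style wording all in one mail.
SAMPLE = """\
From: "Accounts Payable" <ap@WaImart.com>
Reply-To: payments@invoice-desk.example
To: cfo@example.org
Subject: Urgent transfer required - invoice 4471
Content-Type: text/plain

Please note our change of bank details before releasing payment today.
"""
```

Running `analyse(SAMPLE, {"walmart.com"})` reports all three signals; a message from the genuine domain with no Reply-To and neutral wording returns an empty list, which is what keeps legitimate invoices flowing.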
Attackers Keep Moving the Goalposts
Of course, simply stopping urgent invoice requests and other key phrases or mail envelope fraud tactics isn’t enough. As filtering and protection improves, attackers update their techniques. For instance, cyber security experts often recommend “multi-factor authentication” before following up on unexpected requests.
In more direct language, this means picking up the phone and calling somebody to make sure a fund transfer request you received from them is legitimate. Attackers have picked up on this, and now they not only make fake invoices look as legitimate as possible, but also follow up with phone calls pretending to be foreign suppliers or known-but-unfamiliar vendors to “verify” what is actually a fraudulent transfer.
In the course of a busy day, how can employees sufficiently modify their behaviour? The truth is, they can take small steps, but it’s better that security is specialized to those who can do the most about it, and when it comes to email that falls squarely on the IT admin’s broad and ready shoulders. However, as attackers move these “goalposts” and adapt to new protection methods, how are you supposed to choose a solution that makes your job easier as well?
Prevention Requires Specific Solutions
It’s not only the known tactics that you need protection against, but the unknown and yet-undiscovered ones as well. In looking for a solution, consider ones that leverage the power of cutting-edge machine learning technologies to recognize and discover commonalities between billions of malicious messages delivered every day. Thus, as something new emerges or occasionally gets through, your protection is always able to stop it – even if it’s part of the latest headline-making, soul-destroying cyber attack.
In the past, many email protection providers may have thought of email filtering as a one-size-fits-all solution, meant to be “set-and-forget” and function at near 100% efficiency while limiting the participation of IT stakeholders. Time has proven this approach to be imperfect, as the latest explosion of email attack frauds, styles and vectors has put IT admins and cybersecurity specialists on their heels.
In our view, the only response that creates a sufficiently secure environment for end-users and organizations is tactics-focused, BS-wary vigilance that ultimately drives down the profits of fraudsters everywhere. When looking for a solution, look for one that addresses the specific attacks that need to be stopped, or we may just have to remind you of what we’ve always said before – if it’s too good to be true, it probably is!
Mike Petsalis, CEO of Vircom
Image Credit: wk1003mike / Shutterstock