
Public Data and Social Media Help Email Scammers Refine Attacks

What you post on social media and dating apps may also help scammers behind business email compromise attacks to craft more effective schemes in the event they try to phish you, according to a researcher who spoke at RSA.

By Michael Kan, Principal Reporter


It's tempting to think that you'll never fall for a phishing email attack. But the bad guys have lots to work with. Social media, dating apps and past data breaches have all become resources email scammers are exploiting to craft schemes that can fool businesses into giving up millions.

"We are setting ourselves up for our data to be used against us," said Anne Connell, a cybersecurity engineer at Carnegie Mellon University's Software Engineering Institute, who spoke at RSA.

Connell has been researching a specific threat called business email compromise or CEO Fraud, which involves the scammers tricking companies into wiring them a large sum of money. To pull this off, the scammers will impersonate a company executive or a trusted supplier. They'll then send off legitimate-looking, but ultimately fraudulent emails requesting a wire transfer from an unsuspecting staff member, like a secretary, accountant or chief financial officer.

In many cases, the attacks can work. In 2017, the scams resulted in $675 million in losses for US businesses, according to the FBI.

The attacks remain a persistent threat because they're easy to launch. But that doesn't mean the scammers aren't doing their homework. According to Connell, the scammers have been refining their attacks with the help of online public data. By conducting searches on platforms such as LinkedIn, Facebook, OkCupid and Tinder, the attackers can learn more about a potential company employee they wish to impersonate.

[Figure: BEC timeline. Credit: RSA Conference.]

Connell pointed to a 2015 case involving a Nigerian citizen who successfully phished one company in Texas by learning details about its CEO over Facebook, and then impersonating him. "(The attacker) knew who his secretary was, knew who the business administrators would be, and put a lot of detail into the email," she said. "They knew from (the CEO's) Facebook page that he coached his daughter in soccer games. They added that into the email to make it more valid."

Since then, the email scammers have upped their game. In 2018, investigators arrested 74 people, who were all allegedly part of a business email compromise operation targeting hundreds of victims. Specifically, the scammers had created a hit list of 200 chief financial officers to phish with fraudulent wire requests. They chose these CFOs because none had previously suffered a business email compromise attack, Connell said.

In other cases, the scammers will research companies for employees who work from home, and thus have little interaction with other staff, making them more susceptible to a potential attack. "They're really looking into who's the best person to hit, what their role is," she said.

To research their targets, the scammers will look up company webpages for lists of employees. They can also tap digital black markets on the Dark Web to find additional information on their victims in past data breaches.

The scammers are also well aware of how US law enforcement works. According to Connell, sometimes they'll steal just under $25,000 from victimized organizations. Any more crosses a threshold that can require a local attorney general to investigate the fraudulent wire request if it's been reported as a crime. "So repeated attacks for smaller amounts, amount to something that they (law enforcement) might not investigate," she added.

Connell told PCMag that going forward the attacks will only get worse. According to her research, local authorities are swamped with complaints about business email compromise schemes. "Not only are they (the attackers) going after CEOs," she added. "They are now hitting small and medium businesses."

To ward off the threat, Connell recommends businesses educate their employees about the threat and implement safeguards around sending wire transfers. For example, employees should phone their CEO before approving major fund transfers.

"If you can't reach the people that can verify, wait until Monday," she added.

[Figure: BEC advice.]

Businesses can also consider using email providers that have clearer warnings about suspicious email messages, like those that come from non-company internet domains. "You could solve this with better UI (user interface)," Connell said. The FBI has more tips here.
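A sketch of the kind of warning logic described above, added here as an example and not taken from the article, Connell's talk or any email provider: it labels mail from a non-company domain, and escalates when that mail carries an executive's name or asks for a payment. The company domain, executive names, payment terms and sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"               # assumed company mail domain
EXECUTIVES = {"dana reyes", "sam okafor"}    # assumed executive display names
PAYMENT_TERMS = re.compile(r"\b(wire|bank details|payment)\b", re.I)

# Constructed sample messages (not real mail).
SAMPLE_SPOOF = ("From: Dana Reyes <dana.reyes@example-corp.test>\n"
                "To: ap@example.com\nSubject: Urgent wire transfer\n\n"
                "Please process the wire transfer today.\n")
SAMPLE_INTERNAL = ("From: Dana Reyes <dana.reyes@example.com>\n"
                   "To: ap@example.com\nSubject: Lunch\n\nSee you at noon.\n")


def is_internal(address: str, company_domain: str = COMPANY_DOMAIN) -> bool:
    """True only for the company domain itself or one of its subdomains.

    Exact/suffix matching avoids treating 'example.com.evil.test' or
    'notexample.com' as internal, which a substring check would do.
    """
    domain = address.rpartition("@")[2].lower().rstrip(".")
    return domain == company_domain or domain.endswith("." + company_domain)


def bec_warnings(raw: str) -> list[str]:
    """Return the warning labels a mail client could show above the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, address = parseaddr(str(msg.get("From", "")))
    part = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (part.get_content() if part else "")

    warnings = []
    if not is_internal(address):             # a missing From also lands here
        warnings.append("EXTERNAL_SENDER")
        # Executive's name on an outside address: the impersonation pattern.
        if " ".join(display.lower().split()) in EXECUTIVES:
            warnings.append("EXECUTIVE_NAME_ON_EXTERNAL_ADDRESS")
        # Payment request from outside: prompt out-of-band phone verification.
        if PAYMENT_TERMS.search(text):
            warnings.append("PAYMENT_REQUEST_VERIFY_BY_PHONE")
    return warnings
```

The check only reads the From header, so it complements rather than replaces sender authentication, and it does nothing for mail sent from a genuinely compromised internal account.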
