Business email compromise (BEC) is generating huge sums of money for criminals but not getting as much attention as ransomware.
Recently in Singapore, reports have shown more people falling victim to phishing scams.
A 7% increase was reported for January to June 2019, bringing the total to 692 cases and S$2.2 million in losses, with the largest single loss at S$82,120.
Most recently, supermarket group Sheng Siong issued a scam advisory to the public warning of an SMS that was sent out in its name, which notified customers of a fake “August Draw” win. Companies such as SBS Transit, Lazada and Singapore Airlines are also warning consumers to be on their guard against online scams which are using their brand names to try to dupe victims for money.
Such scams are just one of the ways cybercriminals make money. In response, the Singapore Police Force has set up a new Anti-Scam Centre (ASC) within the Commercial Affairs Department, with the mandate of disrupting scammers’ operations and helping to mitigate victims’ losses.
While cybersecurity awareness has increased, people are still falling victim because cybercriminals have stepped up their game. We can no longer rely on the obvious tell-tale signs of phishing from the past, such as spelling mistakes, wild promises, unbelievable threats or messed-up web pages.
Such phishing scams apply to the corporate world as well. Business Email Compromise (BEC) is another big money machine for cybercriminals. It combines social engineering with phishing techniques to trick targeted individuals at organizations into transferring funds or data; common approaches include hacking email accounts, spoofing the email addresses of senior executives, compromising trusted supplier emails, and spoofing bank and lawyer emails.
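The spoofing approaches listed above leave traces in the message headers that a mail gateway rule or a SOC triage script can check before a finance user ever sees the message. The following is an added example written for this page, not code from the article or from Sophos; the company domain example.com, the executive list and both sample messages are constructed for the demonstration.

```python
"""Flag executive-impersonation and reply-to tricks used in BEC email.

Added example, not code from the article or from Sophos. The domain,
the executive directory and the two messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organisation data (assumptions for the example).
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address

# Constructed sample: the CEO's display name on a webmail address, with a
# Reply-To that sends any answer to a lookalike of our own domain.
SPOOFED = b"""\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <jd-office@examp1e.com>
To: finance@example.com
Subject: Urgent wire
Message-ID: <abc@gmail.com>

Please process the attached transfer today. I am in a meeting, email only.
"""

# Constructed sample: a genuine internal message for comparison.
LEGIT = b"""\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 numbers
Message-ID: <def@example.com>

Attached are the Q3 figures.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str, ours: str) -> bool:
    """Crude check for a domain that differs from ours by exactly one
    character (e.g. examp1e.com for example.com)."""
    if domain == ours or len(domain) != len(ours):
        return False
    return sum(a != b for a, b in zip(domain, ours)) == 1


def bec_indicators(raw: bytes) -> list[str]:
    """Return a list of human-readable BEC indicators found in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name matches an executive but the address is not theirs.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append(f"display-name impersonation of {real} from {from_addr}")

    # 2. Reply-To diverges from From: replies would go to a different mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_addr and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from {from_domain}")

    # 3. Lookalike of our own domain in either sender field.
    for d in {from_domain, reply_domain}:
        if lookalike(d, OUR_DOMAIN):
            findings.append(f"lookalike domain {d}")

    # 4. Urgency plus a request to stay on email: pressure to skip the phone call.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if "urgent" in msg.get("Subject", "").lower() and "email only" in text:
        findings.append("urgency with request to avoid voice verification")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, bec_indicators(raw))
```

None of these header checks help against mail sent from a genuinely compromised account, where every header is authentic; that case is exactly why the out-of-band verification step discussed later in the interview has to be a business process rather than a filter rule.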
John Shier, Senior Security Expert at Sophos, discusses this topic with CybersecAsia: the changing face of phishing scams, and what businesses can do to avoid falling for them and minimize the risk from BEC.
How have phishing scammers upped their game recently?
JS: Largely gone are the days of poor grammar, bad spelling and unknown brands. For some time now phishing crews have been blasting out emails that impersonate large global brands or well-known local businesses as a lure. They have also made considerable steps towards improving the quality of the messaging itself by employing local translators to ensure the emails include proper grammar, spelling and colloquialisms.
One thing that is a step beyond normal phishing is something called thread-jacking. This involves attackers using valid stolen credentials to log into an account and reply to existing conversations, often with a malicious attachment, to benefit from the implicit trust of the source. This is phishing on steroids and is often used in BEC scams.
Simple reliance on detecting a phishing email is not enough anymore. A combination of user awareness and technology is needed to combat modern phishing.
Additionally, organizations need to measure not only click rates but also reporting metrics. While click rates allow you to determine where your training efforts need to be concentrated, early reporting gives the security team a head start in investigating and hopefully containing a phishing campaign.
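The distinction drawn above between click rates and reporting metrics is easy to see in data: two campaigns can have identical click and report rates yet give the security team opposite outcomes depending on whether the first report arrived before or after the first click. The script below is an added example written for this page, not code from the article or from Sophos; the event records are constructed, and a real run would read them from the simulation platform or the mail gateway's report-button log.

```python
"""Phishing-simulation metrics: click rate, report rate and SOC head start.

Added example, not from the article or Sophos. The EVENTS list is
constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    campaign: str
    user: str
    dept: str
    kind: str       # "sent", "clicked" or "reported"
    t_seconds: int  # seconds after the campaign send time


# Constructed sample (assumption: one "sent" record per recipient per campaign).
EVENTS = [
    Event("c1", "ann", "finance", "sent", 0),
    Event("c1", "bob", "finance", "sent", 0),
    Event("c1", "cat", "eng", "sent", 0),
    Event("c1", "dan", "eng", "sent", 0),
    Event("c1", "cat", "eng", "reported", 90),     # reported before anyone clicked
    Event("c1", "ann", "finance", "clicked", 300),
    Event("c1", "bob", "finance", "clicked", 420),
    Event("c1", "bob", "finance", "reported", 480),  # clicked, then reported
    Event("c2", "ann", "finance", "sent", 0),
    Event("c2", "cat", "eng", "sent", 0),
    Event("c2", "ann", "finance", "clicked", 60),    # click long before any report
    Event("c2", "cat", "eng", "reported", 600),
]


def campaign_metrics(events, campaign: str) -> dict:
    """Summarise one campaign: overall rates, per-department click rates and
    the head start (seconds from first report to first click; positive means
    the SOC knew about the campaign before the first click)."""
    evs = [e for e in events if e.campaign == campaign]
    sent = {e.user for e in evs if e.kind == "sent"}
    if not sent:
        raise ValueError(f"no recipients recorded for campaign {campaign}")
    clicked = {e.user for e in evs if e.kind == "clicked"}
    reported = {e.user for e in evs if e.kind == "reported"}

    first_click = min((e.t_seconds for e in evs if e.kind == "clicked"), default=None)
    first_report = min((e.t_seconds for e in evs if e.kind == "reported"), default=None)
    head_start = None
    if first_click is not None and first_report is not None:
        head_start = first_click - first_report

    # Per-department breakdown tells you where training effort should go.
    dept_of = {e.user: e.dept for e in evs if e.kind == "sent"}
    per_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for u in sent:
        per_dept[dept_of[u]]["sent"] += 1
    for u in clicked:
        per_dept[dept_of[u]]["clicked"] += 1
    for u in reported:
        per_dept[dept_of[u]]["reported"] += 1

    return {
        "click_rate": len(clicked) / len(sent),
        "report_rate": len(reported) / len(sent),
        "first_report_s": first_report,
        "head_start_s": head_start,
        "dept_click_rate": {d: c["clicked"] / c["sent"] for d, c in per_dept.items()},
    }


if __name__ == "__main__":
    for c in ("c1", "c2"):
        print(c, campaign_metrics(EVENTS, c))
```

In the constructed data both campaigns score 50% clicked and 50% reported, so a click-rate dashboard alone would rate them the same; only the head start shows that c1 gave the team 210 seconds to pull the message before the first click while c2 left them 540 seconds behind it.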
How serious a problem is BEC?
JS: According to several sources, BEC is a multi-billion-dollar scam. When numbers are this high, cybercriminals tend to double down and wring as much money out of victims as possible until the scam stops working. This kind of revenue also allows cybercriminals to up their game considerably by increasing the quality of these scams.
Last year, the Pathé cinema chain was scammed out of €19 million over the course of several months. The CEO and CFO discussed the first transfer request, which instructed them to transfer more than €800,000, and considered it strange, but neither concluded that it could have been a scam. Subsequent transfer requests were also processed without question. It was only when head office contacted them about the transfers that the penny dropped.
While this example involves an enterprise and large sums of money, cybercriminals are just as likely to scam many small businesses where losses can have a greater impact.
What should enterprises be aware of to counter these threats?
JS: Knowing the threats exist is definitely a good start. The most important thing though is that organizations need to know that these threats can hit any of them at any time.
While certain highly skilled attackers do discriminate based on victim, most cybercriminals do not. Therefore, planning for and understanding the effects on your business of a cyber-attack (of any kind) will go a long way to ensuring that the response is appropriate and effective.
What tools and techniques should enterprises employ to protect against such threats?
JS: At the very least you will need technology to prevent, detect and remediate threats of all kinds, keeping in mind that certain tools are better at protecting against specific threats. For example, while machine learning is exceedingly good at detecting mass quantities of malware variants, it is unable to detect exploit-driven attacks.
Therefore, using a solution that can provide you with both will more effectively protect your business against more of today’s threats.
In the case of phishing and BEC scams, you will also need to employ non-technological means to protect your business. In the case of BEC scams, a change in business processes can detect and prevent this threat; what makes this scam so frustrating is that it can easily be avoided with a simple telephone call.
Yet most organizations that fall victim to a BEC scam do not have this process in place and therefore are unable to prevent it.
With cyberthreats evolving in sophistication, how do we stay future-ready in cybersecurity?
JS: Cyberthreats are evolving because we, the defenders, have forced the attackers to evolve. Continuous education, vigilance and adoption of innovative technology coupled with an evolving set of business procedures will continue to increase the cost to the attacker.