Phishing and spoofing: The scary state of impersonation on the web

In 2017, the FBI reported that their Internet Crime Compliance Center (IC3) received a total of 301,580 complaints related to Business Email Compromise, Ransomware, Tech Support Fraud and Extortion. These complaints were associated with over $1.4 Billion in financial loss and represent a 25% increase in financial loss over the $1 Billion reported in 2015. Sadly though, these figures are only associated with known incidents and not the potential thousands that were not reported to the FBI.
 
Just in the month of October 2018, which we are currently in, the following high-profile reports have come out:
 

  • The Henderson, Texas school district was the victim of a business email compromise (BEC) attack that resulted in the loss of over half a million dollars for the district. The district issued an electronic payment of $609,615.24 to a construction company which was overseeing work for the district. However, the construction company’s credentials had been compromised. The online payment did not go through to the construction company but rather went to a fraudulent account.
  • A grand jury in Pennsylvania indicted members of the GRU for conducting persistent and sophisticated computer intrusions against U.S. persons and corporate entities. One such attack involved creating a fake Westinghouse Electric domain and sending spear phishing emails to company employees’ work and personal email accounts, which were designed to harvest the employees’ log-in credentials.

 
There is often a lot of overlap between phishing, BEC and spoofing attacks. Our goal in highlighting how they interact in the vignettes below is not to sow fear, uncertainty and doubt. Instead, our goal is to highlight how frequent these email attacks are and how easy it is to fall victim to one of them. As such, falling for one of these schemes is not a reflection of intelligence as very bright rocket scientists in the Westinghouse scheme noted above were fooled.  We hope that by highlighting these incidents, IT leadership will be encouraged to take action to improve email security.
 

Business Email Compromise

 
Business email compromise (BEC) occurs when an attacker gains access to a corporate email account and spoofs the owner’s identity. In other instances, a criminal might also create an account with an email address that is similar to one on the corporate network. BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives.
 
According to the SEC, in 2017, BEC ranked as the top cause of estimated losses linked to any cybercrime. Business email compromises have been responsible for more than $5 billion in losses since 2013.
 

 
The FBI is deeply involved in investigating frequent BEC attacks. One recent example, Operation Wire Wire, was noted on their website in June 2018.  The fraudsters’ attack was designed to hijack wire transfers from businesses and individuals through sophisticated email scams. As a result of the FBI investigation and prosecution, 42 people in the United States and 29 in Nigeria were arrested for alleged financial fraud. The operation also resulted in the seizure of nearly $2.4 million, and the disruption and recovery of approximately $14 million in fraudulent wire transfers.
 
Unfortunately, the FBI’s actions in this sphere represent but a drop in the massive ocean of fraud.
 

Email Phishing

 
While BEC is the most lucrative form of email attack, phishing is the most common form.  There is quite a bit of overlap between BEC and phishing. Phishing emails attempt to enable the attacker to masquerade as a reputable entity in email with the goal of tricking the recipient into doing something such as clicking on a link which would lead to giving up their password or downloading malware. If the email recipient gives up their password, the phishing attempt can enable the attacker to conduct BEC.
 

 
In May of 2018, the Internal Revenue Service warned tax professionals about a new ruse in which  criminals masqueraded as state accounting and professional associations in order to send fake emails to tax professionals. Those messages asked recipients to disclose their email usernames and passwords so that they could obtain access to the tax professionals’ accounts, steal their clients’ data, and either sell this information or use it to file fraudulent tax returns.
 
Examples such as this one  occur with alarming frequency. According to statistics from 2017, 67% of organizations have received a phishing attack at an average cost of $2.7 Million per attack. Of most importance in these numbers is that companies are facing thousands of attacks throughout the year, which serves to multiply the impact of a single attack.
 

Email Spoofing

 
Spoofing attacks masquerade as legitimate messages by creating a forged sender address or header to make the email appear legitimate. These attacks will also often leverage phishing or BEC techniques to reach their goal of defrauding recipients.
 
For example, a spoofed email might forge the header and then employ phishing techniques to  encourage recipients to click on a link inside the message that. When the link is clicked, it will redirect the message recipient to a spoofed website. The goal is then to get recipient to respond to the request on the spoofed website and divulge information.
 

 
One high profile example of spoofing attempt began in December 2017, featuring email headlines claiming that Paypal “couldn’t verify your recent transactions” or that “Your payments processed cannot be completed.”  Reports noted how the links in the messages took recipients to a fake PayPal landing page. It emulated the look-and-feel of PayPal’s site, then asked unwitting victims to supply their home address and credit card information — all under the guise of stealing user’s account credentials.
 
Given that we cannot do without email, we are left wondering how we can ever be sure if our emails are secure.
 

How can we stop the imposters?

 
While the potential impact of email attacks might not surprise us, the ease with which duplicitous messages can trick high level executives  and brilliant scientists out of their user names and passwords, access codes or other important financial information should highlight the scary state of impersonation on the web. Anyone can become a victim.
 
It behooves us to find a successful way to combat this level of impersonation. Without a change in methods, attacks will continue to be successful.
 
PreVeil’s recent introduction of its Trusted Communities module ensures that high risk user groups are insulated from these types of Phishing and BEC attacks. Emails sent or received through PreVeil’s Trusted Mailbox cannot be spoofed, phished or compromised. Trusted Communities enables IT admins to build a whitelisted group from the ground up so only trusted individuals can send and receive messages from the group.
 
Scared by the challenge of securing your company’s corporate inbox? Learn how Trusted Communities can help.