Phishing The Phishers

Phishing The Phishers: This is How the Number One Cybercrime Works

By: Ronnie Tokazowski, Principal Threat Advisor & Brad Haas, Cyber Threat Intelligence Analyst

How many phish does it take to get to the sugary story of the BEC (Business Email Compromise) attack? That’s exactly what we wanted to find out.

Unlike many other types of cybercrime, BEC is a conversation-based phishing attack. Scammers simply ask users to do a favor or run an errand, and the person on the other end does just that. BEC actors can use many different pretexts to phish end users: anything from pretending to be the CEO of an organization, to asking someone to update payroll details, to asking for gift cards for an employee. While many of these tactics are already publicly known, there is still some confusion about how all these different pieces fit together.

Do people become victims after the first email or do the scammers need to have a conversation with the victim?

That’s what we set out to discover in our most recent BEC study.

Phishing The Phishers: What We Found

We wanted to engage with the scammers and understand how these conversations worked. In hundreds of email threads, we did just that. We responded to the scammers, tracked every response, and measured how many exchanges it took before we could draw different conclusions.

How likely were the scammers to respond, and how many emails did it take to elicit the final pretext?

Of the hundreds of attacks we replied to, 58% produced a response from the scammers. In the rest, the email accounts had been taken down by the service provider before we could engage, or the scammers simply never wrote back.

Of those 58% that responded, 89% of the phishers told us what they wanted after our first reply. In many cases this was a gift card request, opened with an initial pretext such as "I need you to run this urgent task" or "can you send me your phone number" and nothing else. Once we replied, the scammers revealed that the task was to go to the grocery store and buy gift cards.

There is a lot more to this study than we could fit in this blog. For the rest of our insights, here is a detailed Threat Intelligence analysis breaking down everything we discovered, including examples of emails we received from BEC threat actors and a breakdown of the webmail providers they used.

BEC Insights: The Need for Better Business Controls

Author: Tonia Dudley

In our 2022 Annual State of Phishing Report, we observed the Business Email Compromise (BEC) threat category inch up from 6% to 7% of overall threats, with the Healthcare sector still leading the way at 16%. With increased attention and speculation around BEC, otherwise known as CEO fraud, Cofense CTO & Co-Founder Aaron Higbee, BEC specialist and Principal Threat Advisor Ronnie Tokazowski, and I sat down to go in depth on our findings and insights around this threat.

One of the highlights from this webinar was a new tactic we recently observed at Cofense related to direct deposits. As the message below shows, this threat actor turns what many companies treat as a best practice, self-service updates to direct deposit information, against the organization: because employees expect these notifications, the lure is more convincing.

This is just one of many samples highlighted in the webinar. Below is a brief list of takeaways and topics discussed. You can hear the entire discussion on demand, plus register for additional annual report webinars on topics such as Secure Email Gateways and Ransomware.

Key Takeaway #1 – Evolution of the Threat

In late 2015, Cofense first wrote about BEC after our own CFO received a spoofed email from our CEO, Rohyt Belani, asking for a wire transfer. As we have continued to follow the tactics behind this threat, threat actors have, as with any other threat, constantly adjusted their templates to evade secure email gateways (SEGs) and spam filters. Many of the conversation-starter emails are quite vague and take two or three follow-up emails before the recipient is asked to carry out the desired task (for example, purchasing gift cards).

Key Takeaway #2 – Top BEC Threats for Enterprise

We dig a bit deeper into each of these topics on the webinar, but these are the top themes we have observed related to BEC.

  • Invoice Fraud – this isn’t surprising, as we continue to see it as a top theme for threat actors pursuing their primary objective: money.
  • Thread Hijacking – nothing adds more credibility for a recipient than a message that appears to be three replies deep into an existing email conversation.
  • Gift Cards – while the amounts involved tend to be small, the cost often falls directly on the employee, who is unable to get reimbursed for the purchase. Threat actors tend to choose the gift card brand based on the rate it fetches when resold for bitcoin.
  • Direct Deposit – also known as payroll diversion, where the threat actor attempts to redirect your paycheck to their bank account instead of yours.

Key Takeaway #3 – Ways to mitigate against BEC

We closed out the webinar with a few quick actions you can take to help protect your organization against this threat.

  • Education. While we advocate phishing simulation campaigns as the best way to train employees against phishing threats, BEC is harder to train for with that method. For BEC, cover the topic in your security awareness newsletters and include images of real emails observed in your organization. Sharing a real email makes the threat real to your users.
  • CEO Messaging. Make sure your users understand that your executive team is not going to ask them to buy gift cards to reward clients or family members. Include this in your New Hire Orientation (NEO) onboarding, since new employees are the least likely to be familiar with your business practices or your executive team.
  • Implement and Enforce Business Process Changes. With BEC, nearly every successful attack traces back to a breakdown in the business controls meant to prevent large sums of cash from leaving the organization.

5 Tips to Thwart Business Email Compromise (BEC) Attacks

Author: Ronnie Tokazowski

For the 7th year in a row, Business Email Compromise (BEC) is the number one cybercrime as measured by reported losses, according to the FBI IC3 Report. Topping out at an astonishing $43 billion, with victims in 177 countries and money wired between 140 different countries, it still amazes me that people are more concerned about ransomware and nation-state attacks than about murderous BEC actors killing in the name of evil spirits.

To add insult to injury, the same actors behind BEC are responsible for $100 billion in SBA fraud and $80 billion in Paycheck Protection Program (PPP) fraud. This doesn’t even begin to touch the dozens of consumer-facing crimes such as check fraud, advance-fee fraud, and romance scams, with over $223 billion now tied back to the exact same scammers.

And that’s just what we know.

Reflecting on seven years of tracking BEC, there is one major thing organizations fail to do. It has nothing to do with a shiny box, and nothing to do with buying or selling a service. It is literally reviewing what you already have.

Here’s your BEC checklist that will mitigate 80% of attacks:

  • Review your financial processes and procedures
  • Define how wire transfers, gift card purchases, and direct deposit requests work
  • Once defined, communicate & follow the process

Most BEC attacks succeed simply because a process breaks down. Someone wired money without checking whether they should, a random phone number led to gift cards being sent out, or HR made a one-time exception to update payroll via email instead of pointing the employee back to the self-service portal. The 80% solution to many types of BEC is simple: review your processes for how wire transfers, vendor master bank account updates, money orders, gift cards, and invoices are authorized and paid, and then follow them.

Here are five tips to get you started on which processes need to be updated:

  1. Maintain a list of known and trusted phone numbers to verify wire transfer requests. Call the number on your list, never the one supplied in the request.
  2. Don’t accept payroll update requests via email. Point users to the employee portal to make the change there.
  3. Establish a gift card purchasing process, and if no one needs to purchase gift cards for the company, then no one purchases gift cards.
  4. Bank accounts rarely change, so clearly define which bank accounts may be used at the beginning of any business relationship. If an account needs to be changed, define who is responsible for verifying the new account with the external party, and implement a freeze period on the account update so the bank can verify ownership details.
  5. What is the process for wiring $10,000 / $50,000 / $100,000+ out of the organization? Define and follow a multi-person process to verify transactions before money gets lost.
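To make the control breakdowns concrete, here is an added example (not code from the Cofense post or its authors) that models tips 1, 2, 4 and 5 as a small Python policy check. The trusted phone numbers, pinned vendor accounts, ten-day freeze window and approval tiers are all assumptions constructed for the illustration, as is the sample "we have changed banks" scenario at the bottom. The point it demonstrates is that verification must use data the organization already holds (the number on file, the account pinned at onboarding), never data that arrived in the request.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Reference data the organization maintains out-of-band. All values are
# constructed for this example.
# Tip 1: the only phone numbers that count for a callback. A number that
# arrives inside an email or invoice is never consulted.
TRUSTED_PHONES = {"Acme Supplies": "+1-555-0100", "CEO": "+1-555-0199"}
# Tip 4: bank accounts pinned when the relationship began.
VENDOR_ACCOUNTS = {"Acme Supplies": "GB00-ACME-0001"}
FREEZE_DAYS = 10  # hold applied to every verified account change (tip 4)
# Tip 5: approvers (other than the requester) required by amount; assumed tiers.
APPROVAL_TIERS = [(100_000, 3), (50_000, 2)]  # below 50,000: one approver


@dataclass
class AccountChange:
    vendor: str
    new_account: str
    requested_on: date
    number_dialled: Optional[str]  # the number the verifier actually called
    confirmed: bool                # did the person reached confirm the change?


@dataclass
class WireRequest:
    vendor: str
    amount: int
    account: str
    requester: str
    approvers: List[str] = field(default_factory=list)
    number_dialled: Optional[str] = None
    confirmed: bool = False


def required_approvers(amount: int) -> int:
    """Tip 5: more sign-offs as the amount rises; never fewer than one."""
    for threshold, count in APPROVAL_TIERS:
        if amount >= threshold:
            return count
    return 1


def callback_verified(party: str, number_dialled: Optional[str], confirmed: bool) -> bool:
    """Tips 1 and 4: verified only if someone dialled the number WE hold for the
    party and the person reached confirmed. Dialling a number supplied by the
    request itself proves nothing, so it fails this check."""
    return confirmed and number_dialled is not None and number_dialled == TRUSTED_PHONES.get(party)


def account_effective_on(change: AccountChange) -> Optional[date]:
    """Tip 4: a verified change becomes usable only after the freeze window;
    an unverified one never does."""
    if not callback_verified(change.vendor, change.number_dialled, change.confirmed):
        return None
    return change.requested_on + timedelta(days=FREEZE_DAYS)


def active_account(vendor: str, changes: List[AccountChange], today: date) -> Optional[str]:
    """The account payments may go to today: the pinned account, superseded only
    by a verified change whose freeze has elapsed."""
    account = VENDOR_ACCOUNTS.get(vendor)
    for change in changes:
        effective = account_effective_on(change)
        if change.vendor == vendor and effective is not None and effective <= today:
            account = change.new_account
    return account


def evaluate_wire(req: WireRequest, changes: List[AccountChange], today: date) -> List[str]:
    """Return every control that fails; an empty list means the wire may be released."""
    problems = []
    expected = active_account(req.vendor, changes, today)
    if expected is None:
        problems.append("unknown vendor: no account was pinned at onboarding")
    elif req.account != expected:
        problems.append(f"account {req.account} is not the account on file ({expected})")
    needed = required_approvers(req.amount)
    distinct = {a for a in req.approvers if a != req.requester}
    if len(distinct) < needed:
        problems.append(f"{req.amount:,} needs {needed} approver(s) besides the requester, got {len(distinct)}")
    if not callback_verified(req.vendor, req.number_dialled, req.confirmed):
        problems.append("no confirmed callback to the trusted number on file")
    return problems


def accept_payroll_change(channel: str) -> bool:
    """Tip 2: direct-deposit changes are made in the employee portal, never by email."""
    return channel == "employee_portal"


# Constructed scenario: a "we have changed banks" email arrives on 1 March with a
# new account and a contact number; a 60,000 invoice quoting that account follows
# on 4 March, and the clerk dutifully calls the number printed in the email.
EMAIL_CHANGE = AccountChange("Acme Supplies", "GB99-NEWB-0001", date(2022, 3, 1),
                             number_dialled="+1-555-0666", confirmed=True)
INVOICE = WireRequest("Acme Supplies", 60_000, "GB99-NEWB-0001", requester="ap.clerk",
                      approvers=["ap.clerk", "controller"],
                      number_dialled="+1-555-0666", confirmed=True)

if __name__ == "__main__":
    for problem in evaluate_wire(INVOICE, [EMAIL_CHANGE], date(2022, 3, 4)):
        print("BLOCKED:", problem)
    print("payroll change by email accepted?", accept_payroll_change("email"))
```

Run as a script, the constructed invoice is blocked three times over: the account does not match the one on file (the email's change never cleared verification), a 60,000 wire needs two approvers besides the requester but has one, and the "callback" went to a number the attacker chose. The same wire passes only once the change has been confirmed on the trusted number, the freeze window has elapsed, and two other people have signed off.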

While updating processes won’t cover every single BEC use case, the vast majority of attacks can be thwarted with these simple changes. Is it better to spend a week on the boring work of reviewing your processes and procedures, or to become an unhappy part of the $223 billion statistic?

If you want to learn more about BEC statistics that we observed in 2021, as well as ways to mitigate this attack, sign up for our next webinar focused solely on BEC attacks.