Business email compromise (BEC) attacks have become the most lucrative form of cybercrime for increasingly meticulous, strategic criminals – and forthcoming changes in Australian banking settlements will turn local businesses into globally appealing targets, a security executive has warned.
The changes – which from January will see banking settlements completed in near real-time thanks to the Reserve Bank of Australia’s New Payments Platform (NPP) – will remove settlement delays that have, in cases such as that of Mattel, saved numerous companies from losing millions because they can cancel transfers to BEC fraudsters before the money is lost.
Once money can move from one bank account to another within 15 seconds, as it will be under the NPP regime, it can easily be moved into dummy accounts and disappear before victims even know they’ve been taken for a ride, warns Tim Bentley, ANZ managing director of security firm Proofpoint.
“Without any question, the most lucrative type of cybercrime for actors is Business Email Compromise,” Bentley explains. “They make more money doing this than anything else – and they’re all money-motivated, so you can expect cybercriminals to have huge innovation around this area. They will get more and more sophisticated, and at a more rapid pace.”
Figures reported to the Australian Cybercrime Online Reporting Network (ACORN) suggested that Australian businesses had lost more than $20m due to BEC attacks during 2016-17 – up from $8.6m the year before. In the US, the FBI’s Internet Crime Complaint Center (IC3) has pegged the problem at more than $US5 billion since January 2015.
These figures are likely only the tip of the iceberg, since losses are self-reported and under-reporting is common. But they give an idea of the extent of a fast-growing problem that, Bentley says, is being facilitated and even encouraged by poor education about BEC and by oversharing on social media by employees and executives who never suspect they might be targeted by fraudsters.
“The whole point is that malicious actors are targeting human weakness and the trust employees place in email communication,” Bentley explains. “It is identity deception at its best: these emails are highly targeted and very well-researched to look incredibly legitimate.”
“They typically come from someone with authority within the organisation, asking a colleague to action an often-urgent request, whether it’s paying a supplier invoice, making a wire transfer or sending confidential information. It is devastatingly efficient.”
The Australian Cyber Security Centre (ACSC) Threat Report 2017 relays the series of events that led to one Australian company losing over $US500,000 ($A631,500) to BEC fraudsters.
In this case, the adversary posed as both the CEO and COO of a large business. The first email came from the CEO, asking the financial controller to perform a wire transfer while he was travelling for work and unable to be contacted for verification. A second email, allegedly from the COO, was sent to the same financial controller with a doctored email chain that appeared to substantiate and approve the transfer.
In other cases, user credentials were stolen and used to temporarily set up email filtering rules that forwarded legitimate invoices from clients and contractors to the bad actor’s accounts. The invoices were then altered to carry different bank details, or formal change-of-banking-detail notices were sent to the target company.
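The forwarding-rule tactic just described is one that a defender can look for in mailbox rule exports. The following is an added example (not code from the article, Proofpoint or the ACSC) that scores rules for the diversion pattern: forwarding to an external domain, selecting financial mail by subject, and deleting the original so the owner never sees it. The rule records, field names and domains are constructed placeholders; a real export would need to be mapped onto these fields.

```python
"""Flag mailbox rules that silently forward invoice mail off-domain.

Added example (not the article's or any vendor's code). The rule records
are constructed and only mimic the fields a rule export might contain;
the field names are assumptions, and the domains are placeholders.
"""

INTERNAL_DOMAINS = {"corp.example"}
SENSITIVE_TERMS = {"invoice", "payment", "remittance", "bank"}

# Constructed rule export for two mailboxes at the hypothetical corp.example.
SAMPLE_RULES = [
    {"mailbox": "ap@corp.example", "name": "Vendor invoices",
     "subject_contains": ["invoice"],
     "forward_to": ["drop@mail-drop.example"], "delete_original": True},
    {"mailbox": "ap@corp.example", "name": "Newsletters",
     "subject_contains": ["newsletter"],
     "forward_to": [], "delete_original": False},
    {"mailbox": "ceo@corp.example", "name": "Copy to assistant",
     "subject_contains": [],
     "forward_to": ["assistant@corp.example"], "delete_original": False},
]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def rule_findings(rule: dict) -> list:
    """Return the reasons a rule looks like the invoice-diversion pattern."""
    findings = []
    external = [a for a in rule.get("forward_to", [])
                if domain_of(a) not in INTERNAL_DOMAINS]
    if not external:
        return findings  # internal-only forwarding is routine
    findings.append("forwards to external address: " + ", ".join(external))
    hits = [t for t in rule.get("subject_contains", [])
            if t.lower() in SENSITIVE_TERMS]
    if hits:
        findings.append("selects financial mail by subject: " + ", ".join(hits))
    if rule.get("delete_original"):
        findings.append("deletes the original, hiding the diversion from the owner")
    return findings


def audit_rules(rules: list) -> dict:
    """Map (mailbox, rule name) -> findings for every rule worth reviewing."""
    report = {}
    for rule in rules:
        findings = rule_findings(rule)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report


if __name__ == "__main__":
    for (mailbox, name), reasons in audit_rules(SAMPLE_RULES).items():
        print(f"{mailbox} / {name}")
        for reason in reasons:
            print("  -", reason)
```

Only rules that forward externally are reported at all, so the assistant-copy rule stays quiet; the vendor-invoice rule trips all three checks. In practice the same logic belongs in a scheduled job over newly created or modified rules, since the article notes the rules are set up only temporarily.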
Whatever the tactic, BEC attacks represent a significant threat for any company. By using a multi-factorial attack – leveraging all kinds of information about the target’s whereabouts, movements, holiday patterns, or special interests – fraudsters can paint a convincing reason why their victims should comply. Once that has happened and payments are transferred using NPP, the money may well be as good as gone.
Technological assistance.
Despite the ubiquitous threat from BEC, many companies have yet to formalise their employee and executive education about the problem. Fewer still are setting up formal programs to test their staff’s ability to pick up on BEC-styled emails – a glaring omission given that a recent Proofpoint survey found that 75 percent of the more than 5,000 surveyed enterprises had blocked at least one BEC attempt during the last quarter of 2016.
Because BEC relies heavily on spoofing of an authorised executive’s online identity – two-thirds of the BEC attacks against surveyed companies spoofed a legitimate email address – one significant step to fight such attacks is to implement Domain-based Message Authentication, Reporting & Conformance (DMARC) anti-spoofing capabilities, which impose filtering and acceptance policies on incoming email.
DMARC has proven highly effective at blocking incoming fraudulent emails, but longer-than-expected implementation times have seen few Australian businesses actually complete their rollouts. A recent audit of ASX 100 companies found that just 27 had adopted some form of DMARC – and of those, 23 were running in a ‘monitor’ mode that does not actually block mails but tags those with suspicious provenance.
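The distinction the audit draws, between a DMARC record that only monitors and one that actually enforces, is visible in the published DNS TXT record. The following added example (not from the article or the audit it cites) parses a DMARC record and classifies it: p=none is monitor-only, p=quarantine or p=reject enforces, and a pct below 100 or a weaker subdomain policy (sp=) leaves a partial gap. The sample records and domain names are constructed.

```python
"""Classify a DMARC TXT record as enforcing, partial, monitor-only or invalid.

Added example, not from the article or Proofpoint. The sample records
below are constructed; the domains are placeholders.
"""

# Policies that make receivers act on a message failing DMARC.
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag->value dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def classify_dmarc(record: str) -> str:
    """Return 'enforcing', 'partial', 'monitor-only' or 'invalid'."""
    try:
        tags = parse_dmarc(record)
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ENFORCING:
        return "monitor-only"  # p=none: aggregate reports only, nothing is blocked
    if pct < 100:
        return "partial"  # policy applied to only a sample of failing mail
    # sp= governs subdomains and defaults to p=; a weaker value leaves a gap
    if tags.get("sp", policy).lower() not in ENFORCING:
        return "partial"
    return "enforcing"


# Constructed records for hypothetical domains.
SAMPLE_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "broken.example": "v=spf1 include:_spf.example -all",
}


def audit(records: dict) -> dict:
    """Classify every (domain, record) pair in the mapping."""
    return {domain: classify_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_RECORDS).items():
        print(f"{domain:20} {verdict}")
```

A real audit would fetch `_dmarc.<domain>` TXT records from DNS and feed them to `audit`; the classifier is deliberately strict, so a record that enforces on the organisational domain but not on subdomains is reported as partial rather than enforcing.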
Other tools are applying email filtering, scoring, and machine learning (ML) approaches to more intelligently pick up on the tell-tale signs of BEC emails, which are often written in perfect English, look legitimate and carry no payload. Keywords like ‘payment’ were found in 30 percent of the subject lines of BEC emails, while ‘request’ (21 percent), ‘urgent’ (21 percent), ‘greeting’ (12 percent), and ‘FYI’ (5 percent) were also frequently observed.
By learning patterns in the usage of these and other words, intelligent systems can flag potentially fraudulent emails with increasing accuracy. They may also incorporate additional factors that correlate with the likelihood that an email is a BEC attack: for example, Proofpoint’s Human Factor Report found that emails with malicious attachments spiked on Thursdays and were all but absent on Sundays.
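A heuristic scorer of the kind described above can be sketched in a few dozen lines. The following added example (not the article's, nor Proofpoint's, code) combines the subject keywords reported above with two identity-deception checks the article mentions: a display name that belongs to a known executive but sits on a foreign address, and a Reply-To that diverts replies away from the From address. The keyword weights, the executive directory, the threshold and the two sample messages are all constructed for illustration, not taken from the report.

```python
"""Score e-mails for BEC indicators: subject keywords, display-name
spoofing and Reply-To mismatch.

Added example, not the article's or Proofpoint's code. The weights,
directory, threshold and messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Subject keywords the article reports as common in BEC mail; the weights
# are chosen here as an illustration and are not derived from the report.
SUBJECT_KEYWORDS = {"payment": 3, "request": 2, "urgent": 2, "fyi": 1}

# Constructed directory: lower-cased display name -> the address really used.
KNOWN_EXECUTIVES = {"jane ceo": "jane.ceo@corp.example"}


def score_message(raw: str) -> tuple:
    """Return (score, reasons) for one RFC 822 message given as text."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    subject = (msg.get("Subject") or "").lower()
    for word, weight in SUBJECT_KEYWORDS.items():
        if word in subject:
            score += weight
            reasons.append(f"subject keyword '{word}'")

    # Display-name spoofing: the name of a known executive on another address.
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        score += 5
        reasons.append(f"display name '{name}' but address {addr}")

    # Reply diversion: replies go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        score += 3
        reasons.append(f"Reply-To {reply_to} differs from From")

    return score, reasons


def is_suspicious(raw: str, threshold: int = 8) -> bool:
    """Threshold is an illustrative setting, not a recommended value."""
    return score_message(raw)[0] >= threshold


# Constructed messages; every domain is a placeholder.
SAMPLE_FRAUD = """From: Jane CEO <jane.ceo@corp-example.invalid>
Reply-To: jane.ceo.travel@mail-drop.example
To: finance@corp.example
Subject: Urgent payment request

Travelling and cannot take calls. Please settle the attached invoice today.
"""

SAMPLE_LEGIT = """From: Jane CEO <jane.ceo@corp.example>
To: finance@corp.example
Subject: Board pack for Thursday

Agenda attached, see you Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        score, reasons = score_message(raw)
        print(label, score, reasons)
```

The fraudulent sample accumulates 7 points from its subject line alone, then 5 for the spoofed display name and 3 for the diverted Reply-To; the legitimate board-pack mail scores nothing. A production system would replace the hand-picked weights with a trained model, which is the step the article attributes to ML-based tools, but the features are the same.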
Australian users, Bentley added, are often targeted by northern-hemisphere scammers who try to time message delivery so that mail lands in inboxes at the start of the Australian working day, when it is read and quickly acted upon. If transfers are effected urgently, the money could be gone by lunchtime.
The human factor.
Ultimately, the success of BEC attacks reflects scammers’ ability to exploit weaknesses in humans who should rightfully be more sceptical about transactions involving large amounts of money. However, the spoils of social-media scanning and long-term monitoring of a target’s movements help criminals present a convincing front, which is why they continue to succeed in exploiting those weaknesses.
To avoid this, says Bentley, companies need to run regular employee awareness training – not only around cybersecurity issues, but around issues of financial governance and business processes, so employees understand how they may be targeted by online scammers.
Companies should also tighten approvals processes for large payments, implement delays on transaction fulfilment, require phone verification from executives approving financial transactions, add controls around processes such as changes to supplier account details, and tighten any other control that could be exploited to ill effect.
“We often rely on our gut instincts to spot that something is not quite right,” Bentley says – for example, noticing that a normally polite employee never says ‘thank you’ in an email, or that an email has come out of the blue from people you don’t normally interact with. “However the level of sophistication behind BEC emails is so high, the clues that are left behind need a magnifying glass to find them,” he explains.
With NPP closing the window to potentially cancel a fraudulent transaction before it’s discovered, businesses will need to be ever more vigilant for human-targeted scams well before any money changes hands.
“With NPP being introduced at the end of January,” Bentley says, “we will know very quickly what the coming months will look like. But Australia is trusting, affluent, and English speaking – which is why we may become the lowest apple on the tree for criminals to pick.”