Page 25 - CRF News 1Q 2018

Beyond Basics: Impostor Email Attacks
In 2015, the FBI first warned about the growing trend around business email compromise following an attack that made headlines when an accountant with a large enterprise wired $480,000 to an account in China after “receiving an email from the CEO.” Nearly two years later, the FBI named BEC as one of four “Hot Topics,” and it reported more than $5.3 billion in losses due to BEC – impacting more than 40,000 organizations around the world.
The success of these attacks is based on the simplicity of the email that is sent. Unlike the broad blast “campaigns” that rely on “one in a million” success odds, impostor emails are highly targeted, well-researched and expertly crafted: simple email messages that appear to come from the CEO or another authority, sent to an employee who has been researched and selected based on his or her role in the company.
Often, these emails include none of the hallmarks of a traditional phishing campaign – their simplicity and low volume render most email security infrastructure useless. In addition, training employees to avoid these kinds of attacks is not sufficient on its own, as the quality of the emails makes them difficult for even experts to detect, and training results diminish over time. The emails are typically text only – one or two lines – and appear to come from the CEO or some other authority. Examples include:
• “Please send me your collections account list – along with contact details. We are meeting with our auditors and I need the latest numbers this morning.”
• “I need you to pay Acme ASAP or their delivery will not come on time. Here is the amount, account number and sort code for processing.”
• “Kindly send me the employee W2s for the 2015 tax year for review this morning. Thank you.”
In each case, there is a simple request and a sense of urgency from a person in a position of authority. The perpetrator will often make it clear that the executive will be unavailable to talk – and may even engage in an email dialogue with the employee – keeping replies very short. Of course, impostor types can be more than just internal executives – in some impostor schemes, the email can appear to come from a customer, partner, vendor or other fake identity that looks legitimate.
How does the threat actor accomplish this? First, with careful research on the players – these attacks are often targeted at one person or a small team. Second, with technology know-how. In some cases, the perpetrator “spoofs” the authority figure’s name and/or email address – the “From” and “Reply-To” fields look correct in the body of the message, but when the recipient hits the reply button, the message goes to an outside email address. In other cases, the names/emails look VERY similar, but are actually one character off from the correct address – so close that the small anomaly might not be noticed. And finally, there is the actual compromised email account – one where perpetrators have stolen the credentials to an account, and maybe even customer lists, and are reaching out directly.
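The first two techniques above (a Reply-To that leaves the organization, and a lookalike address one character off) leave traces in the message headers that a mail gateway or triage script can flag before a human ever reads the body. The following is an added example, not code from the article or from the Credit Research Foundation; the sample message, the trusted domain list and the executive directory are all constructed placeholders.

```python
import email
from email.utils import parseaddr

# Constructed sample: the CEO's display name, a domain one character off
# ("examp1e" for "example"), and a Reply-To pointing at an outside mailbox.
SAMPLE_MSG = b"""From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: "Jane Doe" <jane.doe.ceo@mail-outside.net>
To: accounts@example.com
Subject: urgent payment
Date: Mon, 05 Feb 2018 09:12:00 -0500

Kindly process this payment before noon. I am in meetings all day.
"""

# Assumed organization data (placeholders, not from the article).
TRUSTED_DOMAINS = {"example.com"}
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def levenshtein(a, b):
    """Edit distance; a cheap way to spot one-character-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw, trusted_domains=TRUSTED_DOMAINS, executives=KNOWN_EXECUTIVES):
    """Return the impostor indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower() if reply_addr else from_dom
    findings = []
    if reply_dom != from_dom:  # replies would silently leave the organization
        findings.append("reply_to_mismatch")
    if from_dom not in trusted_domains and any(
            levenshtein(from_dom, d) <= 2 for d in trusted_domains):
        findings.append("lookalike_domain")  # not ours, but within two edits of ours
    expected = executives.get(name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display_name_impersonation")  # known name, wrong address
    return findings


if __name__ == "__main__":
    print(check_message(SAMPLE_MSG))
```

The third technique, a genuinely compromised account, produces clean headers and an empty finding list here, which is why the out-of-band verification in the tips below remains necessary.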
Protect your Organization
While impostor emails can be very difficult to detect, it isn’t impossible – and a combination of technology and training is critical. Ensure that your company embraces a culture where it is okay to question email requests.
Four Tips for Employees:
1. When an incoming request is both urgent and important, take a moment. Call a manager or the executive directly – do not call a number included in the email. Verify the request directly. Don’t trust the display name or the email header.
2. Trust your instincts. Often, employees admit afterwards that something “didn’t feel quite right.” Tell your team that they should listen to any warning bells – and take a moment to look for anomalies or telltale differences in a message. Spelling mistakes, unusual or vague wording, and even oddities in the email signature are all flags that something is amiss. Contact a direct manager or the executive in person or by phone.
3. Inspect the email, but don’t click on links or attachments. Links and documents in emails can include malware. Verify the sender first.
4. If you do click on a link or engage in a fraudulent email, contact your manager immediately. A breach is a critical event, and your IT security team will need to get involved. Do not log onto any company database or other system where data could be stolen. There are instances where transactions can be stopped or reversed if the financial institution is alerted in time.
©2018 Credit Research Foundation