Messaging scams that try to trick employees into performing risky transactions continue to dog organizations.
In a report released today, Trustwave said a category of cons called business email compromise (BEC) scams followed a historical trend by jumping in January and February before settling down.
More importantly, attackers have come up with a new tactic: Instead of sending an email purporting to be from an executive and asking for action — paying a supposed invoice or changing payments to be made to a bank account controlled by the threat actor — the message asks the employee to email a supposed staffer of a company. It’s a way of convincing the victim of the legitimacy of the message.
For example, the first email sent by the supposed executive tells the employee that a representative from a financial company is requesting payment for an unpaid invoice. The employee is told someone from that company will be emailing them. It’s not uncommon for this first message to use the real name of that contact person.
The second email the employee gets is from the supposed contractor/supplier/partner and repeats the request for payment of the overdue invoice. A variation of this scheme has the supposed employer telling the employee to contact the other company (by email, of course).
“To make the scam appear legitimate,” notes Trustwave, “these emails contain specific information such as an invoice number and date of scheduled payment. They are also longer in content and written in a professional manner, unlike traditional BEC emails. The vendor representative names are real employees of the financial institutions that the scammers use in their invoice fraud scheme.”
One clue the message is a scam: It comes from a free email service like Gmail. In the first half of this year, 84 per cent of BEC messages detected by Trustwave came from free webmail addresses.
BEC uses different bait topics to gain the attention of their victims, the report says. These include
- payroll diversion, where the target is asked to change the sender’s bank account, payroll, or direct deposit information. Almost half of the BEC scams detected by Trustwave in the first half of this year were in this category;
- request for contact, where the target is asked to forward their mobile number or personal email address. Then the scammer moves the conversation to mobile or WhatsApp where it is more likely to evade detection;
- task, where the target is told something has to be done urgently;
- availability, very short emails asking if the victim is available for a follow-up message;
- gift purchase, where an employee is asked to buy a gift card or cards for an occasion (a staff member’s birthday or the office Christmas party;
- wire transfer, where the staffer is told to send money in a wire transfer;
- and a request for a copy of a corporate document that has sensitive data (for example, the executive needs a list of employees and their Social Security numbers).
Regular employee security awareness training is one way these and similar scams can be blunted.