SAN FRANCISCO – The email the secretary received from her boss, the CEO, was ordinary enough:
I need you to transfer money to this account. I’m going to be away at my daughter’s soccer game this weekend so will be hard to get hold of, but please make sure this is done by the end of day.
Except it was a fraud, part of a campaign by a gang that took some Texas energy companies to the cleaners for some US$3.2 million.
The “CEO” hadn’t sent the message. His account had been hacked. And the little touch about his daughter? That came from reading the executive’s Facebook page.
This is the so-called business executive compromise (BEC) scam, increasingly being used with considerable success.
According to a presentation Thursday at the RSA Conference here, BEC attacks are number one on the list compiled by Internet Crime Complaint Centre. In 2017 there were 300,000 complaints and losses of US$1.4 billion.
“It’s very lucrative, easy to launch, there’s little risk of being caught – and they work,”Anne Connell, a cyber security engineer at the Carnegie Mellon software institute’s computer emergency response team (CERT).
What’s worrying, she added, is that in addition to targeting large companies, gangs are now going after small and mid-sized firms.
Targeted staff are those who regularly transfer money. How do criminals know who to target? Extensive online research. How do they know so much about the CEOs they impersonate? Extensive online research, often leveraging stolen usernames and passwords bought on underground forums.
Then, using a range of tools, they find out personal information from social media sites – where you might find tidbits like birthdays, hobbies and names of children. Sometimes, because of lax security settings, that info is sitting in plain sight.
Note that it isn’t uncommon for the “CEO” to try to cultivate a relationship with the target before making the transfer request. Nor is it uncommon for the gang to pretend to be both the “executive” and a vendor who is owed money to be paid for a phony invoice.
Nor is it uncommon for a gang to use the scam several times on an unsuspecting employee until the company catches on.
Google and Facebook were reportedly victimized to the tune of US$100 million in 2017. Most of the money was apparently recovered.
The work of the Texas gang, known by the FBI as “Clovis,” after the middle name of the Nigerian-based man who crafted the emails, was relatively simple. For one thing the target companies were chosen almost by luck: Clovis needed an area in the U.S. that was serviced by direct flights to Nigeria. By comparison, what is known by law enforcement as Operation Wire Wire, was more sophisticated, with an international gang of 30 in several countries – including Canada –– who had researched a group of target companies.
The thing is, said Connell, it’s not hard to reduce the odds of these attacks being successful. Employees should not be the first – or last – line of defence, she said.
On the technology side, IT should look into the possibility of using email protocols such as DMARC, SPF (sender policy framework) and DKIM (domainkeys identified mail) to authenticate email and eliminate the possibility of address spoofing.
For organizations using cloud email providers, look into ways they can help.
Another tech response is to change the colour of internal email so it is easily distinguishable from externally-sourced mail (For example, mail with red-coloured text can’t be from an executive).
Of course, security awareness training plays a big role in reducing the odds of BEC attacks, Connell said. That means not only teaching staff to not click on attachments and links, but also to watch for warning signs of a scam. These include messages late on Fridays asking for money to be transferred, and messages saying the transfer is urgent.
If staff need to phone someone to verify a message, use a known phone number, not one in an email.
Finally, basic cyber hygene is needed: Staff have to be trained to either put a little personal information online as possible and to lock down privacy settings on social media sites.
And email and social media accounts have to be protected with strong passwords and multi-factor authentication.