Why Are We So Stupid About Security?FBI: $2.3 Billion Lost to Simple Business Email Compromise Scams
The continuing success of attackers stealing billions of dollars from organizations is a sad commentary on the state of corporate security practices as well as our collective lack of cybersecurity smarts (see The Evolving Hacker Mantra: Simplicity).
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
How else can you react to a recent FBI alert warning that there's been an alarming increase in business email compromise scams? Also known as masquerading schemes, man in the email attacks or CEO fraud, these scams involve criminals trying to trick firms into wire transferring corporate funds into attacker-controlled accounts by impersonating a CEO or other executive (see Business Email Fraud: Who's Liable?).
"Will the FBI's alert help stop these attacks? ... Don't hold your breath."
The combination of easy and lucrative attacks means that - surprise - more and more criminals are lining up to execute these types of scams.
Indeed, the FBI's alert cites $2.3 billion in related, reported losses from October 2013 through February 2016. In the same time frame, law enforcement agencies globally counted 17,642 victims across all 50 U.S. states as well as 79 other countries (see 13 Scenes from an Irish Cybercrime Conference). And since January 2015, the FBI says, the reported number of victims has nearly tripled.
"The schemers go to great lengths to spoof company email or use social engineering to assume the identity of the CEO, a company attorney or trusted vendor," according to the FBI's alert. "They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy."
Scam: Trick the Money Movers
Various versions of the scam target companies large and small, the FBI says, as well as across industries and sectors, from the largest not-for-profits to the smallest enterprises. But firms that work with foreign business partners or suppliers, or which "regularly perform wire transfer payments," are especially frequent targets, the bureau says.
Will the FBI's alert help stop these attacks? Based on the number of cybersecurity alerts that the bureau has already issued - and our collective failure to stop cyberattacks - don't hold your breath (see Biz Email Fraud Could Hit $1 Billion).
That's despite the fact that as far as "cybersecurity attacks" go, these business email compromises are about as low-tech as you can get. And the lure of an easy payday keeps these attacks coming. Wireless networking technology provider Ubiquiti, for example, fell for one such scheme, and lost $46.7 million as a result.
Ready, Set, Plan Ahead
Thankfully, low-tech attacks frequently have low-tech solutions. Indeed, one related defense that I heard multiple information security professionals suggest at this year's RSA Conference in San Francisco is deceptively simple: Think ahead. In particular, many firms have now created security policies that spell out exactly how wire transfers will be handled. That involves using multiple stages of sign-offs - to help spot any social engineering attacks that might have tricked an employee - as well as preapproved communications channels specifying how such transfers will be commissioned, triple-checked and ultimately approved.
In some cases, attackers will attempt to infiltrate systems and move the money themselves, without trying to trick an insider. That appears to be what happened with the recently disclosed attack against Bangladesh Bank, in which attackers obtained the bank's payment-transfer codes and successfully moved nearly $100 million out of its account at the Federal Reserve Bank of New York.
But with criminals reportedly making oodles of money via much simpler business email compromise scams, in many cases they don't need to bother with these types of more sophisticated attacks (see I Believe in Cybercrime Unicorns). And until businesses put processes and training in place to help prevent employees from falling for these attacks, why would most attackers bother with anything more complicated than simple trickery?