To avoid a costly social engineering attack, employees often need to spot suspicious emails before hackers request sensitive information or access.
Cofense Intelligence released new research on Thursday which showed that most business email compromise (BEC) scams can be thwarted in their initial stages when the attackers do not ask for money or a transfer of funds. The cybersecurity vendor analyzed hundreds of BEC emails sent to customers in March and April, and engaged with threat actors in about half of the cases.
The company found that only 36% of attackers seeking to carry out fraudulent attacks began with a cordial greeting and a request for money, gift cards, or confidential payment information. Most BEC scams, according to Cofense, attempt to slowly build trust over multiple email exchanges with the target and lure them in with common phrases like “sorry to bother you.”
“Once they realize they can get money out of you, they’ll do whatever they can to get you dry,” Ronnie Tokazowski, Cofense’s lead threat advisor, told SearchSecurity. “For many scammers, this becomes a literal hustle, where they’ll quickly switch to other withdrawal methods. Just because something starts with a wire transfer doesn’t mean they won’t ask you to send money via cryptocurrency, gift cards, a check, or use your personal Venmo or PayPal to send them money.”
BEC scams, a common trick among fraud groups, rely entirely on social engineering rather than technical exploits. Hackers usually pretend to be a trusted executive or partner and ask employees to redirect payments to a bank account controlled by the fraudster.
“For BEC threat actors, there are certain advantages to hiding the details of their scheme at first,” Cofense noted in its report, titled “BEC: Costliest Email Threat Tactics and Trends.”
“Getting answers from an intended victim can help the threat actor build rapport, identify other targets, and gauge how much they can steal.”
Using real attack data, Cofense said its team found that most BEC attackers opted for a soft opening and didn’t ask employees for money. Rather, the criminals sought to elicit an emotional reaction from the targets before giving instructions for payment.
In one example, a scammer posing as the CEO pretended to be busy in a meeting and, in subsequent messages, told the target to pay staff a “bonus” in the form of gift cards. The emails grew increasingly aggressive as the scammers grew impatient with the target.
For most scammers, the intent was to embezzle internal payroll: the attacker would instruct the target to redirect employee paychecks to other accounts. Next came gift card scams, in which the attackers try to trick the target into handing over money in the form of gift cards, which can easily be laundered for cash.
While social engineering attacks can be difficult to filter out, there is a dead giveaway that admins can point out to end users: attackers overwhelmingly use free webmail services rather than corporate accounts to carry out their attacks.
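A simple screening rule for the indicator described above, added here as an illustration and not taken from the Cofense report: it flags a sender whose display name matches a staff member while the mailbox sits on a free webmail domain. The webmail list, the example.com domain, the staff name and the two sample messages are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed list of common free webmail domains (an assumption; a real
# deployment would maintain its own list).
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
# Hypothetical organisation: its mail domain and the display names of staff a
# BEC actor would most plausibly borrow.
CORPORATE_DOMAIN = "example.com"
PROTECTED_DISPLAY_NAMES = {"jane doe"}


def _normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def assess_sender(raw_message: str) -> dict:
    """Score a raw RFC 5322 message on the free-webmail BEC indicator."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    freemail = domain in FREE_WEBMAIL_DOMAINS
    # A staff display name arriving from outside the corporate domain is the
    # classic BEC pattern: the name builds trust, the mailbox is the actor's.
    impersonates_staff = (_normalise(display_name) in PROTECTED_DISPLAY_NAMES
                          and domain != CORPORATE_DOMAIN)
    if freemail and impersonates_staff:
        verdict = "high"
    elif freemail or impersonates_staff:
        verdict = "medium"
    else:
        verdict = "low"
    return {"display_name": display_name, "domain": domain,
            "freemail": freemail, "impersonates_staff": impersonates_staff,
            "verdict": verdict}


# Constructed sample messages: a soft-opening BEC lure and a legitimate note.
LURE = ("From: Jane Doe <jane.doe.office@gmail.com>\n"
        "To: accounts@example.com\nSubject: Quick favour\n\n"
        "Sorry to bother you, are you at your desk? I'm stuck in a meeting.\n")
LEGIT = ("From: Jane Doe <jane.doe@example.com>\n"
         "To: accounts@example.com\nSubject: Q2 budget\n\n"
         "Attached is the revised budget.\n")

if __name__ == "__main__":
    for m in (LURE, LEGIT):
        print(assess_sender(m))
```

The rule is a triage signal, not a verdict on its own: a legitimate contractor on Gmail scores "medium", which is exactly the case for the out-of-band verification process the article goes on to recommend.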
“Unlike the threat actors behind phishing and malware campaigns, BEC threat actors cannot simply send an email and hope the targeted user opens it,” Cofense said. “Since they want two-way communication with the user, they need email accounts that can send and receive reliably, rather than send-only tools such as mass mailing scripts based on the Web.”
The report notes that the FBI’s Internet Crime Complaint Center (IC3) reported that BEC scams cost businesses $43 billion between 2016 and 2021. Earlier this year, the IC3 issued an alert warning that BEC scams were spreading to virtual meetings.
Tokazowski told SearchSecurity that when it comes to stopping phishing and BEC attacks, end-user training is critical, and training is best applied early on and in a low-stress situation.
“When it comes to corporate email compromise attacks, it’s critical to ensure that processes and procedures have kill guards in place to verify that a request is legitimate,” Tokazowski explained. “Having this conversation before a phishing attack happens is key, because everyone is stressed during a live incident, and very often things will be missed.”