Australian Accountant Arrested for Role in Business Email Compromise Schemes

For more than a decade, one of the most persistent and successful types of online fraud has been the business email compromise (BEC) scheme.  BEC schemes typically involve two phases: (1) the use of phishing or hacking techniques to obtain identifying information about executives in a particular business or other organization; and (2) the use of “social engineering” techniques to persuade someone with appropriate authority in that business to issue and send checks to scheme members, or make outbound wire transfers to bank accounts that members of the scheme have established.  BEC schemes are also often linked to other types of online fraud directed at individuals, such as romance schemes, employment-opportunity schemes, and lottery schemes.

BEC schemes have proved fairly simple and highly profitable for cybercrime operations.  The APWG’s most recent quarterly report on phishing schemes stated that the average wire transfer attempt in BEC attacks is increasing, from $54,000 in the first quarter this year to $80,183 in the second quarter – a 48.4 percent increase.  One particular Russian BEC operation reportedly has sought an average of $1.27 million from its corporate victims.

For the most part, participants in BEC schemes, based on information from a limited number of U.S. criminal investigations, appear to range in age from mid-twenties to mid-forties.  A recent arrest by police in the Australian state of Queensland, however, shows that older persons may also become involved in BEC schemes.

In this case, Queensland police arrested a 65-year-old Brisbane accountant on charges of money laundering, for her role in a series of BEC schemes in which at least seven organizations and individuals, including senior care providers and a superannuation (pension) fund, were deceived into sending more than AU$3.3 million offshore.  One victim reportedly lost AU$1.1 million.

According to the police, the accountant, who had no relation to the victims, received her instructions online from hackers.  She allegedly caused fraudulently obtained funds to be transferred into at least 50 Australian bank accounts before she directed the money offshore.  A police search found a number of computers and mobile phones that she allegedly used to facilitate money laundering.

While there has been no trial or conviction in this particular case, the initial report of the arrest provides a timely reminder of key points that businesses and individuals should bear in mind to protect themselves against BEC schemes:

  • Never give out personal or company information to any caller when you don’t know the caller.
  • Just because an incoming email purports to come from a person in authority, such as a senior executive in your company, does not mean that it actually came from that person.  Hovering over the incoming email address with your mouse or touchpad, or pressing “reply” (without actually sending a reply) to that email address, can reveal the true address of the sender.
  • The fact that a caller’s voice sounds like he or she could be a real person within a company tells you nothing about whether he or she is that real person.  Trust only the voices of people you know personally.  To protect itself from possible BEC schemes, the company should establish points of contact with the third parties or vendors with which it regularly deals, to allow voice-to-voice communications regarding requests for outbound funds transfers.
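
The sender check in the second point above can also be run on a message's raw headers. The following is an added example, not part of the original article: the function name, warning codes, trusted-domain list and sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name shows a company address, but the real
# sender and the Reply-To sit on other domains (reserved example domains).
SAMPLE = '''\
From: "Jane Doe <jane.doe@example.com>" <jane.doe@example.net>
Reply-To: jane.doe@example.org
To: accounts.payable@example.com
Subject: Urgent wire transfer

Please process the attached payment today.
'''

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's own domains


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()


def sender_warnings(raw_message, trusted=TRUSTED_DOMAINS):
    """Return warning codes for a raw RFC 5322 message (hypothetical helper)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    warnings = []

    # What "hovering over the address" reveals: the real sending domain.
    if domain_of(address) not in trusted:
        warnings.append("sender-domain-not-trusted")

    # Display name that embeds an address other than the real one.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and shown.group(0).lower() != address.lower():
        warnings.append("display-name-address-mismatch")

    # What "pressing reply" reveals: replies routed to a different domain.
    if reply_to and domain_of(reply_to) != domain_of(address):
        warnings.append("reply-to-domain-mismatch")

    return warnings


if __name__ == "__main__":
    print(sender_warnings(SAMPLE))
```

These comparisons only automate the manual check; a message sent from a look-alike domain that has been added to the trusted list by mistake, or from a compromised genuine account, passes them, which is why the voice-to-voice verification in the last point still applies.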

APWG 2Q 2020 Report: Cybercrime Gangs Attempting and Achieving Heists of Increasing Scale

On August 27, the APWG (formerly Anti-Phishing Working Group) published its Phishing Activity Trends Report for the Second Quarter 2020.  The Report analyzes phishing attacks and other identity theft techniques, as reported to the APWG from a variety of sources.  The Report’s principal overall observation was that cybercrime gangs have been attempting and achieving heists of increasing scale. Key findings in the APWG Report included the following:

  • Phishing Sites: In 2Q 2020, the number of phishing sites detected was 146,994.  This total represented an 11 percent decrease from the 165,772 sites detected in 1Q 2020.
  • Most Targeted Industry Sectors: Software as a Service (SAAS) and webmail sites were most frequently targeted (34.7 percent of all attacks). Financial institution sites accounted for 18.0 percent, payment sites 11.8 percent, and social media 10.8 percent of all attacks.
  • Business Email Compromise (BEC) Attacks: The average wire transfer loss from BEC attacks is increasing. The average wire transfer attempt in 2Q 2020 was $80,183 – a 48.4 percent increase from the average attempt of $54,000 in 1Q 2020.  In addition, 34 percent of BEC attacks in 2Q 2020 were sent from email accounts hosted on domains registered by scammers.  More than three quarters (76 percent) of those domains were registered at just five domain registrars: Namecheap (25 percent), Google (20 percent), Public Domain Registry (17 percent), NameSilo (7 percent), and Tucows (7 percent).  The Report also stated that one documented Russian BEC operation, which “attacks large multinational organizations, many of which are Fortune 500 and Global 2000 companies,” has sought an average of $1.27 million when it targets companies.
  • Phishing Attacks in Brazil: Although the banking and financial sector “is still the primary target of phishing attacks in Brazil,” the Report noted that there were 9,572 unique phishing cases in Brazil in 2Q 2020 (a decrease from 10,910 unique phishing cases in 1Q 2020), and that a decrease in cases of digital fraud in June 2020 was most evident in the banking and financial sector.
  • Phishing Sites’ Use of HTTPS: Since 2016, according to APWG data, there has been a fairly consistent and substantial increase in the number of phishing sites that use the HTTPS encryption protocol.  In 2Q 2020, the percentage of phishing sites using Secure Socket Layer/Transport Layer Security certificates increased slightly to 77.6 percent (compared to 74 percent in 1Q 2020).

Note: This latest APWG Report points up a number of troublesome phishing trends, notably the increase in the average BEC wire transfer losses and the increase in phishers’ use of HTTPS to enhance the credibility of their sites.  Information security officers should read this Report and share it with their information security teams.