Beyond hacking – the human threat of business email compromise scam emails
Despite the continued focus in organisations on cyber security and the technical methods to prevent breaches, the simple fact remains that too many people still think that the threat is purely technology-based, writes David Stewart.
Google ‘data breaches’ and you will find literally dozens of reports showing clearly that while technical attacks are very prevalent, an equivalent threat is people within organisations.
The Verizon 2017 Data Breach Investigations Report highlights that 43 per cent of data breaches follow ‘social engineering’ tactics, whereby a person responds to an email of some sort (phishing etc) and clicks on a seemingly legitimate link, which leads to malware being installed on the host computer.
However, many data breaches don’t even require the installation of malware. The UK Information Commissioner’s Office report from Q3 of 2017 outlined the following non-hacking elements relating to data breaches from UK public sector organisations:
Data posted or faxed to incorrect recipients
Loss or theft of paperwork
Data emailed to incorrect recipient
Failure to properly redact data in documents
Failure to use the bcc function on emails, thereby circulating email addresses to recipients not intended to see them
The Verizon report, focussing on hostile efforts, found that 73 per cent of breaches had a financial motivation and this is where the human element becomes critical, as it is often people falling for scams that result in financial loss.
The days of the Nigerian Prince scam emails seem to have gone, but these have merely been replaced by emails with a similar tone – you have unexpectedly become the beneficiary of the kindness of someone you don’t know who wishes to bestow great riches on you. All you need to do is provide them with all your personal information and your bank details and you will instantly become a millionaire.
Here at CRJ Towers, we occasionally become the lucky recipients of such emails. Two weeks ago, we were informed that we had won a European lottery. This email was sent to a corporate email address (not a personal one) and was not personalised, so immediately it was easy to recognise that all was not as it seemed. Our security filter also highlighted that it suspected this email to be spam so, when we looked at it, we were already 100 per cent certain that it was fake. The attached file also made it obvious to anyone with any common sense that it was spurious.
We had a laugh in the office about how we would spend our newfound wealth and emails of this type have now become so common that most cyber-savvy individuals don't pay them a second thought.
However, this week we received an example of a somewhat more sophisticated attempt, recognised by the FBI and Europol as a Business Email Compromise (BEC) Scam.
The first piece of sophistication was that the email appeared to emanate from our email domain. The second sophisticated layer was the email sender name – for the sake of this blog, let’s call him Joseph Smith. The email appeared to be from Joseph.email@example.com. This is interesting – CRJ changed ownership last year and one of the previous directors was called Joseph Smith, so the emailers had carried out some kind of research to make use of a name that was potentially connected with our company. This is the basic modus operandi of the scammers.
The FBI also refer to this scam as CEO impersonations, as often the email looks as though it has been sent by the CEO or another senior person in the company. The email is usually blunt and to the point – pay something to someone.
In our case, the text of the email was simple: ‘I need you to process a "Faster Payment" to a new beneficiary, can you handle this right now? Payee details attached.’
Also attached to the email was an invoice bearing bank account details for payment of the sum of £9,905.
By the standard of the BEC scam, our demand was a mere drop in the ocean. The FBI estimated in May 2017 that, since 2013, over $5 billion had been scammed from unwitting companies in the USA alone, using this technique. In June 2014, an employee of American company Scoular Co paid $17.2 million into a Chinese bank account after receiving emails purporting to be from the organisation’s external auditors, relating to the purchase of another company. On this occasion, the employee had actually telephoned the auditors to confirm the transaction should go ahead – however they telephoned the number listed on the original email received which, as with the rest of the email, was fake.
The obvious implication for victim companies is the loss of significant sums of money and, as this is technically a human error and not a traditional cyber attack, insurance companies may not cover the loss. The cyber security site, krebsonsecurity.com, reported that a company in Texas lost $480,000 to a BEC scam and its insurers subsequently refused a claim against the policy as: “The scam, known alternatively as ‘business email compromise’ (BEC) and CEO fraud, did not involve the forgery of a financial instrument as required by the policy.”
One question you may be asking yourself is how could the email we received appear to have come from our own domain? As outlined before, in the ‘from’ box, the name displayed was Joseph.firstname.lastname@example.org and, when we hovered our mouse over the sender, it also displayed the same. This was intriguing, but there is a way to identify the real sender email address. In our situation, we were aware that we didn’t have an email account in the name Joseph Smith so, we hit the ‘reply to email’ button. On doing this, the shortened ‘Joseph Smith’ came up in the ‘to’ box but, when we hovered over this name, this revealed that the email had actually originated from ‘email@example.com’.
When you set an email account up on any device, the email client will ask you to specify the display name – how you want your name and address to appear to those receiving your messages. You can therefore type anything at this point, and this is an issue for people who are not tech-savvy or even those who are merely too busy with routine work and suspect no wrongdoing. Whatever the reason, there are steps that can be taken by individuals and organisations to identify such scam emails.
The FBI provides the following by way of guidance:
In response to our receipt of the BEC email, we decided to report the details to the fraud department of the bank in question, and to the UK Police Action Fraud website. In UK law, no crime was actually committed by the persons sending the scam email, as no funds were lost, and in order for the police or other authorities to take action, a financial loss must have been incurred. As such, all we could do was provide the information we had – the bank account details and the fake email address (and domain) – to the relevant authorities. We were able to do this by email, although both resulted in auto-responders telling us that the information had been received but that we would get no further contact about the matter.
The simple fact is that law enforcement entities simply don’t have the resources to investigate every attempted scam email – and even those that have resulted in significant loss represent horrendously complex and time-consuming investigations.
As such, the best solution is one of preventing the crime (and the associated crisis) before it takes place, and the onus therefore lies on organisations. Most companies’ email rules are enshrined in their information security policies and procedures, but the usual challenge with this is that staff members may not be fully aware of the detail.
Training and awareness are the obvious way forward. Many organisations (through their IT Departments) spend significant funds on the technical aspects of what they would refer to as cyber security, but there is absolutely no doubt that equal emphasis must also be placed on the other area of potential threat – the human element.
Former Chief Superintendent David Stewart is Director with Crisis Management Ltd, CRJ’s consultancy division, and Global Operations Director for CRJ. David has managed and led projects worldwide. Crisis Management Limited provides bespoke services in terms of business/property risk and vulnerability assessment, as well as bespoke training for staff and employees.
Read Stemming the ripple effect of insider threats, by Ryan Meeks, first published in CRJ, March 2016.
David Stewart, 24/02/2018