Pretexting is the New Phishing
Email phishing schemes may seem like a tactic from bygone days – when the internet was new and users still reeled from the novelty. But the reality is that, according to Proofpoint’s Phishing Statistics and News report, email-based phishing attacks quadrupled in Q3 of 2018 over the previous quarter. These schemes have evolved in their sophistication but not in the way you might think. Instead of targeting computers with malicious code, activated by clicking suspicious links (which the majority of the population – 78%- has learned not to do) “phishers” are now targeting the users themselves. Referred to as social engineering, or “pretexting,” criminals send emails impersonating people or organizations that the recipient trusts, with the end goal of tricking the recipient into willingly and unknowingly giving away sensitive information such as credit card information, social security numbers, and login credentials.
For a prime example of how and why this works, one need only look to this past Amazon Prime Day. Shoppers were targeted by a phishing scheme called 16Shop. It’s a tactic that’s been employed against Apple users in the U.S. and Japan and involves tricking email recipients into “resetting their account” and giving away credit card information via a fake account-reset form. Forbes reports that “16Shop enables malicious actors to send out emails disguised to look like they come straight from Amazon itself. The emails have PDFs attached that contain links that directs victims to a website that looks essentially identical to the Amazon login page. Of course, it’s not really an Amazon site. Instead, it’s a site designed to harvest information from unsuspecting victims who find themselves on the page.”
Business Email Compromise Schemes
It’s not just consumers that are being targeted. In fact, businesses are bigger targets, especially banks and financial institutions. And don’t think your corporate firewall is going to protect you. According to Verizon’s 2018 Data breach Investigations Report, Malware was found in less than 10% of 2017 pretexting attempts. “Pretexting is less about gaining a foothold and more about acquiring the information directly from the actions taken by the target. The two scenarios that were most prevalent in pretexting attacks were those targeting employees who either worked in finance or human resources.” The report found that employees are typically emailed directly by a criminal impersonating a CEO or executive (whether through a phony email account or by compromising an executive’s business email account) and ordered to transfer money to a criminal’s account or process fraudulent invoices. This is presumably effective because employees are disinclined to question the orders of senior officials. These pretexting phishing schemes have been dubbed Business Email Compromise (BEC). And they’re causing huge losses.
According to the FBI’s annual Internet Crime Report, all internet-enabled theft, fraud, and exploitation cost a total of $2.7B in 2018, up from $1.4B in 2017: Of that, BEC/Email compromise schemes cost approximately $1.2B, with over 20,373 total incidents reported to the Internet Crime Complaint Center (IC3) in 2018. According to the Internet Crime Report: “BEC and Email Account Compromise (EAC) are constantly evolving as scammers become more sophisticated. In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector.”
FinCEN Issues Advisory
These losses have proven significant enough to warrant action by The Financial Crimes Enforcement Network (FinCEN), which announced July 16 that it would be employing new strategies for combating BEC schemes: “Based on data from FinCEN’s Suspicious Activity Reports (SARs), hackers and other illicit actors’ BEC scams generated more than $300 million a month in 2018, with a cumulative total exceeding billions of dollars stolen from businesses and individuals.”
The announcement came as an update to its original advisory from September 2016 – which outlined the most prevalent types of phishing schemes used against financial institutions and suggested methods for combating the threat. This advisory outlined the three main scenarios by which BEC phishing/pretexting schemes typically occur:
1. Criminal impersonates a commercial customer
In this scenario, criminals gain access to the email account of a business’s employee. The criminal then impersonates that employee and instructs the business’s bank to wire funds to an account controlled by the criminal. These accounts are often located in the U.S. This allows criminals to avoid initial suspicion on the part of the target. It also allows the criminal to make use of money mule networks to successfully avoid detection.
2. Criminal impersonates a company executive
In this scenario, a criminal gains access to the employee email account of a bank executive or financial institution’s executive. The criminal then uses these credentials to dupe employees responsible for handling funds or making payments. The criminal impersonating the executive will typically instruct the employee to make payments to accounts held by the criminal.
3. Criminal impersonates a vendor or supplier
In this scenario, a criminal gains access to the email account of a bank vendor or supplier and send fraudulent invoices or otherwise misdirects funds. Oftentimes, the criminal will instruct the company to send future payments to a new (fraudulent) account.
Since 2016, FinCEN has recorded over 32,000 incidents of business email compromise schemes with losses in the past 3 years totaling 9 million. The 2019 addendum provides updated definitions of BEC fraud, expands on sectors targeted by BEC fraud, and alerts financial institutions to current risks posed by BEC schemes.
Expanding Definition of BEC Fraud
In 2016, FinCEN stated that the primary goal of BEC schemes was wire fraud. The organization has broadened the definition of BEC fraud to include more than just wire transfers – now the fraudulent transfer of anything of value is covered under the definition of BEC fraud. “While many email compromise fraud scheme payments are carried out via wire transfers (as originally stated in the 2016 BEC Advisory definition), FinCEN has observed BEC schemes fraudulently inducing funds or value transfers through other methods of payment, to include convertible virtual currency payments, automated clearing house transfers, and purchases of gift cards.”
Expanding Targets of BEC Fraud
Financial reward continues to be the primary objective for BEC and EAC schemes. So – though financial institutions tend to be the main target and bring the greatest reward, criminals have been observed diversifying their targets by expanding to other sectors. FinCEN analysis found that the top three sectors being targeted are manufacturing and construction, commercial services, and real-estate. But BEC has evolved to include more than just business sectors. Anyone with a high net worth who can be fooled or forced to misdirect funds is now covered by the term, including governments: “Dozens of government organizations, ranging from foreign national governments to municipal government offices, have been targets of BEC fraud. Such thefts have targeted accounts used for pension funds, payroll accounts, and contracted services, losses of which can impact government operations as well as government employees, citizens, and vendors.” Educational institutions, which rely on many vendors, are another high-value target for criminals. In 2016, over 160 attempts to steal over $50 million were reported to FinCEN.
How Financial Institutions Should Respond
FinCEN suggests a few main ways that banks and financial institutions should be dealing with phishing threats.
1. Risk Management
Banks and institutions need to update their systems and protocols and increase their resilience to all cyberattacks. For phishing and pretexting, a multi-factor authentication process for business email accounts is suggested, as well as requiring funds transfers to be verified by multiple communication methods (instead of one fraudulent email from an “executive” serving as authorization.
2. Response and Recovery of Funds
FinCEN, in partnership with the FBI, Secret Service, and various other organizations, has recovered over $515 million in stolen funds. The takeaway is that while many transactions are irrevocable, this task force has had greater success when the fraud is reported within 24 hours.
3. Sharing of Information
FinCEN encourages banks and institutions which have experienced fraudulent phishing or pretexting attacks to share information with other institutions in order to create a base of knowledge from which to build resiliency. It offers a framework for reporting suspicious activity:
1) Dates and amounts of suspicious transactions;
2) Sender’s identifying information, account number, and the financial institution;
3) Beneficiary’s identifying information, account number, and the financial institution; and
4) Correspondent and intermediary financial institutions’ information, if applicable.
1) Relevant email addresses and associated Internet Protocol (IP) addresses with their respective timestamps;
2) Description and timing of suspicious email communications and any involved compromised or impersonated parties; and
3) Description of related cyber-events and use (or compromise) of a particular technology in the conduct of the fraud. For example, financial institutions should consider including any of the following information or evidence related to the email compromise fraud:a) Email auto-forwardingb) Inbox sweep rules or sorting rules set up in victim email accountsc) A malware attackd) The authentication protocol that was compromised (i.e., single-factor or multi-factor, one-step or multi-step, etc.)
For more information on how to protect yourself from BEC fraud and other phishing schemes, you can visit Finccen.gov and ic3.gov.