By Robert Capps
About 35,000 executives from some of the world’s biggest banks and mortgage companies never imagined themselves as being on a cyber hit list, until they were. Cybercriminals hoping to trick executives into making money transfers embarked on a very professional business e-mail compromise (BEC) scam, discovered by security researchers at Agari after the gang targeted Agari’s own CEO, who tipped the researchers off to its activities.
The gang, known as London Blue, are of West African origin, apparently centered around Nigeria, a region known for its well-organized cybercriminals that perpetrate scams, including the infamous “Nigerian Prince” advance-fee scam. London Blue operates as an incredibly organized network across multiple countries, including Western Europe and the United States. Their targets range in size, from independent businesses to multinational corporations, but one thing remains constant: the targets are always people who have financial responsibilities within an organization. CEOs, CFOs, accountants and financial executives are all ripe for the picking.
If normal phishers are hoping to hook an ordinary fish with their scams, business e-mail compromise scammers are looking for whales with access to significant money. BEC scams are a form of highly targeted phishing attacks, which work to impersonate a member of an organization in order to extract money from that organization or an associated business, such as a supplier or a customer.
Cybercriminals also rely on something which is a lot harder to change: human nature. Jobs in large organizations, and particularly jobs with a financial remit, are often extremely fast-paced and high-stress, with a company-wide emphasis on moving quickly on decisions.
Disguised as insiders, the gang does their homework to target executives with professional documentation and e-mails that would fool the savviest. They impersonate everyone from third-party business contractors to actual customers and utilize document forgeries that anyone would be hard-pressed to discern from the real thing. Combined with spoofed e-mails, made all the easier by the advent of business-focused social media channels such as Twitter or LinkedIn, the trap is complete.
These BEC attacks have been devastatingly effective: the FBI found that in 2018 alone, over 350,000 BEC scams were reported, generating losses to American businesses of $1.2 billion.
What’s to be done?
Awareness training and educational measures are the first line of defence against such targeted scams. Employees should be closely reviewing all e-mails, especially those that are slightly unusual, to look for tell-tale signs of a scam. Employees should ask themselves:
Is the content of this e-mail unusual, especially if it is someone the organization has dealt with on a regular basis?
Is the structure of the e-mail unusual? Sometimes the biggest giveaway in these intrinsically human scams is, in fact, human. Refer back to known, legitimate e-mails from that sender: are they structured or written in the same way?
There are other steps companies can take. Any wire transfers or transactions involving significant amounts of money should be double-checked by phoning the recipients and confirming the transaction, using well-known and vetted contact information rather than details taken from the e-mail itself. Companies should also run targeted phishing campaigns against their staff and see who takes the bait. For those who keep clicking, more education is warranted. For those who spot a fake, some type of rewards system should be instituted.
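As an added example (not from the article, Agari or NuData), the Python sketch below turns the checks above into a simple triage step: it builds a profile of what legitimate mail from a sender looks like, then flags a new message whose display name matches a known sender but whose domain or Reply-To does not, or whose text carries the payment-and-urgency language these lures rely on. Every message, name and domain in it is constructed for illustration, and the word list is a placeholder to be tuned to an organization’s own mail.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed baseline: one legitimate message from a finance executive.
KNOWN_GOOD = [
    "From: Jane Doe <jane.doe@example-corp.com>\nSubject: Q3 figures\n\n"
    "Hi all,\nAttached are the Q3 figures.\nBest,\nJane\n",
]
# Constructed test messages: a lookalike-domain lure and an ordinary note.
SUSPICIOUS = ("From: Jane Doe <jane.doe@example-corp.co>\n"
              "Reply-To: jane.doe@mail-example.net\nSubject: Urgent wire\n\n"
              "I need a wire transfer done today. Keep this confidential.\n")
BENIGN = ("From: Jane Doe <jane.doe@example-corp.com>\nSubject: Lunch\n\n"
          "Hi all,\nLunch at noon?\nBest,\nJane\n")

# Placeholder word list; tune to the organization's own legitimate traffic.
LURE = re.compile(r"\b(urgent|asap|immediately|wire|transfer|confidential)\b", re.I)

def _parse(raw):
    """Return (display name, From domain, Reply-To domain, subject + body)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", addr))  # absent Reply-To == From
    body = "" if msg.is_multipart() else msg.get_payload()
    dom = lambda a: a.rsplit("@", 1)[-1].lower()
    return name.strip().lower(), dom(addr), dom(reply), msg.get("Subject", "") + "\n" + body

def build_baseline(known_good):
    """Map each display name to the sender domains seen in legitimate mail."""
    baseline = {}
    for raw in known_good:
        name, domain, _, _ = _parse(raw)
        baseline.setdefault(name, set()).add(domain)
    return baseline

def triage(raw, baseline):
    """List the BEC warning signs found in one message (empty list = none)."""
    name, domain, reply_domain, text = _parse(raw)
    reasons = []
    if name in baseline and domain not in baseline[name]:
        reasons.append("display name matches a known sender but domain does not")
    if reply_domain != domain:
        reasons.append("Reply-To domain differs from From domain")
    hits = sorted({h.lower() for h in LURE.findall(text)})
    if hits:
        reasons.append("payment/urgency language: " + ", ".join(hits))
    return reasons
```

Calling triage(SUSPICIOUS, build_baseline(KNOWN_GOOD)) returns all three warning signs, while the benign note returns an empty list; a real deployment would feed the result into the phone-verification step rather than block mail outright.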
Technology, combined with education, is the best line of defence. While cyber gangs like London Blue can steal credentials and passwords, next-generation technologies such as passive biometrics are still able to detect whether it is the right person behind the device.
Passive biometrics are able to identify people online by their behaviour within an online account, both inside and outside a company. This type of technology can detect hundreds of unique identifiers, from how hard someone types and how fast they move from page to page all the way to device identification and more.
It is these types of technologies that can identify the human behind the device, so that even if a scammer gets hold of legitimate documents, credentials and passwords and creates the perfect fraudulent e-mail, they can still be unmasked and stopped. Behaviour-based authentication frameworks that detect a user’s unusual activity, paired with anti-money-laundering systems, can flag suspicious transactions.
Robert Capps is vice president and authentication strategist for NuData Security (https://nudatasecurity.com), a Mastercard company. He is a recognized technologist, thought leader and advisor with over 20 years of experience in the design, management and protection of complex information systems, leveraging people, process and technology to counter cyber risks.