How an Email Compromise Attack Begins
Stanley Milgram’s 1961 experiment demonstrated how susceptible we are to the psychology of hierarchy: a doctor instructed a participant to administer shocks to another participant – really a paid actor – of increasing intensity. Even though many of the participants objected verbally, they continued on the doctor’s orders to issue the seemingly excruciating shocks.[1]
Faced with the right con, we’re all vulnerable
On his Cautionary Tales podcast, Tim Harford told the story of an ex-con who put on an army captain’s uniform and an air of authority and proceeded to demand to inspect a military financial account and confiscate (that is, steal) the $250,000 it contained.
If your employee gets an email from an executive at your organization requesting urgent action, how does the employee respond?
The unfortunate answer may be the one long-baked into most western-world organizations: ours not to reason why, ours but to do and die.
Hopefully that inclination can change, because it is among the most easily exploited. When CFO Brew magazine asked Virginia-based Paymerang’s John Heyel how the CFO role has changed, Heyel answered: “CFOs have shifted their risk-management focus. Internal threats to accounts payable and accounts receivable have always been present. However, over the past five years, external threats have dramatically increased … Fraud schemes like vendor impersonations and business email compromise mean that our business’s daily activities now require an investment from the CFO to ensure practices and policies are in place to protect our organization. One small mistake can cost a company millions of dollars.”[2]
Impersonations and accounts that have been taken over are hallmarks of Business Email Compromise (BEC). In many BEC attacks an apparent authority, usually the CFO or CEO, urgently requests that a payment be processed now and in a specific way. The attack uses the tactics of a confidence game, also called social engineering, to get employees to take this unconventional action.
Typically a con artist allays a victim’s suspicions by watching and exploiting a victim’s weaknesses. These can include the desire to impress one’s boss or fear of the repercussions of failing to meet a boss’s request.
Bryley partner Cisco described a subtler scenario: “using details from the employee’s social media, the cybercriminal impersonates a company media manager and sends a tailored email, alluding to a recent work event.”[3] Any link sent from this apparent co-worker would tend to go unquestioned. Robert Cialdini names social identity (identification with another: ‘that person’s like me’) as one of the key principles for influencing others’ behavior.[4] A scammer’s personalized approach increases the likelihood that an employee will let down their defenses and comply with what is being asked.
In light of these methods for setting us up as marks, we might reconsider the eagerness with which large companies gather and make public our information, either as part of a public-facing website (Facebook, LinkedIn) or because their collected data has been stolen and sold cheaply.
What can reasonably be done to limit your exposure to information that con artists can use against you? Consider offering your employees training on this topic, like Bryley partner Knowledgewave’s webinar Digital Privacy and Protection, which addresses employee responsibility on social media and the risks of oversharing. Among the topics covered are periodic reviews of social media privacy settings. This is LinkedIn’s privacy settings page. This is Facebook’s.
Anatomy of a BEC attack
The Boston Globe reported that Fairfield, Connecticut’s Save the Children was the victim of a BEC attack: “hackers broke into a worker’s e-mail, posed as an employee, and created false invoices and other documents, to fool the charity into sending nearly $1 million to a fraudulent entity in Japan. The con artists claimed the money was needed to purchase solar panels for health centers in Pakistan …”[5]
This is a long game, and by that measure it differs in character from the usual, non-targeted phishing emails we all get daily (like ‘your Prime membership has expired – click here’). This attack included:
emailing convincingly from an internal employee’s account
researching plausible projects
understanding how the organization conducted its operations
creating false documentation that would hold up to some scrutiny
Knowledge is power
Slowing down the scam
What can be learned from the lengths these con artists go to? First, because there are so many elements to the con, there are also many points at which to back out of it. The trouble is, these are pros who have done this dozens of times, so employees need a lot of support before it becomes too late.
The stolen credentials needed to commandeer one of your organization’s email accounts can be obtained in several ways, such as through a system breach or through poor password practices (a password that is easy to guess, or one reused from another site that has been breached). A good way to minimize the impact of stolen credentials is adding multi-factor authentication (MFA); in particular, consider implementing MFA through a time-limited code in a secure authenticator app.
Have a layered email defense strategy. For example, Bryley Advanced Email Threat Protection includes technology to help detect changes in communication patterns between employees and send an alert, which may be just the pause needed to avoid going through with a costly mistake.
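As an added illustration of the kind of heuristic such a layered defense can apply (example code written for this post, not Bryley’s product or any vendor’s), the following Python scores a raw email for common BEC signals: an executive’s display name arriving from an outside domain, a lookalike domain, a Reply-To that differs from From, and payment or urgency language. The organization domain, executive roster and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organization domain and executive display names (constructed for this example).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane ceo", "john cfo"}
PAYMENT_WORDS = re.compile(
    r"\b(wire|bank account|routing|invoice|urgent|asap|immediately)\b", re.I)

def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_signals(raw):
    """Return human-readable reasons a message looks like BEC (empty list if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    if name.lower() in EXECUTIVES and domain != ORG_DOMAIN:
        reasons.append("executive display name sent from an external domain")
    if domain != ORG_DOMAIN and levenshtein(domain, ORG_DOMAIN) <= 2:
        reasons.append(f"lookalike domain: {domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("Reply-To differs from From")
    hits = {m.lower() for m in PAYMENT_WORDS.findall(msg.get_payload())}
    if hits:
        reasons.append("payment/urgency language: " + ", ".join(sorted(hits)))
    return reasons

# Constructed sample messages: one mimicking an executive wire request, one benign.
SUSPICIOUS = (
    "From: Jane CEO <jane.ceo@examp1e.com>\n"
    "Reply-To: jane.ceo@mail-example.net\n"
    "Subject: Quick favor\n\n"
    "Please process this wire today, ASAP.\n")
BENIGN = (
    "From: Bob Smith <bob.smith@example.com>\n"
    "Subject: Lunch\n\n"
    "See you at noon.\n")

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, bec_signals(raw) or ["no BEC signals"])
```

Any non-empty result is a reason to hold the request and verify it out of band, rather than a verdict on its own.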
Employees need regular Security Awareness Training, as mentioned above, to stay aware of evolving tactics. Employees are an important line of defense. Can employees be encouraged, even when a request seems to come from a co-worker or boss, to verify an urgent or unusual request by phone or in person? Also review, and improve as needed, the checks and balances for issuing payments.
And as also stated above, review what gets posted on the web, including social media, that can turn around and sting you. Protect the details of your projects as much as you can.
A second Globe-reported BEC attack was similar, but different: Save the Children reported that it was provided with a false bank account in Africa for a vendor whose e-mail had been hacked, causing the charity to mistakenly send $9,210 to the hacker’s account instead of the real one … So if email passwords had been reset to stop the internal-email-based Pakistan-solar-panels scammer, would employees have thought to be suspicious of an attack coming from a vendor?