According to the FBI, “business
email compromise” is rapidly on the rise.
Hardly surprising, given the low-risk, high-reward nature of this kind of
But coupled with the number of personal data records that have been
purloined by criminals from healthcare providers, retail outlets and
government departments over the past few years, the big question CEOs should
be asking is: what can security professionals do about this and how can
businesses protect themselves?
Business email compromise
- or social engineering - has netted cyber fraudsters over US$2.3
billion (A$3 billion) since October 2013 through to February of this
year. Over 17,000 businesses have been affected so far and attacks
have been reported in at least 79 countries.
However, these are only cases the FBI is aware of.
The hard fact is that many cybercrimes go unreported, both in large
and small businesses. You might expect that small businesses won’t
report it, especially where the loss is insignificant, such as a $200
fee to get data back from a successful ransomware attack.
However, big businesses are not reporting either, maybe for fear of
public embarrassment or in an attempt to avoid regulatory scrutiny.
Over the past five years or so, we’ve seen many successful hacks
remove millions upon millions of records from large companies, such as
Target, Sony, the US Office of Personnel Management, Anthem, Talk Talk
in the UK, and Kmart and David Jones in Australia.
But these mega hacks are just those that make news. There have
literally been tens of thousands of attacks that didn’t make the
headlines since they weren’t as juicy.
Nevertheless, in every case, almost without exception, the thieves
were targeting customer data. These massive treasure troves of data
are worth a lot of money on the black market. Consider the Anthem
attack, where thieves took off with over 80 million healthcare
records. Each one of these on the black market is worth around $10.
Even at a significant bulk buy discount, they could have sold that
database for big money, potentially to an organised crime syndicate.
This leads us to consider not the breach itself, but the use of the
data once sold.
Typically, the hacker wants to
quickly pass the data onto a buyer. The market is filled with unscrupulous
organised crime mobs, terrorists and nation states who would have the funds
to buy the data and the intent to use it.
There are so many reasons Anthem’s data may have been bought. ID theft is
the criminal modus operandi that most people think about, where social
security numbers, addresses, names, dates of births, etc. are used to
convince credit companies that the criminal is actually a legitimate citizen
and then authorise credit agreements for mobile phones, automobiles, new
bank accounts etc.
However, business email compromise is another mode of operation that the
organised crime mobs may be using these data breaches for. They’ve got a lot
of useful data in those heists to masquerade as a legitimate partner.
"They research employees who manage money and use language specific to the
company they are targeting, then they request a wire fraud transfer using
dollar amounts that lend legitimacy," the FBI said.
Just imagine how convincing they can be with a few stolen healthcare
records, open source research on LinkedIn and a few carefully planned social
engineering attacks on the target company.
It’s no wonder these highly targeted, blended attacks are on the rise, given
the amount of data that is now circulating on the black market, along with
what’s circulating freely on social media.
What can we do?
Unfortunately, there isn’t much you can do about the origins of the attack.
That’s for law enforcement to coordinate globally, and the threat is real
and is getting progressively worse every year. Also, the wealth of
information already leaked, along with that available on social media, means
targeted social engineering is still by far the best way to attack an
The only way to protect yourself is to educate staff, especially those in
roles that will be targeted, about the nature of this threat. Security
awareness training is by far the best control you can put into an
organisation to create a culture that is naturally suspicious and willing to
The second thing to consider is the process you use for release of capital
funds. If an email is enough justification to have your payroll send funds
to a creditor, charity or partner, then it’s time to upgrade the workflow to
include additional checks and balances.
Building a couple of phone calls into your process where you check a
transaction number or secure passcode would be good. Maybe instigate the use
of cryptographic technologies to prove the originator of the message was
who they say they are, based on signing the message with a key that you have
There are many ways to increase the security of these kinds of workflows,
it’s a matter of seeing their inherent weakness today and engaging with an
expert who can design the security architecture of the process for you.
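The workflow this section recommends, written out as an added example (not the article's own code): an emailed payment request is checked against a key pre-shared with the requester, and a one-time code is then confirmed over a callback to a number on file before anything is released. The key, addresses and amounts below are constructed, and an HMAC over the request with a pre-shared key stands in for the unspecified "cryptographic technologies".

```python
import hashlib
import hmac
import json
import secrets

# Pre-shared key exchanged out of band (constructed demo value, not a real key).
SIGNING_KEYS = {"cfo@example.com": b"constructed-demo-key-do-not-reuse"}
SIGNED_FIELDS = ("id", "from", "beneficiary", "amount")

def canonical(request: dict) -> bytes:
    """Stable byte form of the fields the signature covers."""
    fields = {k: request.get(k) for k in SIGNED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_request(request: dict, key: bytes) -> str:
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()

def verify_signature(request: dict) -> bool:
    """Check 1: the mail must carry a MAC made with the sender's pre-shared
    key; a mail that merely looks like it came from the CFO fails here."""
    key = SIGNING_KEYS.get(request.get("from"))
    if key is None or "mac" not in request:
        return False
    return hmac.compare_digest(sign_request(request, key), request["mac"])

class ReleaseWorkflow:
    """Check 2: finance phones a number already on file (never one taken
    from the email) and has the requester read back a one-time code."""

    def __init__(self):
        self.pending = {}      # request id -> (request, expected code)
        self.seen_ids = set()  # a paid request id can never be replayed

    def start(self, request: dict):
        """Accept a signed, never-seen request and issue the callback code."""
        rid = request.get("id")
        if rid is None or rid in self.seen_ids or not verify_signature(request):
            return None
        code = secrets.token_hex(3)
        self.pending[rid] = (request, code)
        return code

    def confirm(self, request_id: str, spoken_code: str) -> bool:
        """Release funds only if the code read back by phone matches.
        One attempt per request; a mismatch means starting over."""
        entry = self.pending.pop(request_id, None)
        if entry is None or not hmac.compare_digest(entry[1], spoken_code):
            return False
        self.seen_ids.add(request_id)
        return True
```

A tampered beneficiary, a missing MAC, an unknown sender or a replayed request id all fail before the callback step is reached.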
Banks do this already. When you request a payment be made from your account
to a third party, you use your RSA token plus PIN to authorise,
authenticating that the transaction is indeed being set up by the account
A reasonable paper that introduces secure electronic payments systems was
published by ISACA back in 2014 and can be found here [pdf]. NIST publishes
the best overall guide on creating a security awareness program, which can
be found here [pdf].
The reality is that there is certainly enough information, technology and
evidence of criminal intent around today that if you are hacked using a
simple business email compromise attack, it’s really your own fault.
If you are handling the amounts of money we are talking about and believe
yourself not to be targeted by criminals, then your head needs to come out
of the sand before it’s too late.
Tony Campbell has been
a technology and security professional for over two decades, during which
time he has worked on dozens of large-scale enterprise security projects,
published technical books and worked as a technical editor for Apress Inc.
He was the co-founder of Digital Forensics Magazine prior to developing
security training courses for infosec skills.
He now lives and works in Perth, where he maintains a security consulting
role with Kinetic IT while continuing to develop training material and
working on fiction in his limited spare time.