Business Email Compromise Threats Are Growing

Last week, both the FBI and the IRS issued warnings of increased business and consumer fraud during the COVID-19 pandemic. Research from security experts at Proofpoint shows that Business Email Compromise (BEC) has been growing exponentially in the past year and accelerating during the global coronavirus crisis.

In the first half of 2019, researchers at Proofpoint analyzed data from more than one thousand cloud service tenants with over 20 million user accounts. Their analysis showed more than 15 million unauthorized login attempts into corporate cloud accounts, of which 400,000 were successfully compromised.

With the spread of coronavirus, a whole new breed of business email compromise attacks is also going viral.

Who were the favorite targets of email cybercrime?

Researchers found that the education and foodservice industries were most vulnerable to successful business email compromise attacks, followed by manufacturing and by construction and engineering companies.

Regulated industries such as healthcare and financial services protected themselves better in comparison, with significantly lower rates of successful attacks. Researchers noted, however, that Fortune 500 companies in the study were heavily targeted and 60% experienced at least one compromised cloud account.

“Because of the volume of attacks, even seemingly low success ratios still result in significant numbers of potentially compromised organizations even over this relatively short period of time,” Sherrod DeGrippo, Senior Director of Threat Research and Detection at Proofpoint, noted.

The most popular targets for BEC included sales representatives and managers across all industries. “Regardless of the sector, sales representatives and managers were among the most highly targeted users. The nature of their jobs makes them easier to reach and requires them to respond to unsolicited emails, potentially increasing their exposure to phishing attacks. Threat actors also target sales representatives because they are in frequent contact with people in finance departments and external organizations, enabling lateral movement, supply chain exploitation, and internal phishing,” according to the study.

Coronavirus creates new targets, new threats

The COVID-19 crisis has created a whole new set of trends, business email compromise threats, and targets. “At the onset of the coronavirus, we saw threats targeting the global shipping industry, capitalizing on the concern that the virus would disrupt supply chains. We are now seeing all industries being targeted, but particularly healthcare, education, manufacturing, media, advertising, and hospitality companies,” DeGrippo says.

Attackers are using coronavirus themes for nearly all types of attacks, including (but not limited to) business email compromise (BEC), credential phishing, malware, and spam email campaigns. “In all the coronavirus lures we’ve seen, they are effectively using social engineering to play into the fear, concerns, and interest this pandemic has caused around the globe. People are more likely to make instinctive decisions about clicking a link or opening an attachment out of emotion, without proper vetting,” she added.

DeGrippo says cybercriminals are carefully following the coronavirus news cycle and tying their attacks to those themes. Initially, email lures offered information on what the virus is and its impact on shipping after China locked down its country. “Once the pandemic went global, we started seeing lures on travel restrictions, potential cures, invoices for medical equipment, and now payments and financial aid for impacted businesses and individuals.”

One recent notable scheme tried to capitalize on the global shift towards quarantine. BEC attackers used the claim of positive coronavirus tests in the victim’s area to start the email conversation. In this attack, the urgency is present in the subject line listed, “Urgent Reply needed about coronavirus.”

These coronavirus-themed BEC attacks often come with spoofed display names, which likely belong to real people known to the recipient. In the body of this particular message, the actor tries to rule out voice verification, and so raise the chance of success, by saying their phone is “faulty at the moment.”
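The warning signs described for this campaign (a known person's display name on an unfamiliar address, urgency in the subject line, and an excuse that rules out a phone call) can be checked mechanically at the mail gateway or in triage. The sketch below is an added example, not code from Proofpoint or the original article; the staff directory, the addresses, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: a directory mapping staff display names to their real addresses.
DIRECTORY = {"jane doe": "jane.doe@example.com"}

URGENT = re.compile(r"\b(urgent|immediately|asap)\b", re.I)
# Pretexts that rule out a call-back, e.g. a phone that is "faulty at the moment".
NO_VOICE = re.compile(
    r"\b(phone|mobile|cell)\b[^.\n]{0,40}\b(faulty|broken|not working|unavailable)\b",
    re.I,
)

def bec_indicators(raw: str) -> list[str]:
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""

    hits = []
    # A directory name paired with an address other than the one on record.
    known = DIRECTORY.get(" ".join(name.lower().split()))
    if known and addr.lower() != known:
        hits.append("display-name-spoof")
    if URGENT.search(str(msg.get("Subject", ""))):
        hits.append("urgent-subject")
    if NO_VOICE.search(body):
        hits.append("avoids-voice-verification")
    return hits

# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Jane Doe <jdoe.office@mail.example.net>\n"
    "Subject: Urgent Reply needed about coronavirus\n"
    "\n"
    "Are you available? My phone is faulty at the moment, so reply by email.\n"
)
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Q2 forecast\n"
    "\n"
    "Attached is the forecast. Call me if you have questions.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, bec_indicators(raw))
```

Because the first message in a staged BEC exchange carries no payload or payment request, header and wording indicators like these are often the only signals available at that point.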

“BEC attacks are often delivered in stages. The first email sent is typically innocuous, meaning that they do not contain the attacker’s end goal. The attackers craft plausible scenarios in hopes the recipient will reply. Once they’re on the hook, the attacker will send their true ask. Those asks then manifest as ‘I need you to buy gift cards,’ wire transfer funds, etc.,” DeGrippo explained.

How can you minimize business email compromise?

The best protection against all forms of email fraud is a combination of technology and people, according to Proofpoint.

“We recommend organizations prioritize a people-centric approach to security that protects all parties (their employees, customers, and business partners) against these threats, including layered defenses at the network edge, email gateway, in the cloud, and at the endpoint, along with strong user education. Users should approach all unsolicited emails with caution, especially those that request the user to act, like downloading/opening an attachment, clicking a link, or entering credentials,” DeGrippo advised.

You can get more information and insight into business email compromise threats from Proofpoint’s BEC study here.