As with cybercrime more broadly, fraud levels have skyrocketed during the COVID-19 pandemic, with the digital shift expanding opportunities for scammers to strike. Much of the discussion around fraud focuses on its impact on individual citizens, and understandably so. However, the huge surge in fraud targeting organizations must also be considered, with tactics such as business email compromise (BEC) increasingly prevalent.
Therefore, during this year’s International Fraud Awareness Week, taking place from 14-21 November 2021, it is vital to highlight current trends around the ways scammers are targeting enterprises and the actions required to mitigate these threats.
Enterprise Fraud Trends
It is well-documented that phishing and BEC attacks have ramped up in the past 20 months. These techniques make up a substantial proportion of attempts to scam businesses, often out of vast sums of money. “BEC continues to represent one of the biggest threats to business in 2021, with threat actors taking advantage of both security weaknesses and a lack of employee diligence. While the types of BEC attacks do vary, the overwhelming majority target either executives or employees involved in processing financial payments,” observed Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
The messages sent are becoming increasingly sophisticated and more difficult for recipients to detect, including those at the top of a business. John Bambenek, principal threat hunter at Netenrich, commented: “Attackers are getting more informed about the specifics of organizations they are attacking. They are using business research services to get revenue and headcount numbers, they are researching key personnel, and for those attackers that are looking for the big payday, they are putting in the work to get there.”
The increasing availability of information about companies and their employees enables scammers to tailor their communications more effectively, making them more believable. This includes plausibly impersonating a colleague or partner. Armen Najarian, chief identity officer at Outseer, outlined trends in respect of SMS or ‘smishing’ scams. “Whether you’re the CEO of a cybersecurity company or an average person on the street, anyone can be a target. Impersonation scam cases more than doubled in the first half of 2021, resulting in criminals stealing £129.4m,” he explained.
“Fraudsters are no longer just sending spam texts out purporting to be from a company, with multiple spelling errors and unsafe links; they’re now also impersonating and targeting specific individuals. From researching a person’s colleagues, their time zone or whereabouts through social media, cyber-criminals can craft personalized – and extremely convincing – text messages. By impersonating an individual their target knows, fraudsters hope to disarm them and reap the financial reward.”
Many threat actors are willing to be patient, building up trust with their target over a long period before striking. Martina Dove, senior UX researcher at Tripwire, explained: “Grooming is a method of establishing a connection with a person to perpetrate a crime against them. Grooming is becoming more common in fraud, both online as well as in interpersonal interactions. What’s more, scammers are getting more sophisticated in their techniques. There is a mistaken belief that scammers are forceful, arrogant and therefore easy to spot, but many play a long game, carefully and patiently grooming the victim before asking for money.”
Another sophisticated technique increasingly utilized by scammers is email hijacking, which can be particularly difficult to detect. “One trend we have seen regards email hijacking, where threat actors hijack legitimate email chains and insert a phishing email into an ongoing conversation,” explained Digital Shadows’ Morgan. “These attacks almost always start with the takeover of a victim's email account, which commonly happens through credential theft or brute force. Once in control of a victim's email account, threat actors can monitor conversations and identify opportunities to insert a malicious email into an existing thread. These types of scams are often very difficult to identify and are far more effective than a typical phishing email, with recipients much less likely to scrutinize existing emails when compared to unsolicited emails arriving from unknown accounts.”
Tips for Employees
Organizations should, first and foremost, reinforce a simple message to their staff in respect of any emails and texts they receive: stop and think. Morgan said: “Even for known individuals, stop and inspect the messages and the attachments. Make sure that you do everything you can to detect misdirection and other social-engineering tricks.”
If a suspicious message purportedly comes from someone known to the recipient, its validity should be checked, even if it relates to someone in a high-level position. “Would your CEO really contact you asking for a credit card number?” asked Morgan.
Employees should also understand that any information they share on social media about themselves and their job could be used to launch a sophisticated scam against their company. Therefore, keeping sensitive details to a minimum on these sites is a good rule of thumb. “Little do employees realize, but the personal information they share online could fuel social engineering and phishing attacks for an infinite amount of time when it falls into the wrong hands,” explained Stephen Banda, senior manager, security solutions at Lookout. “Employees are also increasingly toggling between personal and enterprise applications, and as a result, employees inadvertently leak sensitive information to the wrong channels. This type of accidental data leakage can plant a seed for future fraudulent activity.”
Leading from the Front
In addition to providing staff with awareness training and guidance, organizations must take up the mantle of dealing with fraud attacks themselves. This should start at the very top, engendering a strong security culture throughout the workforce, according to Morgan. “It’s not just the responsibility of employees to build this type of active and aware culture. Business leaders all the way up to the highest levels of the organization need to endorse and sponsor the culture. How powerful would it be for a company’s CEO to get in front of all the employees and talk about how he or she almost clicked that link, almost gave away that critical information which could have been used to further develop fraudulent activities?” he outlined.
The culture must be reinforced by continuous education and clear processes, for example, around password practices and multifactor authentication (MFA). Outseer’s Najarian said: “Gone are the days when it was sufficient to show employees a quick slide on cybersecurity and fraud when they join the company. Fraud education must evolve as threats evolve. Organizations must implement processes that ensure every staff member is aware of their role and responsibilities in preventing fraud. Examples must be given and need to be updated regularly to reflect the current threat landscape that employees face.”
Even with a strong cybersecurity culture and processes in place, there will always be a chance that a sophisticated scam will dupe staff. This is where tools and technologies can plug any lapses. An obvious starting point is anti-phishing technology. Lookout’s Banda stated: “Every employee should have anti-phishing protection on all of their devices – from laptops, Chromebooks, iPhones and Androids – protection across them all is imperative as phishing attacks target them all. This will ensure that employees stop falling victim to phishing attacks.”
Netenrich’s Bambenek added: “For internal protection, every organization should be enabling DKIM, SPF and DMARC for protecting their emails against impersonation, as well as creating CAA records to prevent SSL certificate fraud. Lastly, they should implement strong phishing protection in DNS by filtering phishing domains and bulletproof hosting providers to prevent those attacks from being successful.”
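The records Bambenek lists are only as good as their contents: an SPF record ending in `?all` or `+all`, a DMARC policy of `p=none`, or a domain with no CAA records at all is published but protects nothing. The script below is an added example, not code from the article or from Netenrich, that audits the text of SPF, DMARC and CAA records for exactly those weak settings. The record strings and domain names in it are constructed for illustration; in practice you would pull the real records with a resolver (for example `dig TXT example.com`, `dig TXT _dmarc.example.com`, `dig CAA example.com`) and pass them in.

```python
"""Offline audit of SPF, DMARC and CAA record contents for weak settings.

Added example. The sample records below are constructed for illustration and
do not describe any real domain; feed in records fetched with a resolver.
"""
import re

# RFC 7208 section 4.6.4: each of these terms costs a DNS lookup, and more than
# ten per evaluation is a permanent error, so receivers may treat SPF as broken.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10

# RFC 8659 CAA RDATA: flags, tag, quoted value.
CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$')


def audit_spf(record):
    """Return a list of findings for one SPF TXT record (empty list = no issue)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: missing or malformed (no v=spf1 version tag)"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        # Strip the argument ("include:x", "a/24", "redirect=y") to get the mechanism name.
        name = term.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        qualifier = "+"  # default qualifier is pass
        if name and name[0] in "+-~?":
            qualifier, name = name[0], name[1:]
        if name.lower() in SPF_LOOKUP_TERMS:
            lookups += 1
        if name.lower() == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"SPF: '{all_qualifier}all' lets any host send as this domain")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    return findings


def audit_dmarc(record):
    """Return a list of findings for one DMARC TXT record (empty list = no issue)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing or malformed (no v=DMARC1 tag)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown or missing policy '{policy}'")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives aggregate reports of abuse")
    return findings


def audit_caa(records):
    """Return findings for a list of CAA RDATA strings such as '0 issue "ca.example"'."""
    if not records:
        return ["CAA: no records, any public CA may issue certificates for this domain"]
    findings, issuers = [], []
    for record in records:
        match = CAA_RE.match(record.strip())
        if not match:
            findings.append(f"CAA: unparseable record {record!r}")
            continue
        _flags, tag, value = match.groups()
        if tag == "issue":
            issuers.append(value)
    if not issuers:
        findings.append("CAA: no 'issue' tag, so non-wildcard issuance is not restricted")
    return findings


def audit_domain(spf, dmarc, caa_records):
    """Combine the three audits; an empty list means no weaknesses were found."""
    spf_findings = audit_spf(spf) if spf else ["SPF: no record published"]
    dmarc_findings = audit_dmarc(dmarc) if dmarc else ["DMARC: no record published"]
    return spf_findings + dmarc_findings + audit_caa(caa_records)


# Constructed sample records: a weak configuration and a hardened one.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net a mx ?all",
    "dmarc": "v=DMARC1; p=none; pct=50",
    "caa": [],
}
HARDENED = {
    "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    "caa": ['0 issue "letsencrypt.org"', '0 issuewild ";"', '0 iodef "mailto:security@example.com"'],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_domain(cfg["spf"], cfg["dmarc"], cfg["caa"]) or ["no findings"])
```

The weak configuration produces five findings (a neutral `?all`, a monitor-only DMARC policy applied to half the mail with no reporting address, and no CAA at all); the hardened one produces none. The check is deliberately syntactic: it does not resolve `include:` targets or confirm that the listed IP ranges are really yours, which a full audit would also do.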
Monitoring is another important way of defending against fraud attempts by identifying suspicious activity early and taking action. Bambenek said: “Organizations who authenticate users need to start looking at behavior analytics to help detect bot or otherwise unauthorized users accessing their services using stolen credentials.”
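One concrete form of the behavior analytics Bambenek describes is looking at authentication events per source rather than per account: a source that tries many different accounts in a short window and fails almost every time is testing stolen credentials, and any success from that source deserves scrutiny. The detector below is an added example, not code from the article or from Netenrich; it runs over constructed login events (the accounts, timestamps and IP addresses are made up) and the thresholds are illustrative starting points that a real deployment would tune to its own traffic.

```python
"""Flag credential-stuffing sources and the logins they succeed with.

Added example. EVENTS is a constructed sample, not a real log; the thresholds
are illustrative and should be tuned against real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # sliding window per source IP
MIN_ACCOUNTS = 5                # distinct accounts tried inside the window
MIN_FAIL_RATIO = 0.8            # share of attempts in the window that failed

# Constructed events: (ISO timestamp, account, source IP, outcome).
EVENTS = [
    ("2021-11-15T09:00:01", "alice", "198.51.100.7", "failure"),   # legit typo ...
    ("2021-11-15T09:00:09", "alice", "198.51.100.7", "success"),   # ... then success
    ("2021-11-15T09:01:00", "bob", "198.51.100.22", "success"),
    ("2021-11-15T09:02:00", "alice", "203.0.113.9", "failure"),    # one source, many accounts
    ("2021-11-15T09:02:02", "bob", "203.0.113.9", "failure"),
    ("2021-11-15T09:02:04", "carol", "203.0.113.9", "failure"),
    ("2021-11-15T09:02:06", "dave", "203.0.113.9", "failure"),
    ("2021-11-15T09:02:08", "erin", "203.0.113.9", "failure"),
    ("2021-11-15T09:02:10", "frank", "203.0.113.9", "failure"),
    ("2021-11-15T09:02:12", "grace", "203.0.113.9", "success"),    # a stolen password worked
]


def parse_events(rows):
    """Turn raw tuples into dicts sorted by time so the sliding window is valid."""
    events = [
        {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "ok": outcome == "success"}
        for ts, user, ip, outcome in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


def stuffing_sources(events, window=WINDOW, min_accounts=MIN_ACCOUNTS, min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: set(accounts)} for sources that sprayed many accounts with mostly failures."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e["user"] for e in span}
            failures = sum(1 for e in span if not e["ok"])
            if len(accounts) >= min_accounts and failures / len(span) >= min_fail_ratio:
                flagged.setdefault(ip, set()).update(accounts)
    return flagged


def suspicious_successes(events, flagged):
    """Successful logins from a flagged source: the credentials that actually worked."""
    return [
        (e["user"], e["ip"], e["ts"].isoformat())
        for e in events
        if e["ok"] and e["ip"] in flagged
    ]


if __name__ == "__main__":
    parsed = parse_events(EVENTS)
    sources = stuffing_sources(parsed)
    for ip, accounts in sources.items():
        print(f"stuffing source {ip}: tried {len(accounts)} accounts")
    for user, ip, when in suspicious_successes(parsed, sources):
        print(f"review login: {user} from {ip} at {when}")
```

Alice's single mistyped password from her own address is not flagged, because one account never reaches the distinct-account threshold; the source that cycled through seven accounts is, and Grace's successful login from it is surfaced for review (forced re-authentication, MFA step-up or a password reset, depending on policy). Keying on the source rather than the account is what makes this catch low-and-slow attempts that per-account lockout never sees.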
With business fraud on the rise and the potential for enterprises to lose large sums of money through a single successful scam, this issue has to be taken more seriously going forward. Businesses can take some comfort from the fact that a strong cybersecurity culture, combined with the right processes and technologies, will defeat most fraud attempts before any money changes hands.