Invoicing fraud can arguably be one of the costliest business email compromises. Invoicing fraud transactions tend to be substantial and persistent, giving fraudsters ample incentive and opportunity to cash in.
Impersonation: In supplier impersonation, a threat actor uses common email spoofing techniques to pose as the supplier. Often, these fraudulent emails are sent from free webmail domains or from unrelated compromised accounts the threat actor controls.
In many cases, an attacker may first impersonate the targeted company to get a real invoice from the supplier — then use that real invoice to turn around and impersonate the supplier.
Compromise: Supplier compromise involves a malicious actor gaining unauthorized access to a trusted supplier’s email account, then using that real account to scam the supplier’s customers. The attacker usually gains access to the account through a past phishing campaign or purchased credentials.
In many cases, attackers will piggyback an existing email thread of a compromised account. By observing, mimicking, and responding to actual conversations within the email thread, they can craft believable messages with supporting documents. Call it the ultimate impersonation tactic – becoming part of an active conversation. The recipient has no reason to suspect that the person they were communicating with has suddenly been replaced by an impostor. It’s no wonder these emails are among the most convincing BEC attacks most users will ever face.
In one supplier invoice fraud attack, an attacker tried to steal more than $100,000 from a company by posing as its usual wine supplier. The attacker had gained unauthorized access to the trusted supplier’s email account and hijacked an existing email thread between the customer and the supplier. The attacker requested a change in billing details and asked that payment be sent directly to a specified bank account. The email included a detailed invoice that featured the real supplier’s logo and legitimate charges to make it convincing. Because the attacker had read the existing thread, the email could cite real invoice numbers and products, making the request all the more credible.
According to the FBI, the average loss from payroll redirect attacks is $7,904 per reported incident. The IRS included payroll redirects on its “Dirty Dozen” list of tax schemes for 2020. The agency says attackers use IRS documents in payroll redirect schemes to convince recipients that fraudulent bank change requests are legitimate.
Payroll redirect schemes usually involve some form of impersonation. Typically, the threat actor uses display name spoofing so that the email appears to come from an employee. Some payroll redirects target higher-level executives and upper management for the chance to score a bigger paycheck. In these attempts, attackers may use email addresses with executive themes to lend credibility, e.g. “ceo@realcompany.com”.
One hallmark of payroll redirect schemes is their simplicity – a threat actor impersonates several employees in emails sent to a large company’s payroll department. The emails often use the same approach, differing only in the recipient, the employee being impersonated, and the language used (English, German or Spanish). Despite the low-tech nature of these attacks, they can be surprisingly effective because they exploit a normal business process. Payroll, finance, tax and HR employees receive these kinds of requests by email every day, and most of them are legitimate.
Extortion email fraud uses just one deception tactic — impersonation. As in most impersonation-based attacks, the attacker usually makes the email look as if it originated from the victim’s own email account. Typically, the threat actor sends the victim an email claiming to have accessed their computer and recorded them viewing adult content. The email includes sensitive content made to look like it came from the recipient’s own email account, then threatens that the embarrassing content will be sent to co-workers and family unless the recipient pays up.
Sextortion is by far the most common form of extortion we see. These emails tend to be lengthy and detailed, but the goal is simple: convince victims that they are in a precarious position and must meet the threat actor’s demands. Threats of physical harm are less common, though understandably alarming to the people who receive them. As seen in the email below, these strong-arm tactics try to scare the victims into thinking their lives are in grave danger unless they pay. Key attributes include a sense of urgency, short deadlines for complying, and dire warnings not to contact police.
Lure and task emails often begin with a simple request or routine favor. While some attacks open with a specific ask, many are vaguely worded, reeling the victim in over the course of multiple emails.
An initial message might make a general request in the vein of:
Attackers commonly pose as someone the intended victim knows or trusts, such as an authority figure, close friend, or family member. Posing as someone familiar disarms any suspicions the recipient might have about an unexpected or unusual request and almost compels a response. Most lure/task emails use display name spoofing to deceive the recipient. Some use other impersonation tactics, such as spoofing the domain or the reply-to address.
A simple response achieves the threat actor’s first aim: identifying an active email account and potentially receptive audience. After receiving a response, the threat actor often changes tactics to make the scheme seem more credible.
Many of the lure/task fraudulent emails we see begin with a brief email that gauges how receptive the target might be. These early emails may not even try to create a sense of urgency. Lure/task-themed email fraud is prolific, accounting for more than half the email fraud threats seen in 2021. Though these emails may seem benign at first, if the recipient falls for one, it can lead to more serious forms of email fraud with potentially costly outcomes.
These attacks work because companies often reward employees and partners with gift cards. To the recipient, the request might seem routine. If the email sounds urgent and offers a reasonable-sounding explanation, the recipient might act without giving it a second thought.
Attackers typically spoof a person in leadership or a position of authority to give the request legitimacy. As is the case with other forms of email fraud, posing as someone familiar, including close friends and family members, makes the recipient more likely to fall for the scheme. Most gift carding email fraud uses display name spoofing to deceive recipients. Sometimes, attackers use other impersonation tactics, such as spoofing the domain or altering the reply-to field.
Gift carding is a common form of email fraud. At an average $840 per incident, this crime has swindled people out of almost $245 million since 2018.
The below example includes an attacker attempting to tug on the recipient’s heartstrings – the sender claims the request is for his niece’s birthday. In many cases, the threat actor first seeks to see whether the intended victim is available and the gift card request comes only after a person responds.
Attackers have dreamed up countless variations of advance fee fraud. They often weave elaborate tales of why a large sum of money is available and why they need a small upfront fee to get it to the email recipient.
Once the victim provides the advance fee, the fraudster may string the victim along for more money (citing unforeseen complications) or simply cut all contact and disappear.
Advance fee fraud uses impersonation techniques. Threat actors commonly pose as government officials, legal representatives, or persons in a dire situation. Most advance fee fraud emails use display name spoofing, though some use other impersonation tactics such as domain spoofing or lookalike domains.
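The payroll redirect, lure/task, gift carding and advance fee sections above all come down to the same handful of header-level tactics: display name spoofing, sending from free webmail, lookalike domains, and a mismatched reply-to address. The following is an added example (not Proofpoint's code) of a triage check that flags those tactics on a raw message; the company domain, the directory of impersonated names, the webmail list and the sample message are all constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example: the organisation's own domain, a directory
# of people attackers like to impersonate, and common free webmail domains.
COMPANY_DOMAIN = "realcompany.com"
DIRECTORY = {"Jane Doe": "jane.doe@realcompany.com", "CEO Office": "ceo@realcompany.com"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

def edit_distance(a, b):
    """Levenshtein distance; used to catch lookalike domains (a swapped or added letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonation_findings(raw):
    """Return the list of impersonation indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # Display name spoofing: a name we know, but not that person's real address.
    if name in DIRECTORY and addr.lower() != DIRECTORY[name]:
        findings.append("display-name-spoof")
    # Free webmail sender: weak on its own, strong when combined with a known name.
    if domain in FREE_WEBMAIL:
        findings.append("free-webmail-sender")
    # Lookalike domain: close to, but not equal to, the company domain.
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # Reply-To steering replies to a domain other than the sender's.
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append("reply-to-mismatch")
    return findings

# Constructed sample in the style of a payroll redirect request.
SAMPLE = """From: Jane Doe <jane.doe@gmail.com>
Reply-To: payroll-update@realcompany-hr.net
To: payroll@realcompany.com
Subject: Updated direct deposit details

Can you update my direct deposit before the next payroll run? Thanks.
"""

if __name__ == "__main__":
    print(impersonation_findings(SAMPLE))
```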
Advance fee fraud emails use various lures to reel in victims, maintain their trust and persuade them to act. As shown in the following examples, threat actors may latch on to anything that works — including current events such as the pandemic, business deals, and beneficiary payouts. Most advance fee fraud emails are simple and easy to spot; few are well-crafted or more complex than the examples provided here. Advance fee emails make up a small fraction of fraud emails; still, people do fall for them, with an average loss of about $5,100 per incident.
The types of email fraud outlined above are devious, unrelenting, and hard to manage with traditional perimeter-focused security tools and gateways.
Financial controls, such as requiring two or more people to approve changes to payment accounts or payroll details, are a good start. But stopping business email compromise also requires advanced email protection. To get more visibility into this human attack surface and stop business email compromise in all its various forms, you need a comprehensive platform with integrated controls across email, cloud accounts, users and suppliers.
Resource: Proofpoint