A cyber threat detection company has identified a Nigeria-based hacking group that is engaging in a spearphishing campaign against financial institutions. Spearphishing is a directed email phishing campaign that is typically aimed at those with responsibilities relating to financial transactions. In this case, the group in question has compiled a list of over 35,000 CFOs working at financial institutions, with over half of them in the U.S. While the existence of this group, “London Blue,” and this list of CFOs is new, the scam the group is perpetrating, referred to as business email compromise, is not new. In fact, it is a progression of social engineering scams perpetrated in large part by Nigerians. The “Nigerian prince” email scam has been around almost as long as email, originating from a scam using written letters that dates back to the 1800s. The Nigerian prince scam typically identifies some wealthy individual who needs help transferring money, with promises of riches in exchange for assistance. But first the mark has to contribute a small amount of money to facilitate the big payday. The Nigerians, having honed their social engineering skills with that scam, have now turned to the more organized and lucrative business email compromise scam.
What Is Business Email Compromise?
There is a reasonably high likelihood that your corporate email accounts are besieged by phishing emails, with those handling financial transactions receiving more particularized treatment. Hopefully, all of it is being caught before it reaches your inbox. But if not, you may encounter several variants. Some try to trick you into entering your credentials into a fake login screen, allowing the perpetrator to capture your username and password. Others induce you to open a file or click a link that installs malware. This constant probing has been going on for years, but most people may not know what happens when the perpetrators succeed. Well, as we have seen in the news, there are all sorts of dangers that can spawn from such an attack. It can be the entry point for ransomware, an active ongoing attack (referred to as an advanced persistent threat), or it could just be used passively to monitor until the time is right. But perhaps the most likely purpose is to gain access to perpetrate business email compromise.
The typical business email compromise involves the scenario where a party is duped into transferring money to a fraudulent account through email correspondence. While there are innumerable scenarios as to how it can play out, the typical scenario is that one or both parties to a transaction have their business email accounts compromised, and the perpetrator uses the compromised accounts to trick one party into wiring money to a fraudulent account. This is often done either by intercepting a legitimate invoice and altering the details, or by sending a follow-up to an original invoice informing the payee that payment details have changed.
These scams are particularly damaging because they often result in the loss of large sums of money and both parties to the transaction feeling aggrieved. One is out the money, and the other has not been paid for goods or services. They also leave victims feeling completely helpless when they finally figure out something went wrong. The responsibility often appears to fall to one or two people who, in hindsight, could have identified the attempt and avoided the transfer. But companies need to look beyond just one person’s actions. There are many layers of policies, procedures, and controls that can prevent business email compromise from succeeding.
What Can Be Done?
If you have gotten this far, you have taken the first and most important step of starting to educate yourself. First, you need to understand and accept that this is very common. The FBI has tracked over 40,000 incidents totaling over $5 billion in a three-year period ending in December 2016, and this number is only growing. Business email compromise was the No. 1 internet crime reported to the FBI in 2017 as ranked by victim loss. If you are involved in the transfer of money or managing those who do, you are one of the prime reasons that hackers are sending waves of phishing emails, and groups such as London Blue are using more and more sophisticated spearphishing means. They may specifically target you, or they may seek you out once they have already infiltrated your corporate network. In any case, the best assumption you can make is that every email that contains wire transfer instructions was not written by the person it purports to be from and that the account numbers are not legitimate. In other words, trust emailed money transfer instructions at your own peril. Whatever convenience businesses may achieve from relying on emailed wire instructions is almost certainly offset by the huge risk created by the practice.
Every organization should perform a full risk assessment and implement best practices that are appropriate, but the following are some high-level considerations. Taking measures to secure email is a first step. There are many endpoint protection and network-level security controls that can help minimize the number of phishing emails that reach a user, prohibit a script or program from being run, or block a fake login screen designed to capture credentials. Nevertheless, even with a robust set of those controls in place, organizations should also take measures to minimize the ability of any unauthorized party that has credentials to access and use email and other aspects of the network. Many organizations use cloud-hosted email services that come with huge vulnerabilities along with the convenience if they are not secured properly. Two-factor authentication is a big deterrent to unauthorized use of email. Also, restricting logins by location can help. There is no reason that merely getting a username and password should allow a hacker from another continent to log in and use a corporate email account.
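The location-based control described above can be enforced at sign-in, but it is also worth watching for in the mailbox sign-in log after the fact. The script below is an added example for this article, not code from the original page or from any email vendor. It assumes a simplified sign-in record format (timestamp, user, country, success flag) and a hypothetical allow-list of countries; the sample records are constructed. It applies two rules: any successful sign-in from outside the allow-list, and "impossible travel" (two successful sign-ins by the same user from different countries within a short window).

```python
"""Flag suspicious mailbox sign-ins in a sample sign-in log.

Added example, not code from the original article or any vendor. The record
format and the allow-list are assumptions; real cloud mail audit logs carry
more fields, but the same two rules apply.
"""
from datetime import datetime, timedelta

# Constructed sample sign-in records: (ISO timestamp, user, country, success).
SAMPLE_SIGNINS = [
    ("2018-12-05T08:02:10", "cfo@example.com", "US", True),
    ("2018-12-05T08:40:00", "cfo@example.com", "US", True),
    ("2018-12-05T09:15:30", "cfo@example.com", "NG", True),   # 35 min after a US sign-in
    ("2018-12-05T11:00:00", "ap-clerk@example.com", "GB", False),
    ("2018-12-05T11:01:00", "ap-clerk@example.com", "GB", False),
    ("2018-12-05T11:02:00", "ap-clerk@example.com", "GB", True),
]

# Hypothetical allow-list: countries this organization expects staff to sign in from.
ALLOWED_COUNTRIES = {"US", "CA"}

# A second successful sign-in from a different country inside this window is
# physically implausible and is reported as impossible travel.
TRAVEL_WINDOW = timedelta(hours=2)


def parse(record):
    """Turn one raw record into (datetime, user, country, success)."""
    ts, user, country, ok = record
    return datetime.fromisoformat(ts), user, country, ok


def find_suspicious_signins(records, allowed=ALLOWED_COUNTRIES, window=TRAVEL_WINDOW):
    """Return a list of (user, reason, detail) alerts, in log order.

    Failed attempts are skipped: both rules are about sessions that were
    actually established with a valid username and password.
    """
    alerts = []
    last_success = {}  # user -> (timestamp, country) of the latest successful sign-in
    for rec in sorted(records, key=lambda r: r[0]):
        ts, user, country, ok = parse(rec)
        if not ok:
            continue
        if country not in allowed:
            alerts.append((user, "sign-in from country outside allow-list", country))
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] <= window:
            alerts.append((user, "impossible travel", f"{prev[1]}->{country}"))
        last_success[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_signins(SAMPLE_SIGNINS):
        print(alert)
```

On the constructed sample this reports the CFO's Nigerian sign-in twice (outside the allow-list, and impossible travel from the US session 35 minutes earlier) and the clerk's successful GB sign-in once. In practice the allow-list would be derived from where staff actually work, and an alert on a finance user's mailbox is a reason to check the account's forwarding rules and sent items before any pending wire is released.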
In addition to security controls, procedures around transferring money can all but solve this issue. It may sound simplistic, but using some form of two-factor authentication for the confirmation of a wire transfer can defeat this scam in the vast majority of cases. This is typically done by voice verification, i.e., picking up the phone. This is critical because, in many cases, there is no amount of scrutinizing the email correspondence itself that will eliminate the risk. It could actually be originating from the correct person’s email account, and everything could be precisely accurate except for the account number. So probably the most important takeaway is to take action today: Initiate procedures to protect your company by requiring a secondary confirmation, either over the phone or some other way that is not tied to email credentials, whenever a money transfer is involved.
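The release procedure just described can be written down as a check that the payments team runs before any wire goes out. The code below is an added example, not code from the original article. It assumes a hypothetical vendor master file keyed by vendor id, each entry holding the bank account on record and a callback phone number captured when the vendor was onboarded. The one rule it encodes is the article's point: when the account in the emailed invoice differs from the record, the confirmation call goes to the number on record, never to a number supplied in the email, and the wire is held until that call confirms the change.

```python
"""Gate a wire transfer on a confirmation that does not depend on email.

Added example, not code from the original article. VENDOR_MASTER and the
WireRequest fields are assumptions used to illustrate the procedure.
"""
from dataclasses import dataclass

# Constructed vendor master records (hypothetical). callback_phone was
# verified at onboarding and is the only number a confirmation call may use.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Supplies", "account": "111222333", "callback_phone": "+1-555-0100"},
}


@dataclass
class WireRequest:
    vendor_id: str
    amount: float
    account: str         # beneficiary account as stated in the emailed invoice
    phone_in_email: str  # phone number the email asks you to call (untrusted)


def release_decision(req, master, confirm_by_phone):
    """Return ("release" | "hold", reason).

    confirm_by_phone(phone_number, vendor_id, account) stands in for a person
    calling the number on record and returns True only if the vendor confirms
    the account. It is passed in so the logic can run without a real call.
    """
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return "hold", "unknown vendor; onboard and verify before paying"
    if req.account == vendor["account"]:
        return "release", "account matches vendor master record"

    # The emailed account differs from the record: this is a change of payment
    # details, exactly the step the scam relies on. Any phone number in the email
    # is ignored; the callback uses the number on record.
    note = ""
    if req.phone_in_email and req.phone_in_email != vendor["callback_phone"]:
        note = "; phone number in email differs from number on record and was ignored"
    if confirm_by_phone(vendor["callback_phone"], req.vendor_id, req.account):
        return "release", "changed account confirmed by callback to number on record" + note
    return "hold", "account change not confirmed out of band" + note


if __name__ == "__main__":
    # Constructed request whose account differs from the record and which
    # helpfully supplies its own "call this number" line.
    req = WireRequest("V-1001", 48_500.00, "999888777", "+1-555-0199")
    print(release_decision(req, VENDOR_MASTER, lambda phone, vid, acct: False))
```

The decision function never reads the body of the email, which is the design point: the email may be perfectly genuine in every respect but the account number, so the release depends only on the vendor record and on a confirmation channel the attacker does not control. The same structure works for internal requests (an executive asking for an urgent transfer) by keeping the requester's desk phone on record instead of a vendor's.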
It’s Too Late, So What Do I Do?
If you found this too late and just learned your company was victimized, you need to act very quickly. Immediately contact your bank that originated the transfer and the FBI to report it. Your bank may be able to reverse the transfer and recover some or all of the money, and the FBI has a dedicated portal for this type of activity. You will also want guidance from a trusted legal advisor to navigate these unfortunate waters. And, of course, whatever the outcome, incorporate it into lessons learned and prepare your organization to prevent future loss.