AUTHOR: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
It was 23 years ago that the first Nigerian phishing attacks appeared in the inboxes of users across the world. Known today as the Nigerian 419 scams, these emails of deceit were cleverly crafted around the premise of a Nigerian prince whose financial accounts were being frozen. As a result, his family was seeking “your” help to get his fortune out of the country. All that was required was an advance fee to cut through the red tape and get the ball rolling. The “advance fee scam” scheme can actually be traced back to 1898 and the Spanish-American War. Known as the Spanish Prisoner con, the ploy was based on the same proposition: a Spanish prisoner was attempting to escape with his fortune and would share a nice percentage with anyone willing to help pay an advance fee.
We often laugh at the Nigerian 419 phishing scams today. Like the Spanish Prisoner letter, the messages are laced with spelling and grammatical errors, yet the scam proved hugely successful. According to the FBI, in 2005, thousands of Americans fell for the scam, losing an average of $3,000 each time, culminating in a total loss of over 70 million dollars. Many people wonder how anyone could be that gullible during the heyday of the scam, yet the con still generated as much as 55 million dollars from Americans in 2012 and continues to lure naïve victims who want so badly to believe in a free fortune.
Though still highly profitable, the Nigerian phishing scam can be described as highly crude today. It is an example of a typical net-casting scheme in which thousands, if not millions, of emails are blindly sent out, knowing that only a fraction will ever make it past the gauntlet of email spam filtering systems. Of those that complete the journey, only a fraction will snare a user in the end. The attack is simply a numbers game.
Email phishing has come a long way since its beginning in the early 1990s. It has evolved thanks to an infusion of talent and resources. The advance fee scam has matured into a threat now referred to as Business Email Compromise (BEC), also known as CEO fraud. Unlike its predecessors, which target large, unorganized audiences of random email addresses, the masterminds behind these attacks are highly selective of their prey. They handpick an organization and then choose a single user within it to target. Rather than spending days and weeks churning out random emails, these cyber criminals spend weeks, sometimes months, researching the targeted organization, learning the culture, language and writing styles, and even the hobbies of their chosen victims. Like the infamous Nigerian 419 scams, BEC attacks are garnering big money, except this time no one is laughing.
BEC is taking phishing to an entirely new level of sophistication, and as a result is taking in revenue streams of unprecedented proportions. According to the FBI, BEC/CEL email fraud cost businesses $2.3 billion between October 2013 and February 2016, with the average victim losing between $25,000 and $75,000. Though this average figure appears shocking, some scams have managed to garner loot amounting to tens of millions of dollars. With the amount of money being lost in these attacks, it is no wonder that BEC losses have increased by 1,300% just since January of 2015.
The premise of the scam is different from the traditional tried-and-true advance fee scam, but it still seeks to manipulate someone, in this case a high-level executive of a corporation or large business. The final act of the scam involves the cybercriminal sending a fraudulent email, impersonating the CEO or boss of a senior financial executive, to pressure that executive into initiating a wire transfer to a bank. Often the bank is located in China, but receiving banks have also been located in 78 other countries.
In addition to a thorough knowledge of the affected victims within the target organization, the timing of the final email is an important factor in securing the success of the attack. A perfect example of these phishing scams was a recent attack on the Mattel corporation in 2015, which resulted in a total loss of $3 million. The strike was brilliantly conceived and flawlessly executed. April 2015 was proving a tumultuous period for the world-renowned manufacturer of Barbie dolls: international sales were poor, the former CEO had been fired, and a new officer was being brought in. A finance executive received a request from the email account of the new chief executive officer for a routine funds transfer to a new vendor in China. Wanting to please the new boss, the executive issued the transfer to the Bank of Wenzhou in China. Later that day, as the executive spoke to the CEO in passing, the two came to the horrific realization that they had been scammed.
Fortunately for Mattel, it managed to retrieve some of the money after working with Chinese authorities. For many others, though, the losses are permanent, and the cost and aftermath involve much more than money. BEC is the superbug of phishing.