A new study by Agari concludes that, despite all the attention nation-state espionage services have been getting for their phishing attacks, the big threat still comes from criminal gangs.
Here is your quick Executive Summary:
- 97% of people who answer a Business Email Compromise (aka CEO Fraud) email become victims
- The average BEC incident included a payment request of $35,500 (ranging from $1,500 to $201,805)
- 24% of all observed email scam attempts between 2011 and 2018 were BEC even though BEC only started in earnest in 2016
And What's That Country?
Many of those criminal gangs continue to operate from Nigeria: of the ten gangs engaged in the email scams that Agari studied, nine were based in Nigeria. Conclusion: the old Nigerian 419 scam has upgraded big time.
While business email scams are relative newcomers to the world of online crime, becoming popular only as recently as 2016, they're now the most common kind of attack, accounting for 24% of phishing emails.
Patrick Peterson, Agari's Executive Chairman said: “The sad irony is that these foreign adversaries are using our own legitimate infrastructure against us in attacks that are far more damaging and much harder to detect than any intrusion or malware.”
BEC, in which the scammer poses as an executive of the business being phished, has the greatest potential for a large, immediate payout. All organizations should make it their policy never to use email to direct fund transfers, and they should train their employees to be aware of this social engineering tactic.
Other scams have similar potential to bankrupt their targets. Real estate brokers, for example, have been targeted with malicious attachments that enable criminals to conduct man-in-the-middle account takeover scams that hit escrow accounts.
Scammers Use A Multi-Step Process
An interesting finding of Agari's study is the multi-step process many of the scammers use: a probe email is followed by one or more follow-ups that deliver the scammer's punch.
In the case of business email compromise, a common and effective probe might ask, "Are you at your desk to make a payment?" We have seen that these organized crime groups are starting to automate and script the process of sending these initial probes to their targets.
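The probe stage described above is where a mail filter has its best chance: the message is short, impersonates an executive, and asks a question like the one quoted. The following is an added example (not Agari's or KnowBe4's code) that scores a single message for those probe traits; the organization domain, the executive list and the three sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values: the protected organization and its executives' real addresses.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"pat smith": "pat.smith@example.com"}

# Phrases typical of the BEC probe stage (the first one is quoted in the text above).
PROBE_PHRASES = ("are you at your desk", "make a payment", "quick task", "are you available")


def bec_probe_signals(raw_message: str) -> list[str]:
    """Return the BEC probe indicators found in one RFC 5322 message (empty list = none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signals = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else from_domain
    # 1. Display name is an executive's, but the address is not that executive's real one.
    key = from_name.strip().lower()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        signals.append("executive display-name impersonation")
    # 2. Mail appears to come from our domain, yet replies are routed somewhere else.
    if from_domain == ORG_DOMAIN and reply_domain != ORG_DOMAIN:
        signals.append("reply-to diverted off-domain")
    # 3. Very short body built around a probe question rather than any real content.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if len(text.split()) < 40 and any(p in text for p in PROBE_PHRASES):
        signals.append("probe phrasing in short body")
    return signals


# Constructed sample messages: a look-alike sender, a reply-to diversion, and a legitimate mail.
PROBE_LOOKALIKE = """From: Pat Smith <pat.smith@gmai1-mail.example>
To: finance@example.com
Subject: Quick request
Content-Type: text/plain; charset="utf-8"

Are you at your desk to make a payment? I'm in a meeting, reply here.
"""
PROBE_REPLYTO = """From: Pat Smith <pat.smith@example.com>
Reply-To: pat.smith@mail-example.net
To: finance@example.com
Subject: Available?
Content-Type: text/plain; charset="utf-8"

Are you available for a quick task? Need it handled today.
"""
LEGIT = """From: Pat Smith <pat.smith@example.com>
To: finance@example.com
Subject: Q3 numbers
Content-Type: text/plain; charset="utf-8"

Attached is the Q3 summary for the board deck. Let me know if anything looks off.
"""
```

Any non-empty result is a reason to hold the message for review and, as the text advises, never to act on a payment request that arrived only by email.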
Interactive training can help a business arm its employees against social engineering. KnowBe4 actually allows you to monitor what an employee who falls for a simulated CEO fraud attack writes back, and automatically step them through immediate remedial training. Agari study here.