Two-Month Email Compromise and Impersonation Attack Results in a $15M Take

Email Compromise Impersonation Attack Read how one unnamed company fell victim to a scam that’s been repeated many times over the last few years, but never with such a massive payoff at the end.

Recently, news of a U.S. company being the victim of a business email compromise scam has spread like wildfire. While no company is named, the story paints a picture of both how easy it is for cybercriminals to access credentials, and how painful the final outcome can be.

In this case, a simple phishing scam turned into $15 Million for one cybercriminal.

Here’s how it went down:

Step 1: Compromise email accounts – Senior executives were targeted. There were no signs of malware on corporate endpoints, which led investigators to believe access was achieved by tricking users into giving up cloud-based credentials to access corporate email.
Step 2: Impersonate the parties involved – using their own lookalike email domains hosted in Office 365, the bad guys were able to create email accounts to converse with players on either side of a pending financial transaction.
Step 3: Setup mail forwarding – any messages related to the financial transaction they intended to takeover were routed to the attackers.
Step 4: Takeover the conversation – once a transaction-related email was identified, the attackers inserted themselves and cause the bank details to be modified.
Step 5: Cover their tracks – to ensure the company being defrauded is left in the dark about the fraudulent transaction, the cybercriminals created additional mail routing rules to an obfuscated folder.

These actions resulted in the victim company being taken for $15M with no recourse.

This could be your organization. And everything done in the attack above could realistically be done by a single individual. It doesn’t take much to accomplish all this, if you know what you’re doing.

The biggest red flag should have been on Step 1 – rarely (if ever) does anyone need to log onto their web credentials when they are already logged in. Users fall for this all the time – and they shouldn’t. A little new school Security Awareness Training can make the difference to empower users with the knowledge of what phishing scams look like and why they need to work with a heightened sense of vigilance. All this adds up to a smaller threat surface and a lower likelihood that someone will fall for the bait that may be the beginning of a very costly attack.

Find out which of your users' emails are exposed before bad actors do.

Many of the email addresses and identities of your organization are exposed on the internet and easy to find for cybercriminals. With that email attack surface, they can launch social engineering, spear phishing and ransomware attacks on your organization. KnowBe4's Email Exposure Check Pro (EEC) identifies the at-risk users in your organization by crawling business social media information and now thousands of breach databases.

Here's how it works: