What do the Bank of Bangladesh, Facebook, Google and a couple in Essex have in common? They are all on the very long list of individuals and organizations who have fallen victim to Business Email Compromise/CEO Fraud/Man-in-the-Email attacks in the last few years (I’ll refer to it as BEC from now on, for ease). So much so that this year, the FBI reported that these forms of attack have led to international losses of $12bn between October 2013 and May 2018. These, of course, are the known and reported losses, so the true figure is likely to be much higher.
Social engineering takes many forms. Last year, there was the man who walked into a bank in Kuala Lumpur wearing shorts and a t-shirt, carrying a piece of paper that stated he was a fire extinguisher engineer. He walked out with the equivalent of around £110,000 after sneaking into the safe room. Earlier this month, we heard of at least eight Eastern European banks where criminals walked in, connected devices to the networks (including laptops, Raspberry Pis and Bash Bunnies) and stole tens of millions of dollars.
However, BEC is a problem on a whole different scale. It is one of the biggest attack vectors facing our clients and, arguably, most organizations in the world. Like ransomware, the more the criminals see a return on investment, the more we see the problem rise. This is the secret to its success, combined with the ease with which cyber-criminals can perform some open-source intelligence on a company and send a convincing email that exploits psychological triggers in the recipient, such as authority, fear and fatigue.
We gained an insight into the extent of some of these criminal enterprises with ‘London Blue,’ a criminal gang that operates like a modern corporation, with ‘business units’ and a well-researched list of 50,000 executives to target with their scam. This is certainly not the only criminal gang operating in this way to industrialize BEC, and cybercrime in general.
On the positive side, this year we also saw a coordinated law enforcement effort dubbed Operation WireWire that resulted in 74 global arrests, the seizure of nearly $2.4m and the disruption and recovery of approximately $14m in fraudulent wire transfers. Whilst this clearly does not match the $12bn we’ve lost in the last five years, it is extremely good news. We should celebrate this globally coordinated law enforcement effort that will have disrupted criminal activity in a way that can’t simply be measured in monetary terms.
We can also find success among some of the bad news stories. The Bank of Bangladesh heist, which I mentioned earlier, involved the theft of $81m. However, the criminals had put in place fraudulent transactions totaling $1bn, and they may have got away with such a sum of money were it not for an analyst working for the Federal Reserve Bank of New York, who spotted a typo in one of the fraudulent transactions (the word ‘foundation’ spelt as ‘fandation’) and triggered an investigation which ultimately identified the fraud.
Organizations are getting savvier. The more people are aware of the threat and how easy it is for criminals to, for example, spoof an email address, the more resilient individuals and organizations become to these forms of attack. Through the awareness-raising activities we deliver, I have seen firsthand the long-lasting impact that can be achieved when people are genuinely educated in the threat and what they can do to mitigate it. The NCSC removed 138,398 unique phishing sites this year and published clear and concise guidance for organizations to use to help defend themselves. This guidance stresses the need for a layered approach to defend against phishing, and it is through a layered approach that we will have the most success.
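As an added illustration of what a technical layer of that defence can look like (this is example code written for this page, not anything from the article, the NCSC or Cygenta), the script below runs a few independent checks over a raw email: the DMARC verdict recorded by the receiving mail server, agreement between the visible From: address and the envelope sender and Reply-To, a lookalike-domain comparison against the organization's own domains, and the urgency wording that BEC messages lean on. The two messages, the `OUR_DOMAINS` set and the `Authentication-Results` header (assumed to have been stamped by the organization's own mail gateway) are all constructed for the example.

```python
"""Layered sender-spoofing triage for a raw RFC 5322 message.

Added example, not from the original article. Assumes the receiving MTA has
already stamped an Authentication-Results header, and that OUR_DOMAINS lists
the organisation's own sending domains.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List
import re

OUR_DOMAINS = {"example.com"}                       # assumption: our own domains
URGENCY_WORDS = ("urgent", "immediately", "asap")   # constructed trigger list

# Constructed sample 1: the display name and From: claim to be our CEO, but the
# envelope sender and Reply-To point elsewhere and our gateway recorded a DMARC fail.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bounce.evil-example.net; dkim=none; dmarc=fail header.from=example.com
Return-Path: <bounce@evil-example.net>
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: <jane.doe@examp1e.com>
To: finance@example.com
Subject: Urgent wire transfer before 5pm

Please process the attached invoice today. I am in meetings, do not call.
"""

# Constructed sample 2: an ordinary internal message that authenticates cleanly.
LEGIT_MESSAGE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Return-Path: <jane.doe@example.com>
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget notes

Attached are my notes from this morning's meeting.
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def normalise_lookalike(domain: str) -> str:
    """Fold common visual substitutions so 'examp1e.com' compares equal to 'example.com'."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("1", "l").replace("0", "o"))


def auth_results(msg) -> Dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of the gateway's Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {mech: verdict.lower()
            for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def spoof_indicators(raw_message: str) -> List[str]:
    """Return the list of independent reasons the message looks like sender spoofing."""
    msg = message_from_string(raw_message)
    reasons: List[str] = []
    from_dom = domain_of(msg.get("From"))

    # Layer 1: did the message authenticate as the domain it claims to come from?
    if auth_results(msg).get("dmarc") == "fail":
        reasons.append("dmarc_fail")

    # Layer 2: do the envelope sender and Reply-To agree with the visible From?
    return_path_dom = domain_of(msg.get("Return-Path"))
    if return_path_dom and return_path_dom != from_dom:
        reasons.append("return_path_mismatch")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply_to_mismatch")

    # Layer 3: is any domain a reply would reach a lookalike of one of ours?
    for dom in (from_dom, reply_dom):
        if dom and dom not in OUR_DOMAINS and normalise_lookalike(dom) in OUR_DOMAINS:
            reasons.append("lookalike_domain:" + dom)

    # Layer 4: the pressure language (urgency, authority) that BEC relies on.
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        reasons.append("urgency_language")
    return reasons


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, "->", spoof_indicators(raw) or "no indicators")
```

No single check is decisive on its own: SPF fails on legitimately forwarded mail, and plenty of genuine messages carry the word "urgent", which is why the script reports every indicator rather than a verdict and leaves the decision to the human and process layers the article describes.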
The last few years have seen a move towards an approach in cybersecurity that accounts for human and physical issues more than ever before, as shown in the timeline of cybersecurity milestones we at Cygenta have started putting together. By continuing to tackle the complex problems of cybersecurity at the technical, physical and human level, we are putting ourselves in the best position to resist BEC, and cyber-insecurity in general.