“Hey Joe, are you around? I need to send a wire transfer to a customer.” If you received an email like that, especially if it was apparently sent by the boss, how might you react – assuming your name is Joe? The message is a good example of a particularly popular form of a business email compromise attack (BEC), or so finds analysis from Barracuda Networks.
Such emails are most often sent by people pretending to be the CEO; very few attackers pose as the CFO or as someone from HR.
Its research analysed 3000 or so BEC attacks.
It turned out that 60% of the emails didn’t even contain a malicious link. Instead, they were simple plain text emails intended to fool the recipient into making a wire transfer or sending sensitive information.
“These plain text emails are especially difficult for many email security solutions to identify,” said Barracuda.
The research also found:
- The number one objective of the cyber criminal was to generate a wire transfer: 46.9%.
- The second most popular aim was to get the recipient to click on a malicious link: 40.1%.
- And 42.95% of such emails are examples of CEO fraud, sent by people pretending to be the CEO.
On the other hand, the majority of recipients of these emails are in more junior roles – “with 53.7% of recipients holding roles outside of the C-level and not operating in the sensitive departments of HR or finance.”
A tactic employed by cyber criminals is to try to establish rapport with the target by starting a conversation. Barracuda gave as an example a message that asks whether the target is available for an urgent task; this is then followed up with a request for a wire transfer. 12% of attacks try this approach.
Barracuda cautioned that wire transfers “should never go out without an in-person conversation or phone call,” and said: “Use additional care with phone calls if the only contact information is included in the potentially fraudulent email.”
It also warned that users should take extra care with emails apparently from the CEO and confirm legitimacy if the email contains an unusual request.
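The patterns described above (an executive's name on an external address, a plain text body with no link, a rapport opener followed by a wire transfer request) can be turned into a triage check. The following is an added example, not Barracuda's code or anything from the report; the executive directory, internal domain and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed executive list (assumption): display names attackers imitate,
# and the one domain those people legitimately send from.
EXECUTIVES = {"jane doe": "CEO"}
INTERNAL_DOMAIN = "example.com"
URGENCY = re.compile(r"\b(are you (around|available)|urgent|asap|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|bank details|gift cards?|invoice)\b", re.I)
LINK = re.compile(r"https?://", re.I)

def score_email(raw: str) -> dict:
    """Return the BEC indicators found in one single-part RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", addr))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    indicators = {
        # An executive's name in the display name, but not our domain.
        "executive_name_external_domain":
            name.strip().lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN,
        "reply_to_domain_mismatch": reply_domain != from_domain,
        # Plain text with no link: nothing for a URL scanner to catch.
        "plain_text_no_link": LINK.search(body) is None,
        "rapport_or_urgency_opener": URGENCY.search(body) is not None,
        "payment_request": PAYMENT.search(body) is not None,
    }
    impersonated = indicators["executive_name_external_domain"]
    social = indicators["rapport_or_urgency_opener"] or indicators["payment_request"]
    # Impersonation plus a social hook is enough to hold the message for review.
    verdict = "suspicious" if impersonated and social else "ok"
    return {"from": addr, "verdict": verdict, "indicators": indicators}

# Constructed sample messages (not real mail).
SPOOF = """From: Jane Doe <jane.doe@mail-example.net>
To: joe@example.com
Subject: Quick task

Hey Joe, are you around? I need to send a wire transfer to a customer.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: joe@example.com
Subject: Board deck

Joe, the revised deck is here: https://drive.example.com/deck
"""
```

A "suspicious" verdict is a reason to route the message for the out-of-band confirmation the article recommends, not a block on its own.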
Barracuda said that it recommends “implementing a training program that teaches users how to spot a BEC attack and use that program to continually train and test them on updated techniques.”
It also recommended employing an email protection system.