Business Email Compromise Attacks Rapidly EvolvingPhishLabs' Opacki Says Sophisticated Schemes Targeting Smaller Businesses
Business email compromise attacks, also known as "masquerading" or invoice scams, are becoming more sophisticated and pervasive, and small businesses are the primary targets, says Joseph Opacki, vice president of threat research at security firm PhishLabs.
Over the last year, PhishLabs has tracked the evolution of BEC attacks, as they are commonly known, across every global market, Opacki explains during this interview with Information Security Media Group. Those waging these schemes are targeting primarily English-speaking countries, according to the firm's research.
The attacks use well-thought-out socially engineered scams that con unsuspecting accounting staff members at businesses into scheduling fraudulent wire transfers, he says. The schemes typically involve the impersonation of a high-ranking executive at the organization or an outside vendor.
In August, the Federal Bureau of Investigation warned that losses linked to BEC attacks totaled more than $1.2 billion from October 2013 to August 2015 - and many industry experts say that estimate is likely low.
"The newer campaigns target many more organizations, specifically those that are small enough to where personal appeals are more likely to result in payment," Opacki says. "The amounts are smaller, but the number of targets is much larger."
While numerous tactics are being used, Opacki says the all of the attacks are based on very strategic social engineering.
"The attackers are using better impersonation techniques that are more reliable than [email or Website] spoofing," he explains. "They are actually having [online] conversations with the victim, some with cleverly quoted messages with a pretense, such as 'Sent from iPhone.' And then also the attackers are doing more clever targeting and reconnaissance on the victims."
Businesses in the U.S. are being hit most often, Opacki says, followed by Canada, Australia, the United Kingdom, New Zealand and parts of Europe where English is the primary language.
Banks need to provide their business clients with advice on how to educate employees about how these types of attacks are waged and what employees should do if they believe they are being scammed.
"There needs to be a paradigm shift in the way everyone thinks about training their employees," Opacki says. "We need to educate the finance personnel and we have to show employees actual examples of what BEC attacks look like."
During this interview, Opacki also discusses:
- The likely groups and individuals that wage BEC attacks;
- Why most businesses still don't understand how BEC attacks are waged; and
- How these attacks are growing.
Before joining PhishLabs, Opacki served as senior director of global research at the security firm and consultancy iSIGHT Partners. He also previously served as the malware reverse engineering subject matter expert and technical director of advanced digital forensics in the operational technology division at the Federal Bureau of Investigation. In 2011, Opacki received the FBI Director's Award of Excellence for Outstanding Technical Advancement for his work in the area of enterprise-level malware triage and investigation.