Email fraud still a significant threat to businesses
Not so long ago the idea of email fraud mainly involved Nigerian princes asking for your help to liberate a few million dollars.
Things have moved on and the scammers have become more sophisticated, but email fraud is no less of a threat according to a new study by email security specialist Agari, which studied activity on 78 criminal email accounts over a period of 10 months.
Interestingly Nigeria is still at the heart of email scams, with nine out of 10 of the accounts studied based there. Most focus on business email compromise (BEC) attacks, but romance scams -- using information from online dating sites -- are common too.
The average BEC attack is active for less than three days, whereas the average romance scam is active for 25 days. BEC has a high success rate, with 0.37 victims per 100 probes. The attacks are 10 times more successful if the victim answers an initial probe (3.97 victims per 100 answered probes). The average payment requested across all BEC attacks is $35,500
"The attackers' odds of making money improve 10 fold as soon as they get any kind of response," says Markus Jakobsson, chief scientist at Agari. "We've been able to intercept several fraud attacks that were just about to be successful and have helped the victims by telling them it was a scam, allowing them to reverse fund transfers or fix malware infections placed by the criminals."
Cloud-based email services have commoditized basic email security, but they also oﬀer a low barrier to entry for criminal organizations that want to create dozens of fraudulent accounts to impersonate otherwise trusted identities. It's more difficult to detect these attacks because they are launched from legitimate infrastructures that traditional security controls have been taught to trust.
Not only are the rewards high for these crimes, the risks are low. These international operations face little consequence in the US for the crimes they commit overseas. However, just like the drug trade, many of these operations make use of US-based mules to help them. The average US company may be suspicious about wiring money to a Nigerian bank account, but when the bank is in the US (thanks to a mule) it is less likely to raise a red ﬂag.
Scammers are targeting both major enterprises and SMBs, intercepting their invoice payments and directing equipment deliveries to drop sites. They are also going to some lengths to make their attacks harder to detect, using tools like Grammarly to correct errors in punctuation and spelling for example, as well as researching targets.
"Many of the criminals subscribe to corporate information in order to find out who key executives in companies are. They can then look up on social media and the web to find email addresses and register a similar account for the impostor," says Jakobsson. "They are also trying to find out about organizational changes -- mergers and acquisitions, fund raising cycles -- because the more they know about the more they can use the context to pitch in the correct way."
You can find out more in the full report which is available from the Agari website.