Email Security Blog

BEC Advanced Email Attacks Targeting Financial Institutions Growing Costlier

John Wilson August 16, 2018 Financial IT Security, Financial Services
typing on laptop

Recent Dark Web activity points to a boom in assaults against financial services organizations and their customers—and why advanced email attacks via business email compromise remain cybercriminals’ preferred point of entry

A 150% increase in cyberattacks in recent months may have financial services organizations focusing on protecting corporate systems while ignoring their Achilles heel—advanced email attacks that easily bypass cyber-defenses by targeting employees and customers.

According to industry reports, the average number of cyberattacks per banking institution rose to 520 during the first half of 2018, compared to 207 per bank during the same period last year. While these assaults take many forms, they almost always start with business email compromise (BEC) attacks and other advanced email threats. That includes up to 93% of all successful breaches.

It’s about to get worse. New data from 50 top banks and financial institutions (FIs) in the US and Europe shows a dramatic increase in Dark Web activity that suggests they could be in for a digital blitzkrieg over the next 12 months. The problem: Up to 80% of these organizations lack the proper technologies to detect and block increasingly sophisticated BEC attacks against employees—let alone those targeting their customers.

It could cost them. According to the FBI, BEC has led to more than $12 billion in losses for US businesses since October 2013. But can anything really stop it?


Imposter Syndrome

Right now you may be thinking, “Email? We have malware and anti-virus systems in place already. Can it really be such a big threat?”

But here’s the thing. While FIs have been busy fortifying their perimeter defenses in recent years, cybercriminals got really good at identity deception that can bypass those same defenses through what remains the single most important communication and collaboration tool ever.

We’re not talking about those hilariously bad phishes of yesteryear. Not by a long shot. Today, networked cybercrime rings armed with abundant information from social media produce highly credible, exquisitely-targeted emails that are virtually indistinguishable from messages sent by a trusted colleague, lender or banking brand.

Adding to the verisimilitude? Ploys such as display name fraud, domain spoofing, lookalike domains and, when possible, previously hijacked email accounts can be used to easily defraud their prey. Sometimes, it even involves meticulous grooming over weeks or even months to gain the trust of an unsuspecting employee or consumer mark. And these and similar ruses appear to be worth the trouble.

As it stands now, a typical BEC campaign has a success rate of 3.7% and will snare its first victim in just under four minutes. And while the traditional bank robbery averages $3,816 in losses, successful BEC attacks can score $130,000 or more, according to CNBC. But that could be a low estimate.

An Endless @ttack

That $81 million heist from the Central Bank of Bangladesh in 2016? There’s reason to believe hackers infiltrated the systems needed to transfer funds through BEC attacks against low- and mid-level officials. The Carbanak crime network and its $1.2 billion in loot from malware and phishing attacks? Still going strong. The truth is, most incidents are never reported, putting any loss estimates at the low end.

Which brings us to your customers. Fraud alerts, account confirmations and suspension emails are among the top 10 most effective lures scammers use to hook their prey. Just look at what happened to hundreds of TSB customers this spring (link to part 1 of series). Extrapolating from reports in Dark Reading, there could be upwards of 200 million email attacks on US consumers in 2018.

Like the Carbanak operation, many cybercriminals use “work from home” scams to recruit money mules (link to part 1 of this series) to help them launder money. Even with massive international operations between FIs and law enforcement these mules contribute to an estimated $2 trillion in losses each year–a whopping 2%-5% of global GDP.

Another hot target: Real estate transactions. A successful email account takeover at a title company or real estate agent enables fraudsters to fool buyers into wiring down payments or closing funds to fraudulent accounts. According to the FBI, nearly $1 billion was stolen in real estate transactions in 2017.

Fighting back against all this? Easier said than done.

Disrupting the Deceptions

So far at least, traditional approaches to fighting BEC and other email threats haven’t proven effective at countering schemes that leverage identity spoofing, social engineering and other tactics.

Instead, some FIs are finding they need to deploy the kind of modern machine learning technologies that go beyond content analysis and sender infrastructure reputation to assess people, relationships and behaviors in order to disrupt fraudulent messages from hitting their targets.

As for protecting customers? That can be even tougher. While most financial services organizations have implemented Domain-based Message Authentication Reporting and Conformance (DMARC) protocols that can help recipient systems spot brand impersonators, only 20% of financial institutions have set up the DMARC policy parameters needed to do this effectively.

As organizations assess solutions on both fronts, there are cross-industry efforts among security vendors, financial services companies and law enforcement organizations to collaborate in identifying, disrupting and apprehending the bad actors behind BEC. Case in point: a recent multinational operation known as Operation WireWire.

And others see promise in new active defense techniques that help to not just block email attacks, but also help authorities shut down the operations behind them.

A Year of Living Dangerously

Will any of this help? There are mounting signs of progress. In fact, organizations seeking solutions to advanced email threats can take a cue from companies that are blazing trails against these and other emerging challenges.

For example, check out this TechValidate case study on one large company’s approach to protecting against BEC and improving incident response and forensics for targeted email attacks.

With Dark Web activities pointing to increased attacks on major banking system transfer platforms such as SWIFT, as well as stepped-up assaults on consumers, let’s hope banks and other FIs heed the warnings and deploy effective solutions to the growing number of growing number of threats behind the “From” lines.

To learn more about BEC attacks and other advanced email threats, download an exclusive industry report from Agari, “Behind the ‘From’ Lines: Email Fraud on a Global Scale

Agari Blog Image

April 30, 2020 Armen Najarian

Business Email Compromise (BEC) Scams: COVID-19 Related Email Attacks Top Threat to Financial Services

With billions of dollars in stimulus being earmarked for US companies and individuals reeling from…

Agari Blog Image

April 28, 2016 Suzanne Parsons

Agari Proud to Join FS-ISAC Again This Year!

We’re looking forward to another great FS-ISAC summit next week in Miami. Twice a year, the…

Agari Blog Image

May 20, 2014 Agari

Q1 TrustIndex Findings: Financial Industry Under Attack

But no industry is safe The attack landscape is volatile – in Q1 the ThreatScore…

Agari Blog Image

January 12, 2012 Agari

Financial Times: Why Phishing Pays Off for Email Security Providers

Earlier today, Joe Menn of the Financial Times wrote a nice article about Agari and…

mobile image