
Email Fraud: Growing Threats Have Consumers Paying Steep Price

John Wilson July 24th, 2018 Email Security

Report from the ‘From’ Lines (Part 1 of 3)

From bank account takeovers, to real estate cons, to romance scams and more, cruel consumer phishing tactics are leading to devastating losses for victims.

But is advanced email security really the answer?

Sean Smith and Erin Wrona are quite familiar with the crushing cost of email fraud. For them, the price tag was $1.57 million.

According to reports, the Washington DC-area couple had put aside that money to pay for their five-bedroom, 2,300-square-foot dream house. They’d already put down a $200,000 deposit on the home earlier in the year. So when they received an email asking them to proceed with wiring the remaining funds to their title company, they just assumed the message was legit.

It was anything but. As it turns out, a cybercriminal had hacked into the title company’s servers and sent the couple an email asking them to wire the money to a bank account that, unbeknownst to anyone, was controlled by the thief.

For Smith and Wrona, it was an unwelcome introduction to the burgeoning world of consumer email fraud. But if it’s any consolation, they’re hardly alone.

According to the FBI, up to $1.4 billion in real estate transactions are diverted through email scams each year, making it one of the fastest growing cyber crimes in the country. Unfortunately, solutions to this and other consumer phishing tactics grow more elusive by the day.

Breaking Hearts, Draining Bank Accounts

Indeed, whether it’s real estate, banking, lending or any other industry, consumer-centric email fraud typically involves criminals sending out deceptive emails that appear to come from a trusted source—a respected brand, a financial services firm, an email service provider—or even a romantic suitor.

Just ask the Houston-area divorcee courted by “Charlie,” a “construction worker” she met online. For her, it started innocently enough with playful posts on Facebook. But things eventually progressed to extended email exchanges through which “Charlie” conned her out of $30,000 in wire transfers—and eventually the bulk of her life savings. “I was looking for happiness,” she says. “I thought I could find that with Charlie.”

Then there’s 20-something Kayleigh Rance, who was nearly recruited to be a money mule after grifters sent out fake job lead emails to contacts harvested from resumes posted to online employment sites. In the end, Rance backed out. But there has been a 27% increase in recruits under the age of 25 who receive and transfer stolen money on behalf of criminals. If caught, they can face up to 14 years in prison. Says Rance: “It just makes you feel a bit sick.”

Or take the 300 TSB customers who recently saw their accounts emptied after desperately responding to fraudulent security alert emails after news reports of a computer system meltdown at the bank. The emails, of course, led to sites that fooled these customers into entering their login credentials. “They’ve taken all my money,” says Susie Goode, a 40-year-old mother of four. “I’m not sleeping properly because I’m so stressed. I’ve got a family to look after.”

“These fraudsters can rob people of their life savings in a matter of minutes,” says US Attorney General Jeff Sessions. “These are malicious and morally repugnant crimes.”

The question is: What will it take to stop them?

Block & Tackle

For the financial services industry, fighting back against consumer phishing attacks presents some vexing challenges.

Some FIs are deploying behavioral analytics technologies to spot patterns that could signal money mule activities. And many organizations, including those involved with real estate transactions, are implementing new safeguards against fraudulent wire transfers.

But these efforts are after-the-fact. What about stopping the estimated 12,000 unique monthly phishing campaigns that exploit their good names to defraud consumers—including their existing customers?

Traditional approaches involve identifying phishing websites and neutralizing emails containing hyperlinks pointing to these pages. But this is easily circumvented by criminals who send smaller batches of emails, each with its own unique URL.

Besides, the most devastating attacks rely on identity spoofing, social engineering and other tactics that fool recipients into thinking they’re responding to senders they know and trust.

The truth is, there are already effective ways to short-circuit most of this. But it requires ISPs to deploy advanced machine learning technologies with the kind of analytics capabilities needed to go beyond content analysis and infrastructure reputation to assess people, relationships and behaviors instead.

What’s more, a standard known as Domain-based Message Authentication, Reporting and Conformance (DMARC) can prevent criminals from spoofing a legitimate business’ email domain. But today, 80% of financial institutions have yet to set up even the most basic DMARC policy parameters needed to do this effectively. While DMARC can’t prevent all forms of identity impersonation in email, it is an essential first step that every company should take.
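To make "basic DMARC policy parameters" concrete, the following added example (not from the original post) grades a domain's DMARC TXT record by whether it actually tells receivers to act on spoofed mail. The verdict labels and the sample domains and records are constructed for illustration; in practice the string is the TXT record published at `_dmarc.<domain>`.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Split a DMARC record into a tag -> value dict (tag=value pairs joined by ';')."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt):
    """Return one of: missing, invalid, monitor-only, partial, enforced."""
    if not txt:
        return "missing"                      # no record: receivers get no guidance
    # RFC 7489: the version tag must come first and be exactly DMARC1
    if txt.split(";")[0].replace(" ", "") != "v=DMARC1":
        return "invalid"
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # RFC 7489 6.6.3: with no valid p= but a rua=, receivers act as if p=none
        return "monitor-only" if "rua" in tags else "invalid"
    if policy == "none":
        return "monitor-only"                 # reports only, spoofed mail still delivered
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100  # default applies to all mail
    subdomain_policy = tags.get("sp", policy).lower()
    if pct < 100 or subdomain_policy == "none":
        return "partial"                      # some spoofed mail escapes the policy
    return "enforced"

# Constructed sample records (None = no TXT record found at _dmarc.<domain>)
SAMPLE_RECORDS = {
    "bank-a.example": None,
    "bank-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example",
    "bank-c.example": "v=DMARC1; p=quarantine; pct=25",
    "bank-d.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@bank-d.example",
    "bank-e.example": "p=reject; v=DMARC1",
}

def audit(records):
    """Grade every domain in a {domain: record} mapping."""
    return {domain: assess_dmarc(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_RECORDS).items():
        print(f"{domain:16} {verdict}")
```

Only the `enforced` verdict means receivers are asked to quarantine or reject all unauthenticated mail claiming to come from the domain and its subdomains.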

Hell to Pay

Whether these or other kinds of email security measures will be adopted anytime soon is anyone’s guess.

But with losses from email fraud expected to top $5 billion this year, the next Wrona, Rance, Smith or Goode to be victimized by consumer phishing schemes could pay a very high price for the delay.

To learn more about the rapidly evolving world of email fraud and advanced solutions for stopping it, download an exclusive white paper, “Behind the ‘From’ Lines: Email Fraud on a Global Scale.”
