By all accounts, “Operation WireWire” was a massively successful crackdown against business email compromise (BEC) rackets around the globe. But did it really just raise more alarm?
On June 11, the FBI announced that a coordinated, six-month international law enforcement action against BEC rings had led to 74 arrests in the US, Nigeria and elsewhere.
The sting included the Department of Justice, Homeland Security and partner agencies worldwide.
Its purpose: take down cybercriminals launching sophisticated phishing attacks meant to fool corporate employees into sharing sensitive information or making hefty payments to what they mistakenly believe to be trusted colleagues or partners.
According to authorities, more than 50 raids resulted in the seizure of $2.4 million and the “disruption and recovery” of another $14 million in bogus wire transfers.
So, score one for the good guys, right? Absolutely. But with losses in the US topping $5 billion over the last three years, WireWire has also cast a spotlight on a threat that should have anyone responsible for cybersecurity and corporate messaging on notice.
Barely a blip on anyone’s radar just a few short years ago, BEC ploys have emerged as a critical issue for businesses everywhere.
As it stands now, 95 percent of all successful cyber attacks start with email sent to a well-targeted victim. Thirty-percent of recipients open phishing emails, and more than 1 in 10 click on malicious attachments.
After a typical attack is launched, its first target will be compromised in under 4 minutes.
So what gives? For starters, yesterday’s typo-laden spam is long gone. For a time, content deception took precedence, through seemingly innocuous email messages and attachments designed to deposit malware. As SEG (Secure Email Gateway) vendors added anti-malware detection capabilities to their offerings, phishing morphed into something more insidious.
Today, it’s all about identity deception—targeting specific individuals ostensibly from a known or trusted sender in order to manipulate the victim into taking actions they otherwise wouldn’t—without detection.
As Information Security reports, BEC can now be categorized as an advanced persistent threat (APT) because of the profound danger it poses to organizations.
Take FACC AG, an airbus supplier that lost $54 million in a “fake president” phishing swindle in 2016. In that scenario, hackers used email to impersonate the CEO and initiate a wire transfer to a fraudulent account. Last year, Google and Facebook were bamboozled out of $100 million, though they were ultimately able to recover funds.
Today, some attacks involve sending victims what appear to be Office 365 document-sharing invites from colleagues. Some perpetrators even create LinkedIn and Facebook identities to aid in their impersonation plots.
According to the FBI, the biggest cons in BEC include wire transfers, employee W-2 forms, and real estate schemes. Indeed, these and other cons are so elaborate and convincing, even an initial response to a probe makes it 10X more likely the recipient will become a victim of an attack than the average. Which helps explain why in the first quarter of 2018, phishing represented 50% of all attempted cyberattacks. In the last year, 96% of all companies were targeted by one hustle or another.
As it happens, the arrests in Operation WireWire come as no surprise to those familiar with BEC.
Sure, Nigeria may have once been known for fraudulent emails from mischievous “princes” seeking safe harbors for their supposed fortunes. But today, it’s home to 9 out of 10 of the most notorious BEC crime rings, with operatives and money mules spread out around the globe.
According to the FBI, losses from attacks from these organized rings and others are up 2,370% in just over a year. Which means finding solutions has grown urgent.
“At its core, business email compromise is a social engineering ruse that leverages familiarity, authority and trust, which can result in billions of dollars of losses to businesses,” says Markus Jakobsson, our chief scientist here at Agari—one of only a handful of companies developing innovative solutions to help organizations fight back against BEC.
For instance, on the heels of WireWire, we announced the latest quarterly enhancements to our Identity Deception Protection solutions, including the ability for companies to “search & destroy” active email threats and gain granular visibility into fraud tactics.
Whether these or other technologies will be enough over the long term remains to be seen. But one thing seems clear.
Operation WireWire was just the tip of the iceberg. As impressive as they may be, none of us can expect even the coordinated efforts of the FBI to save us from this rapidly-evolving threat.
To learn more about the latest trends in BEC attacks, check out this special Osterman Research report surveying several organizations about their views on email security and how they deal with them.