Search Close
Email Security Blog

Social Engineering: The Weapon of Choice for Email Scammers

John Wilson November 15th, 2018 Social Engineering

October’s blockbuster report from the Security and Exchange Commission on its investigation into nine publicly-traded companies swindled out of $100 million through email scams was certainly alarming.  

But one key element stood out for me—the fact that none of the attacks involved malware or malicious links. The fraudsters’ weapon of choice was plaintext email messages. These emails relied on identity spoofing and social engineering tactics to manipulate recipients into wiring millions of dollars by making them believe they were reacting to a known and trusted sender.

According to the report, one of the companies made 14 separate wire payments for fake invoices over the course of several weeks—racking up $45 million in losses. Another paid out $30 million.

Though it’s true that some email attacks still include phishing links or attachments with spyware, ransomware, or any kind of “-ware” you can think of, it’s the criminal use of human psychology in simple, innocuous-looking email messages that is quickly becoming the number one cybersecurity threat to businesses and consumers alike.   

Double Trouble

But how can this really be possible? How can smart people be fooled into revealing sensitive information or wiring money (and apparently lots of it), simply by receiving an email purporting to come from a known business or individual?

You’d be surprised. For one thing, we’re not talking simple spam here. Not by a mile. Today, networked cybercrime rings produce emails that can be so well researched and so exquisitely targeted that they can be virtually indistinguishable from messages sent by a trusted colleague or brand.

Adding to the impersonation? Ploys such as display name fraud, lookalike domains, and, when possible, previously hijacked email accounts that can be used to easily defraud their prey. Sometimes, it even involves meticulous grooming over weeks or even months as fraudsters gain the trust of unsuspecting employee or consumer targets. As a whole, these efforts appear to be well worth the effort.

Angles of @ttack

Today, a typical business email compromise (BEC) campaign will snare its first victim in just under four minutes, often with queries about a past-due invoice or updates to payment details.

Sometimes, these schemes entail a late-afternoon message purported to come from a top executive reading, “Are you still at your desk?”

Or even better, they’re sent just after regular business hours, increasing the odds the recipient will read the message on a mobile device. Why? Because most mobile email clients display only the sender’s name as a default—not the email address. Recipients pressured to act quickly while out of the office may react to messages that appear urgent without thinking to confirm legitimacy.

The SEC report makes clear just how financially remunerative these rackets can be. In fact, according to the FBI, more than $12 billion has been pilfered through such cons since 2013.

Then there are your customers.

Fast Money, Long-Lasting Effects

Phishing attacks targeting consumers typically involve impersonating well-known brands from a variety of sectors. Consumer packaged goods, media, retail, fast food, real estate, banking, government, and just about any other industry you can imagine can be leveraged as the bait in a phishing scam.

Here too, social engineering is central to success. By projecting urgency—”Password Check Required,” “Your Payment Has Been Declined,” or “Security Alert,” for instance—these emails are designed to fool recipients into responding quickly before facing some perceived consequence. Last year alone, consumers lost $172 billion through these and similar online scams.

When it’s your brand that gets impersonated, victims often unfairly blame your company, sharing their outrage on social media. Even when a customer hasn’t been personally duped, publicity about cons bearing your brand name can mean they’ll be hesitant to open the next email you actually do send.

Not only can victims face financial ruin, but the ripple effect can also have serious repercussions to your bottom line. Among other things, it can hobble marketing efforts in a channel that’s 40 times more effective at generating revenue than any other digital medium at your disposal. The impact can be long-lasting, with negative stories simply one Google search away.

Traditional Email Security Isn’t Enough

Unfortunately, while traditional secure email gateways (SEGs) and other email security solutions are generally quite good at ferreting out malicious links and malware, they haven’t proven effective at countering fraud attacks that are primarily propelled by social engineering.

Instead, some organizations are finding they need to deploy artificial intelligence-based technologies that apply behavioral analytics to understand the relationships between sender and receiver to sniff-out socially-engineered email attacks.

As for protecting customers? That can be even harder. While many organizations have implemented the Domain-based Message Authentication Reporting and Conformance (DMARC) standard that can help recipient systems spot brand impersonators, only 20% of them have set up the DMARC policy parameters needed to do this effectively.

In this four-part series, we’ll delve deeper into social engineering-driven email attacks—including romance scams and email-based real estate scams that together have cost consumers and businesses more than $1 billion in just the last year. 

We’ll also take a closer look at solutions that combine machine learning and globally crowdsourced threat intelligence to defeat sophisticated con artists in order to protect themselves and their customers from attacks aimed at robbing them blind.

To learn more about improving your defenses against the #1 cybersecurity threat businesses and consumers face, download “Email Security: Social Engineering Report” from Agari and ISMG now.

Leave a Reply

Your email will not be published. All fields are required.

mobile image