Report from the ‘From” Lines (Part 1 of 3)
From bank account takeovers, to real estate cons, to romance scams and more, cruel consumer phishing tactics are leading to devastating losses for victims
But is advanced email security really the answer?
Sean Smith and Erin Wrona are quite familiar with the crushing cost of email fraud. For them, the price tag was $1.57 million.
According to reports, the Washington DC-area couple had put aside that money to pay for their five-bedroom, 2,300-square-foot dream house. They’d already put down a $200,000 deposit on the home earlier in the year. So when they received an email asking them to proceed with wiring the remaining funds to their title company, they just assumed the message was legit.
It was anything but. As it turns out, a cybercriminal had hacked into the title company’s servers and sent the couple an email asking them to wire the money to a bank account that, unbeknownst to anyone, was controlled by the thief.
For Smith and Wrona, it was an unwelcome introduction to the burgeoning world of consumer email fraud. But if it’s any consolation, they’re hardly alone.
According to the FBI, up to $1.4 billion in real estate transactions are diverted through email scams each year, making it one of the fastest growing cyber crimes in the country. Unfortunately, solutions to this and other consumer phishing tactics grow more elusive by the day.
Breaking Hearts, Draining Bank Accounts
Indeed, whether it’s real estate, banking, lending or any other industry, consumer-centric email fraud typically involves criminals sending out deceptive emails that appear to come from a trusted source—a respected brand, a financial services firm, an email service provider—or even a romantic suitor.
Just ask the Houston-area divorcee courted by “Charlie,” a “construction worker” she met online. For her, it started innocently enough with playful posts on Facebook. But things eventually progressed to extended email exchanges through which “Charlie” conned her out of $30,000 in wire transfers—and eventually the bulk of her life savings. “I was looking for happiness,” she says. “I thought I could find that with Charlie.”
Then there’s 20-something Kayleigh Rance, who was nearly recruited to be a money mule after grifters sent out fake job lead emails to contacts harvested from resumes posted to online employment sites. In the end, Rance backed out. But there has been a 27% increase in recruits under the age of 25 who receive and transfer stolen money on behalf of criminals. If caught, they can face up to 14 years in prison. Says Rice: “It just makes you feel a bit sick.”
Or take the 300 TSB customers who recently saw their accounts emptied after desperately responding to fraudulent security alert emails after news reports of a computer system meltdown at the bank. The emails, of course, led to sites that fooled these customers into entering their login credentials. “They’ve taken all my money,” says Susie Goode, a 40-year-old mother of four. “I’m not sleeping properly because I’m so stressed. I’ve got a family to look after.”
“These fraudsters can rob people of their life savings in a matter of minutes,” says US Attorney General Jeff Sessions. “These are malicious and morally repugnant crimes.”
The question is: What will it take to stop them?
Block & Tackle
For the financial services industry, fighting back against consumer phishing attacks presents some vexing challenges.
Some FIs are deploying behavioral analytics technologies to spot patterns that could signal money mule activities. And many organizations, including those involved with real estate transactions, are implementing new safeguards against fraudulent wire transfers.
But these efforts are after-the-fact. What about stopping the estimated 12,000 unique monthly phishing campaigns that exploit their good names to defraud consumers—including their existing customers?
Traditional approaches involve identifying phishing websites and neutralizing emails containing hyperlinks pointing to these pages. But this is easily circumvented by criminals who send smaller batches of emails, each with its own unique URL.
Besides, the most devastating attacks rely on identity spoofing, social engineering and other tactics that fool recipients into thinking they’re responding to senders they know and trust.
The truth is, there are already effective ways to short-circuit most of this. But it requires ISPs to deploy advanced machine learning technologies with the kind of analytics capabilities needed to go beyond content analysis and infrastructure reputation to assess people, relationships and behaviors instead.
What’s more, a standard known as Domain-based Message Authentication Reporting and Conformance (DMARC) can prevent criminals from spoofing a legitimate business’ email domain. But today, 80% of financial institutions have yet to set up even the most basic DMARC policy parameters needed to do this effectively. While DMARC can’t prevent all forms of identity impersonation in email, it is an essential first step that every company should take
Hell to Pay
Whether these or other kinds of email security measures will be adopted anytime soon is anyone’s guess.
But with losses from email fraud expected to top $5 billion this year, the next Wrona, Rance, Smith or Goode to be victimized by consumer phishing schemes could pay a very high price for the delay.
To learn more about the rapidly evolving world of email fraud and advanced solutions for stopping it, download an exclusive white paper, “Behind the ‘From’ Lines: Email Fraud on a Global Scale“