Cyber criminals go spear phishing, harpoon executives

The email sent to a Snapchat payroll employee on a Friday in February looked authentic enough. It appeared to be an urgent directive from the CEO of the social media company.

Eager to please the boss, the recipient provided what the email asked for—some payroll information of Snapchat’s current and former employees. It was a scam. Snapchat called the FBI and offered the affected employees two years of identity-theft insurance and monitoring.

“A number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry,” Snapchat was compelled to disclose in a blog posting.

Thus Snapchat joins the ranks of thousands of organizations hacked by a stunningly simple—yet devastatingly effective—form of spear phishing, referred to by the FBI as “business email compromise,” or BEC scams.

Unlike generalized phishing scams that are widely dispersed, or spear phishing attempts crafted to entice the intended victim into clicking on a viral attachment or to a malicious web page, BEC scams are 100 percent social engineering. They involve a one-off message sent to a specific employee at an opportune moment.

The attacker first goes through pains to construct a persuasive request for the recipient to willingly carry out an action, such as transferring funds into a “mule account” controlled by the criminals, or forwarding sensitive documents.

‘Whaling’ attacks surface

Also referred to as “whaling,” “human hacking” and “CEO fraud,” BEC scams pivot off abusing a trust relationship between two individuals, usually a superior and a subordinate. And because there is no viral attachment or malicious URL involved, there is precious little for traditional email filtering systems to detect.
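Because a BEC message carries no attachment or link, the features left for a mail gateway to inspect are the headers and the wording itself. The following Python script is an added example, not code from this article or from Mimecast's product, showing the kind of header-level heuristics a defender can layer on top of content filtering: an executive's display name arriving from an outside domain, a sender domain one typo away from the organization's real one, a Reply-To that diverts replies elsewhere, and urgency or payment language. The domain `example.com`, the executive names, the term list and both sample messages are constructed for illustration.

```python
"""Header-based heuristics for executive-impersonation (BEC) email.

Added example. INTERNAL_DOMAIN, EXECUTIVE_NAMES, URGENCY_TERMS and the two
sample messages are constructed assumptions, not data from any real case."""
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"          # assumption: the defending organization's domain
EXECUTIVE_NAMES = {"jane doe", "john roe"}  # assumption: names most likely to be spoofed
# Phrasing typical of the "urgent request from the boss" pattern (constructed list).
URGENCY_TERMS = ("urgent", "asap", "immediately", "wire", "payroll", "w-2", "confidential")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # keep a as the shorter (or equal-length) string
    for i in range(len(a)):
        if a[i] != b[i]:
            if len(a) == len(b):
                return a[i + 1:] == b[i + 1:]   # single substitution
            return a[i:] == b[i + 1:]           # single insertion in b
    return len(b) == len(a) + 1                 # b has one extra trailing character


def assess(raw: str) -> dict:
    """Score a raw RFC 822 message; two or more findings marks it suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    findings = []

    # 1. Display name of a known executive, but the address is not ours.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_dom != INTERNAL_DOMAIN:
        findings.append("executive display name on external sender")

    # 2. Sender domain is a one-character lookalike of the real domain.
    if from_dom and from_dom != INTERNAL_DOMAIN and _one_edit_apart(from_dom, INTERNAL_DOMAIN):
        findings.append("lookalike sender domain")

    # 3. Replies are redirected to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("Reply-To domain differs from From domain")

    # 4. Urgency / payment / personnel-data wording in subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = ((body.get_content() if body else "") + " " + msg.get("Subject", "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))

    return {"findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample: a CEO-impersonation request for employee tax forms.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.test
To: payroll@example.com
Subject: Urgent - W-2 info needed today
Content-Type: text/plain

Hi, I need the W-2 forms for all current and former employees sent to me ASAP. Keep this confidential.
"""

# Constructed sample: a benign internal message from the same executive.
SAMPLE_NORMAL = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Thanks for the quarterly summary
Content-Type: text/plain

Looks good, no changes needed.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("normal", SAMPLE_NORMAL)):
        result = assess(sample)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

Each check alone is noisy (a genuine executive may well write "urgent"), so the script only flags a message when at least two independent signals coincide; in production the threshold, the executive roster and the term list would come from the organization's own directory and tuning rather than the constants above.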

BEC scammers hit the Asia Pacific region hard last year, particularly targeting companies in Australia and New Zealand, according to a recent report from security firm PhishLabs.

And in the United States, more than 7,000 U.S. companies have fallen victim to BEC scams since late 2013, when the FBI’s Internet Crime Complaint Center began tracking them. Total dollar losses have exceeded $740 million. That doesn’t include victims outside the U.S. and unreported losses.

The rise of BEC attacks is, in a way, a byproduct of the progress made in thwarting other types of viruses, malware and traditional phishing scams. “Cyber criminals have learned that not using malware is a great way of getting into organizations and enterprises because there’s nothing to signature,” says Orlando Scott-Cowley, cybersecurity strategist for Mimecast, an IT security firm that has developed a service—Impersonation Protect—to address the threat.

“There are numerous organizations here that have horror stories of losing millions of dollars,” Scott-Cowley says. “I think the largest single transfer we found was $10 million.”