Over the last four years, the information security community has learned a lot about business email compromise (BEC) and the inner workings of Nigerian cybercrime rings who have made it their mainstay.
At Agari we often talk about the evolving nature of advanced email attacks and the identity deception tactics that go with them. These attacks bypass legacy controls and like a magician delighting a curious audience, they trick the human psyche by targeting core human emotions such as fear, anxiety and curiosity. Of course, the magic in this case comes with ill intent.
A good example of a sophisticated attack and one that we address in the Agari Fall’19 release is the use of email with voice message attachments to execute phishing schemes.
Here’s some earned media you don’t want for your brand—headlines announcing that your customers are victims of a “nasty phishing scam” or that your “accounts are under attack.” Verizon and Microsoft have had to manage those headlines in recent months. And other tech companies are vulnerable to the same kind of brand damage right now. That’s because organized cybercriminals are going all-in on brand impersonation scams, and many tech brands have yet to shore up their email security.
Have you ever received a blank email from someone you don’t know? If you have, it may have been from a cybercriminal making sure your email account is legitimate prior to a Business Email Compromise (BEC) attack. Agari and PhishLabs define BEC as any response-based spear phishing attack involving the impersonation of a trusted party to trick victims into making an unauthorized financial transaction or send sensitive materials.
Want to know how email became the number one attack vector for cybercriminals?
Receipts and invoices—two accounting powerhouses that require little introduction. But step a little further into the world of finance and accounts, and you can quickly become a fish out of water, as the terminology to this numerical land seems to multiply exponentially.
DMARC adoption rose a tepid 1% in the first quarter of the year, with the rate of growth slowing compared to the last three months of 2018, according to our latest report on email security trends. That said, nearly 90% of Fortune 500 businesses remain unprotected against email-based impersonation attacks targeting their customers, partners, and other businesses. But Australian companies lead their peers around the world in putting the public at risk.
There is no denying that business email compromise (BEC) is big business, with losses exceeding a billion dollars in the United States in the last year alone. Globally, BEC attacks have cost more than $13 billion in the last five years. Chances are likely that you’ve probably been a recipient of one of these social-engineered emails yourself. But the question remains… who is behind these increasingly sophisticated email attacks, and why did they become so popular in recent years?
In B2B email marketing, nothing says amateur hour like a landing page with the words "Not Secure" in the URL. A missing SSL certificate is bad enough, but it's the lack of something called "Domain-based Message Authentication, Reporting & Conformance" (DMARC) that could obliterate your KPIs and cost your company millions in brand reputation and revenue.
Enterprise email architecture is evolving, which is good news for cybercriminals. Legacy secure email gateways (SEGs) simply don't provide full protection from today’s evolving and costly attacks, and cloud-based email requires a new security approach.