The human resources manager tried to be calm and reassuring, but there still was a brief moment of panic: someone, somewhere, had tried to steal Robert’s salary.
As anybody with a mortgage knows, missing payday by just one or two days could cause a lot of trouble. The manager had received an email that seemed to come from Robert (not his real name) - from an email address that seemed to be his, using his standard corporate email signature, perfect down to the smallest detail.
The email had instructed an HR operations manager, Jonni Learoyd, who works in the London office of global public relations agency Edelman, to change Robert’s banking details. “It’s just a courtesy call, not to worry – the email was flagged by the IT department as a phishing attack, I assume you don’t want to change your bank details, do you?” asked Learoyd. Robert certainly didn’t.
Email phishing scams of this nature are nothing new. But this one is different. IT security experts call them Business Email Compromise or BEC for short; a worker receives an email from a top boss, asking them to immediately wire a large amount of money for a big deal or acquisition to a specific account. Except the sender of the email is an imposter.
Many high-profile organisations have fallen victim to this type of scam; according to recent FBI research, BEC attacks cost businesses around the world £9.52 billion over the past five years. It can hit any type of company: last year, Italian top-tier football club Lazio wired a £2 million transfer fee payment to a fraudster. In the UK, Glasgow-based Peebles Media Group is now suing a former employee for transferring nearly £200,000 to criminals.
To stay one step ahead, the attackers are now moving down the value chain, targeting executives like Robert by going directly after the pay cheque. Typically, they ask HR officials to redirect relatively modest sums of money to a different bank account – say a few hundred pounds – in the hope that the monthly diversion won’t be noticed. It’s a very low-key approach, and by the time the employee notices and raises the alarm, it’s too late. In Robert’s case, the scammers made their move just in time for payroll and tried to redirect the salary in full. “This is the first time that we’ve come across a BEC attack attempting to intercept an employee’s salary payment,” says Mark Nicholls, director of cybersecurity at Redscan.
Edelman is a large corporation, so its IT department has software installed that automatically scans all email addresses and flags whether a message originates from inside the company, or is about to be sent to an external email address. So even if the email is “spoofed” to look as if it comes from a real internal account, the software will spot the difference.
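To make the “internal or external?” check concrete, here is an added illustration of the kind of gateway rule the paragraph describes. It is not Edelman’s software or any vendor’s product: it reads the receiving mail server’s Authentication-Results header (DMARC outcome), compares the From, Reply-To and display-name domains against an assumed corporate domain, tags anything that did not originate internally, and flags bank-detail wording for the kind of courtesy call Learoyd made. The domain corp.example, the sample messages and the keyword list are constructed for the demo.

```python
"""Tag inbound mail that claims an internal sender but did not originate internally.

Added illustration, not Edelman's software. Assumes the corporate domain is
corp.example and that the gateway stamps an Authentication-Results header.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = frozenset({"corp.example"})   # assumed corporate domain
EXTERNAL_TAG = "[EXTERNAL]"
PAYROLL_WORDS = re.compile(
    r"\b(bank details|bank account|sort code|payroll|direct deposit|salary)\b", re.I
)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].strip().lower()


def _auth_result(header: str, method: str) -> str:
    """Pull 'pass'/'fail'/... for spf, dkim or dmarc out of Authentication-Results."""
    m = re.search(rf"\b{method}=(\w+)", header, re.I)
    return m.group(1).lower() if m else "none"


def _body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify_message(raw: str, internal_domains=INTERNAL_DOMAINS) -> dict:
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    dmarc = _auth_result(msg.get("Authentication-Results", ""), "dmarc")
    claims_internal = from_domain in internal_domains

    indicators = []
    # 1. Our own domain in From:, but the gateway could not authenticate it, so the
    #    message was injected from outside rather than sent by our mail system.
    if claims_internal and dmarc != "pass":
        indicators.append(f"internal From: domain but dmarc={dmarc}")
    # 2. Replies would be diverted away from the apparent sender.
    if reply_addr and _domain(reply_addr) != from_domain:
        indicators.append(f"Reply-To domain {_domain(reply_addr)} differs from {from_domain}")
    # 3. The display name shows an address whose domain is not the real sender's.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and _domain(shown.group(0)) != from_domain:
        indicators.append("display name shows an address other than the real From:")

    # Bank/payroll wording alone is not proof of fraud; it is the trigger for a
    # courtesy call to the employee before any details are changed.
    payroll_request = bool(
        PAYROLL_WORDS.search(msg.get("Subject", "")) or PAYROLL_WORDS.search(_body_text(msg))
    )
    external = (not claims_internal) or dmarc != "pass"
    subject = msg.get("Subject", "")
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"

    verdict = "quarantine" if indicators else ("verify_by_phone" if payroll_request else "deliver")
    return {"from_domain": from_domain, "external": external, "indicators": indicators,
            "payroll_request": payroll_request, "subject": subject, "verdict": verdict}


# Constructed sample messages (not real traffic).
SPOOFED_PAYROLL = """\
From: Robert Smith <robert.smith@corp.example>
Reply-To: robert.smith.personal@mail.example
Subject: Updated bank details before payroll
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail.example; dkim=none; dmarc=fail header.from=corp.example
Content-Type: text/plain; charset="utf-8"

Hi, please update my bank account and sort code before this month's payroll.
Robert
"""

GENUINE_INTERNAL = """\
From: Robert Smith <robert.smith@corp.example>
Subject: Lunch on Friday?
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
Content-Type: text/plain; charset="utf-8"

Are you free for lunch on Friday?
"""

DISPLAY_NAME_SPOOF = """\
From: "robert.smith@corp.example" <rs9123@mail.example>
Subject: Quick favour
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail.example; dkim=pass header.d=mail.example; dmarc=pass header.from=mail.example
Content-Type: text/plain; charset="utf-8"

Can you send me the HR contact for salary changes?
"""

if __name__ == "__main__":
    for name, sample in [("spoofed", SPOOFED_PAYROLL), ("genuine", GENUINE_INTERNAL),
                         ("display-name", DISPLAY_NAME_SPOOF)]:
        print(name, classify_message(sample))
```

The DMARC test is the one that catches the case in the article: the From address is genuinely Robert’s, so a naive “is the domain ours?” check passes, but the gateway could not authenticate the message as having come from the company’s mail system. The Reply-To and display-name checks cover the two cheaper impersonation tricks, and the payroll-wording flag routes even a fully authenticated request to an out-of-band confirmation rather than trusting the mail on its own.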
Smaller firms, however, are rarely that lucky. With few software checks, it may well be the visual inspection and IT threat awareness of a lone HR manager that’s the one and only line of defence. “In a small firm, such an attack could be a real threat,” says Learoyd. At Edelman, he personally intercepted four such phishing attempts just in the past two weeks. “I’ve talked about it with my colleagues in the HR department, and it’s clear that this type of scam is on the rise,” he adds.
While the particular approach of targeting HR managers is novel, it is still a BEC – and shows that criminals are becoming increasingly creative. Security firm Agari first noticed these scams in January this year, primarily focusing on C-level executives and frequently impersonating a company's CEO. “We’ve recently seen campaigns where the impersonated targets are becoming more diverse,” says Crane Hassold, senior director of threat research at Agari. “It's also an evolution of past payroll diversion phishing campaigns,” he adds, which were very prevalent early in 2018.
AI cyber defence firm Darktrace also recently caught an attack targeting a film production studio in Los Angeles, after the account details of a contact at a trusted supplier had been compromised. The criminals read through the contact’s historical correspondence with an employee at the studio, learnt the typical tone and style of their conversations, and sent a plausible reply to the employee’s latest email. “It was practically indistinguishable from genuine communication but included a malicious link, plausibly with the motivation of obtaining VIP salary information,” says Max Heinemeyer, director of threat hunting at Darktrace. “These types of attacks are increasingly common, and very difficult to detect.”
One of the reasons that BECs are becoming more prevalent is that more and more companies are using cloud services such as Office 365 and Google Business, says Nicholls. Cloud systems tend to spot malware, so scams have to evolve from traditional phishing attacks (which try to capture credentials or attempt to infect people with malware) and instead require some social engineering, with a higher degree of interaction with the intended victims. “The attacker has to impersonate a user and actually interact with the target, which often requires considerable research and planning,” he says.
Sadly, there isn’t much that can be done to recover money sent to fraudsters. “In most instances, banks will not refund any money transferred, so unless an organisation has cyber insurance in place it will not be compensated,” Nicholls says. Prevention and detection are the best way of avoiding financial loss.
For companies, this means training their HR teams and other employees to spot the new generation of phishing attempts, from spoofed email addresses to inconsistencies in presentation and language. For instance, says Learoyd, even though the email impersonating Robert looked nearly perfect, he did notice that the font in the signature was ever so slightly different. A less experienced HR employee could have easily missed it, he adds. IT teams, of course, also need to make sure that all their systems are up to date and have the latest security patches; all sensitive company information must be encrypted as a matter of course.
In the race to stay one step ahead, HR departments also need to upgrade the technology they use to detect scams. Artificial intelligence, for example, may be able “to discern the weak indicators that would reveal this ‘trusted employee’ to be a hijacked account controlled by an attacker,” says Heinemeyer. “Within seconds of the malicious attack being detected, AI could both stop the threat from escalating and also stop other members of the HR department, and the wider company, from being hit in the first place,” he adds.
This article was originally published by WIRED UK