FBI Cautions: Cybercriminals Using Email Attacks on the Rise

Email is the Gateway to Cyber Crime

In March of this year, the FBI released the Internet Crime Report for 2022. What the FBI has shared is nothing short of astounding and should have business owners on high alert. Microsoft’s Digital Crimes Unit has reported to the FBI a 38% increase in cybercrime targeting business email between 2019 and 2022. The report reveals that in 2022, email hacking reported to the FBI resulted in losses of over $2.7 billion from Business Email Compromise (BEC) alone. BEC is a socially engineered cybersecurity scam that targets businesses so that individuals transfer money into an account set up by cybercriminals. According to the report, scams involving transactions totaled more than $590 million for 2022. Additionally, Microsoft Threat Intelligence detected 35 million attacks between April 2022 and April 2023, an average of 156,000 BEC attempts daily. The report further states that email is the entryway to 91% of all cyberattacks.

Who are the targets?

Any unsuspecting individual can become a victim of these attacks. Cybercriminals commonly impersonate CFOs, CEOs, or Human Resources managers; however, any employee can receive an email from an imposter and is therefore a potential victim of this type of crime. These criminals are highly sophisticated: they prey on an individual’s hastiness when reading email and lack of knowledge, and they mimic or hack into a familiar email account so that their requests seem legitimate.

What does the future of these scams look like?

As shared in an article from April 2023, The Harvard Business Review states, “The FBI’s 2021 Internet Crime Report found that phishing is the most common IT threat in America. However, most phishing scams are easily recognizable, as they’re often littered with misspellings, poor grammar, and awkward phrasing, especially those originating from other countries where the bad actor’s first language isn’t English. ChatGPT will afford hackers from all over the globe a near fluency in English to bolster their phishing campaigns.”

One growing concern is the development of ChatGPT and its ability to impersonate individuals. With the sophistication of ChatGPT, criminals can export sent emails (for example) to teach ChatGPT to write in the style of the CFO or CEO. As a result, cybercriminals can better mimic email exchanges with correct grammar and in the same tone as the individual whose email they are impersonating, so that the email or email exchanges seem credible. Once trust is built with the recipient, the criminal can change billing information for invoices, change passwords to bank accounts, or gain access to their computer. Another route the cybercriminal can take is exporting all mail and using ChatGPT to enhance phishing months into the future. The cybercriminal will wait for about six months or so and then send fake invoices for something the recipient is expecting, but with the wrong payment account information. It may not be until months later that the scam is discovered.

Another tactic on the rise is HTML smuggling, a technique used to install malware through email campaigns. Cybercriminals embed malicious script, encoded to evade inspection, in an email attachment or web page; it is decoded and run when the recipient opens the attachment or visits the page in a browser. Microsoft states, “…There are multiple ways to implement HTML smuggling through obfuscation and numerous ways of coding JavaScript, making the said technique highly evasive against content inspection. Therefore, organizations need a true ‘defense in depth’ strategy and a multi-layered security solution that inspects email delivery, network activity, endpoint behavior, and follow-on attacker activities.” As this article continues to point out, the best defense is a proactive approach.
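The content-inspection layer Microsoft refers to can be illustrated with a small attachment scanner. The following is an added example written for this post, not code from the article, Microsoft, or 4BIS. It scores an HTML attachment by how many of the browser APIs typical of in-browser file assembly and forced downloads appear together; the two attachment fixtures are constructed, and the "payload" in the suspicious one is filler that decodes to nothing.

```python
"""Constructed example: score an HTML email attachment for HTML-smuggling indicators.

Added as an illustration of the content-inspection layer in the defense-in-depth
strategy quoted above; it is not code from the article, Microsoft, or 4BIS.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Browser APIs that decode or assemble a file client-side and push it to the
# user as a download. Any one of them is ordinary in a web page; several
# together in a small standalone attachment is what makes it worth quarantining.
INDICATORS = {
    "base64_decode":   re.compile(r"\batob\s*\("),
    "blob_construct":  re.compile(r"new\s+Blob\s*\("),
    "object_url":      re.compile(r"createObjectURL\s*\("),
    "ms_save_blob":    re.compile(r"msSaveOrOpenBlob"),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)"),
    "char_code_build": re.compile(r"String\.fromCharCode\s*\("),
    "long_base64":     re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


@dataclass
class ScanResult:
    hits: List[str] = field(default_factory=list)
    verdict: str = "clean"


def scan_html_attachment(html: str, threshold: int = 3) -> ScanResult:
    """Return the indicators that fired; 'suspicious' once `threshold` distinct ones do."""
    result = ScanResult()
    for name, pattern in INDICATORS.items():
        if pattern.search(html):
            result.hits.append(name)
    if len(result.hits) >= threshold:
        result.verdict = "suspicious"
    return result


# Constructed fixture 1: an ordinary newsletter with one legitimate download link.
BENIGN_SAMPLE = """<html><body>
<h1>Quarterly update</h1>
<p>The full report is available as a PDF:
<a href="https://example.com/q2.pdf" download="q2.pdf">download</a></p>
<script>console.log("page viewed");</script>
</body></html>"""

# Constructed fixture 2: decodes an embedded string in the browser and offers it
# as a file. The encoded data is filler ("A" * 240) that decodes to zero bytes.
SUSPICIOUS_SAMPLE = (
    "<html><body><p>Loading your invoice...</p>\n<script>\n"
    '  var d = "' + "A" * 240 + '";\n'
    '  var b = new Blob([atob(d)], {type: "application/octet-stream"});\n'
    '  var a = document.createElement("a");\n'
    "  a.href = URL.createObjectURL(b);\n"
    '  a.download = "invoice.pdf";\n'
    "</script></body></html>"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        r = scan_html_attachment(sample)
        print(f"{label}: {r.verdict} {r.hits}")
```

The scanner is deliberately a scoring rule rather than a single signature, because, as the quote notes, the JavaScript can be obfuscated in many ways; a gateway would pair this with sandbox detonation and endpoint telemetry rather than rely on it alone.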


Homeless Charity, One Treasure Island: $650,000 BEC loss

In June 2021, a San Francisco-based nonprofit organization, One Treasure Island, lost hundreds of thousands of dollars to cybercriminals. The organization aims to help low-income and homeless people achieve stability by providing loans and grants in the surrounding geographic area. Email hackers were able to break into the email system of the nonprofit’s third-party bookkeeper, and from there they joined existing email threads and pretended to be individuals associated with the nonprofit by using similar email addresses. By manipulating a legitimate invoice, the hackers deceived the staff into thinking they were transferring the loan amount to a partner organization. Instead, the money was deposited into a bank account set up by the hackers. Meanwhile, the hackers emailed the intended recipient to say that the loan transfer would be delayed due to a yearly tax audit. The total amount lost was $650,000.

According to The Wall Street Journal, it wasn’t until more than a month later that the Executive Director of One Treasure Island realized the scam had occurred, when she learned during a Zoom call that the recipients had never received the money. Unfortunately, the nonprofit did not have cybersecurity insurance, and the FBI eventually declined the case. After working with local investigators where the crime occurred, the Executive Director was able to recover only $37,000.

What does this mean for me and my business?

Is the cost of cybersecurity worth it for my company? Aside from damage to your company’s reputation, once criminals gain access to your email, they can change your passwords, bank routing details, two-factor authentication method, and so on. For example, a cybercriminal could reset the password for your cell phone service provider’s website and log in as you. From there, the criminal can change your two-factor authentication method and gain access to your bank and retirement accounts.

Criminals will also use your email as a base from which to scam and infect more people. They will use your email to send fake attachments to your contacts that allow remote access to the recipient’s computer. At that point they have access to that company’s network. The hacker uses this foothold to gain full control of the network, export critical data, and encrypt all servers and computers. This ends in a demand for a ransom payment.

What Can I Do to Protect my Company?

Running a business means there will always be unavoidable risks, as there is no guaranteed way to fully prevent a cybersecurity attack. Some of Microsoft’s recommendations to create a defense against BEC attacks are listed below:

  • Use a secure email solution: Today’s cloud platforms for email use AI capabilities like machine learning to enhance defenses, adding advanced phishing protection and suspicious forwarding detection. Cloud apps for email and productivity also offer the advantages of continuous, automatic software updates and centralized management of security policies.
  • Secure Identities to prohibit lateral movement: Protecting identities is a key pillar to combating BEC. Control access to apps and data with Zero Trust and automated identity governance.
  • Adopt a secure payment platform: Consider switching from emailed invoices to a system specifically designed to authenticate payments.
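"Suspicious forwarding detection" in the first recommendation is a concrete control: a compromised mailbox is often given a rule that quietly copies financial mail to an outside address and hides it from the owner. The following is an added example written for this post, not code from the article, Microsoft, or 4BIS. It triages mailbox rule events for the patterns that matter; the JSON event shape is an assumed, simplified stand-in for a mailbox audit feed, and the organisation (harborfund.org) and the three events are constructed.

```python
"""Constructed example: flag suspicious mailbox forwarding rules from audit log lines.

Added illustration of 'suspicious forwarding detection'; not code from the
article, Microsoft, or 4BIS. The event format is an assumed simplification.
"""
import json
from typing import Dict, List

ORG_DOMAINS = {"harborfund.org"}                 # constructed organisation
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
HIDE_ACTIONS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")
MONEY_WORDS = ("invoice", "payment", "wire", "bank", "remit")

# Constructed audit events, one JSON object per line.
SAMPLE_LOG = [
    '{"Operation": "New-InboxRule", "UserId": "finance@harborfund.org", "RuleName": ".", '
    '"Parameters": {"SubjectContainsWords": ["invoice", "wire"], '
    '"ForwardTo": ["archive.box@mail-example.net"], "DeleteMessage": true}}',
    '{"Operation": "New-InboxRule", "UserId": "ops@harborfund.org", "RuleName": "Newsletters", '
    '"Parameters": {"From": ["news@vendor-example.com"], "MoveToFolder": "Newsletters"}}',
    '{"Operation": "Set-InboxRule", "UserId": "grants@harborfund.org", "RuleName": "Cover while away", '
    '"Parameters": {"ForwardTo": ["ops@harborfund.org"]}}',
]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def assess_rule(event: dict) -> List[str]:
    """Return human-readable findings for one rule creation/modification event."""
    p = event.get("Parameters", {})
    targets = list(p.get("ForwardTo", [])) + list(p.get("RedirectTo", []))
    findings = []

    # Forwarding to any domain the organisation does not own.
    external = [t for t in targets if _domain(t) not in ORG_DOMAINS]
    if external:
        findings.append("forwards mail outside the organisation: " + ", ".join(external))

    # Forwarding combined with an action that keeps the owner from seeing the mail.
    hidden = [a for a in HIDE_ACTIONS if p.get(a)]
    if targets and hidden:
        findings.append("forwarded mail is hidden from the owner via " + ", ".join(hidden))

    # Forwarding filtered specifically on financial subject lines.
    words = [w.lower() for w in p.get("SubjectContainsWords", [])]
    if targets and any(m in w for w in words for m in MONEY_WORDS):
        findings.append("forwarding filter keys on financial terms: " + ", ".join(words))

    # Rules with blank or single-character names are worth a second look.
    if len(event.get("RuleName", "")) <= 1:
        findings.append("rule name is blank or a single character")
    return findings


def triage(log_lines) -> Dict[str, List[str]]:
    """Map 'user/rule' to findings for every rule event that raised at least one."""
    flagged: Dict[str, List[str]] = {}
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("Operation") not in RULE_OPERATIONS:
            continue
        findings = assess_rule(ev)
        if findings:
            flagged[f"{ev['UserId']}/{ev['RuleName']}"] = findings
    return flagged


if __name__ == "__main__":
    for key, findings in triage(SAMPLE_LOG).items():
        print(key)
        for f in findings:
            print("  -", f)
```

Only the finance mailbox's rule is flagged; an internal forward while a colleague is away and a rule that files newsletters both pass, which is the point of checking the combination of target domain, hide actions and subject filter rather than any one of them.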

Advice

Advice for individuals on avoiding a BEC scam and mitigating risk includes:

  • If an email involves any kind of financial, gift card, or cryptocurrency transaction, carefully review the email for anything suspicious. Indicators that should raise alarm include an inaccurate email address, spelling or grammar issues within the email, an email sent at an unusual time of day, etc.
  • If the email is supposed to have come from a co-worker always confirm with your co-worker (via phone or in-person) that they did send you the email.
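The indicators in the first bullet, together with the "similar email addresses" used against One Treasure Island above, can be checked mechanically before a person ever reads the message. The following is an added example written for this post, not code from the article or 4BIS. It parses a raw message with the standard library and reports lookalike sender domains, display-name impersonation, Reply-To mismatches, off-hours sending, and urgent financial requests; the organisation (harborfund.org), the contact list and both messages are constructed, and business hours are an assumed 07:00 to 18:59 in the sender's stated UTC offset.

```python
"""Constructed example: triage an inbound email against the BEC indicators above.

Added illustration, not code from the article or 4BIS. Organisation, contacts
and both messages are made up.
"""
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from typing import List

TRUSTED_DOMAINS = {"harborfund.org"}                             # constructed
TRUSTED_CONTACTS = {"pat rivera": "pat.rivera@harborfund.org"}   # constructed
MONEY_WORDS = ("wire", "invoice", "payment", "bank", "gift card", "crypto")
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "right away")
BUSINESS_HOURS = range(7, 19)   # assumed, evaluated in the Date header's own offset


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str) -> List[str]:
    """Return the list of indicators that fired for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []

    # 1. Inaccurate address: domain is close to, but not, one we trust.
    for good in TRUSTED_DOMAINS:
        if domain != good and edit_distance(domain, good) <= 2:
            findings.append(f"lookalike sender domain {domain!r} resembles {good!r}")

    # 2. Familiar display name attached to an unfamiliar address.
    expected = TRUSTED_CONTACTS.get(name.strip().lower())
    if expected and expected != addr:
        findings.append(f"display name {name!r} belongs to {expected}, not {addr}")

    # 3. Replies silently routed somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from the From address")

    # 4. Wrong time of day: outside business hours or on a weekend.
    date_header = msg.get("Date")
    if date_header:
        sent = parsedate_to_datetime(date_header)
        if sent.hour not in BUSINESS_HOURS or sent.weekday() >= 5:
            findings.append(f"sent outside business hours ({sent.strftime('%a %H:%M %z')})")

    # 5. A financial request paired with pressure to act fast.
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in MONEY_WORDS) and any(w in subject for w in URGENCY_WORDS):
        findings.append("financial request combined with urgency language")
    return findings


# Constructed message 1: every indicator fires.
SUSPICIOUS_MESSAGE = "\n".join([
    'From: "Pat Rivera" <pat.rivera@harb0rfund.org>',
    "Reply-To: pat.rivera@mail-relay-example.net",
    "Date: Sat, 03 Jun 2023 02:17:00 -0700",
    "Subject: URGENT: updated wire instructions for invoice #4471",
    "",
    "Please update the payment account before today's cutoff.",
])

# Constructed message 2: a routine note from the real contact.
BENIGN_MESSAGE = "\n".join([
    'From: "Pat Rivera" <pat.rivera@harborfund.org>',
    "Date: Tue, 06 Jun 2023 10:05:00 -0700",
    "Subject: Agenda for Thursday",
    "",
    "Attached is the agenda for the board meeting.",
])

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, bec_indicators(raw))
```

Note that none of these checks replaces the second bullet: a message that passes all five can still come from a genuinely compromised mailbox, which is exactly what happened to One Treasure Island's bookkeeper, so a phone call to confirm any change in payment details remains the control that actually stops the transfer.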

As Microsoft has stated in a newly released article regarding the subject of BEC, “BEC attacks offer a great example of why cyber risk needs to be addressed in a cross-functional way with IT, compliance, and cyber risk officers at the table alongside executives and leaders, finance employees, human resource managers, and others…” Managed Service Providers (MSPs) can support companies by educating employees about cybersecurity scams. MSPs cannot stop cybercriminals from attempting BEC, but they can help companies at risk by staying up to date on the latest cybersecurity tools and cybercriminal trends, providing training, identifying threats, running scans, and creating and adapting defenses.

Work With A Partner

With the ever-changing cybercriminal world and advances in AI, both employees and Managed Service Providers (MSPs) need training. MSPs should be equipped with tools to be proactive, so that these cybercrimes are lessened, and reactive for when cybercrime occurs, so that your company’s reputation and data are safeguarded. To create a custom plan for your business, reach out to us at 4BIS to learn more.

Author

  • Christina Teed

    Christina is a highly experienced professional with over fifteen years of work in various fields. She holds a Bachelor's degree in English Education and Theatre, which has provided her with a strong foundation in communication. Throughout her career, Christina has developed a diverse range of skills including program management, public speaking, leadership development, interpersonal skills, education, operations, project management, and leadership. At 4BIS Cybersecurity, Christina has held several roles including working as a tech on the helpdesk, various administrative responsibilities, digital creator, and content creation. With her wealth of skills and experience, she brings a unique blend of creativity, communication, and leadership to her work, making her a reliable and effective professional. However, Christina's favorite role in life is that of a dedicated wife and mom.
