In the past, phishing attacks were typo-riddled emails blasted out to a mass audience, commonly offering a reward for helping a deposed monarch get his money out of the country. Conversely, today’s spear phishing emails are personalized, professionally written, and appear to come from organizations that you do business with.
To make matters worse, business email compromise attacks aimed at high-value targets have skyrocketed in recent years. In this article, we’ll explain these schemes rake in billions and how you can prevent them. We’ll also explore how deepfake technology might take these scenarios to the next level.
Spear phishing: A minor ploy with major consequences
It’s easy to let your guard down when a fraudulent email appears relevant and addresses you by name, such as personalized bogus password reset email. Spear phishing emails tend to impart a sense of urgency (e.g., missed payment) and request some sort of immediate action be taken. This might include clicking a link to confirm account credentials or downloading an a malware-laden attachment.
It’s important to remember that spear phishing occurs on various platforms including social media accounts and messaging apps.
Example of a LinkedIn spear phishing message (Source)
Perhaps the most consequential spear phishing attack occurred in March, 2016, during the lead up to the 2016 U.S. presidential election. John Podesta, Hillary Clinton’s campaign chairman, received an email purporting to be from Google notifying him that someone had attempted to access his email account from Ukraine.
The familiar message stated “Google stopped this sign-in attempt. You should change your password immediately.” Adding to the scheme’s effectiveness, the Podesta email originated from a seemingly official—though definitely fake—googlemail.com domain.
The shortened URL contained in the spear phishing email led to a bogus phishing site that mimicked a Google password reset page. Several months after Podesta’s valid Gmail credentials were entered into a phishing website, 50,000 of his emails were leaked and the Democratic National Committee’s servers were hacked.
The rest is history.
Phishing tests are used to gauge employee susceptibility to spear phishing schemes and are an effective way to spread awareness of the attack’s effectiveness. However, a recent GetApp survey found that only 30% of businesses conduct phishing tests. That’s a missed opportunity that is well worth the return on investment. Phishing tests can be designed by an internal IT team or administered by a contracted security company,
Business Email Compromise (BEC): a billion dollar scheme
According to the FBI’s 2018 IC3 report, business email compromise was by far the costliest type of internet crime in the U.S., with reported losses totaling $1.2 billion and nearly doubling the $675 million reported in 2017.
Also known as CEO fraud, BEC schemes target executives, senior management, or any other employees with access to highly-sensitive data or payment mechanisms. Part of the reason is that BEC attacks are so costly is that they often end in a high-dollar wire transfer, payment of a fake invoice, or the transmission of payroll information.
Prior to launching BEC attacks, social engineers often research their target using online resources such as company websites, LinkedIn, and Twitter profiles. These sources tend to include job titles and departments that allow an attacker to piece together working relationships and personal dynamics within an organization. Furthermore, people commonly have personal websites that act as an online resume, providing more than enough information for a social engineer’s needs.
Email security and SPAM filtering are essential elements of IT security. However, most BEC attacks don’t breach IT security at all. Instead, they dupe employees into tossing sensitive data right over a company’s razor-tipped IT security wall. And because emails related to BEC attacks are sent only to a select few, they often slip past SPAM filters.
Earlier this year, a Lithuanian man was extradited to the United States to face wire fraud charges resulting from a string of successful business email compromise attacks. In the end the man pleaded guilty to fleecing more than $100 million from numerous companies including an unnamed “multinational online social media company.”
Deepfake technology: The next phishing frontier
Deepfake audio and video technologies convincingly mimic a person’s physical or vocal features so that they seem to be doing or saying something that never occurred in reality. And although it only recently emerged, deepfake technology is already becoming mainstreamed with apps such as ZAO and FaceApp. A recent viral video featuring comedian Bill Hader’s face swapping back and forth with that of Tom Cruise showed how far deepfake have come in a short amount of time.
Deepfake technology is poised to take the spear phishing and BEC concepts to extremes. Company leaders commonly participate in conferences, panels, podcasts, interviews, and assorted other media interactions. Audio or video from these sessions combined with machine learning techniques such as Generative Adversarial Networks (GANs) can extrapolate new video or voice data from existing data.
It’s easy to envision how this technology that will inevitably be used for nefarious purposes. In fact, a report recently emerged of AI assisted voice phishing (vishing) calls that convincingly mimicked a CEO’s voice to convince his direct report to wire $243,000 to a bogus account. Furthermore, there is widespread concern about the potential for deepfake technology to influence the 2020 presidential election.
Our fundamental abilities to discern what’s real and what’s fake are clearly eroding. One factor is the mass proliferation of confusing information on the internet. A more important factor is the sophistication of one’s digital media literacy in understanding how easily photos can be doctored, voices simulated, and faces swapped. Social engineering techniques are about to get much more aggressive and even more effective.
Best practices to prevent spear phishing and BEC attacks
If you receive an abnormal request from a colleague or superior, follow up with them using a secondary means of communication to verify the request. If they’re in the same office, simply walk over and ask, “Did you just send an urgent request to wire $2.3 million to a new copper supplier in Bulgaria?”
Better yet, all companies should develop strict policies that require a second form of verification to authorize wire transfers and the transmission of payroll or tax records.
The following best practices can also help to prevent spear phishing , business email compromise, and other IT security threats:
- Maintain unique passwords for every application and enable multi-factor authentication when available.
- Refrain from clicking on embedded links in emails. Instead, navigate directly to the company’s website via search or by typing its URL into a browser.
- Consider the type of information you share on social media, how it can be used to discern details about your personal life, and the ways it can be leveraged.
- Tighten privacy settings on social media accounts, mobile applications, web browsers, and internet-connected devices.
- Research potentially deceptive URLs, email addresses, and social media usernames that could be used for deceptive purposes.
- Beware of shortened URLs that conceal a hyperlink’s destination.
- Conduct internet searches on yourself to see what kind of information surfaces. Take a few minutes to opt-out of invasive people-search websites, such as Spokeo and Mylife.
- Develop specific processes that require a second form of verification to authorize wire transfers and the transmission of payroll or tax records.
- Conduct phishing tests to determine employee susceptibility to fraudulent emails.
- Establish a clearly defined acceptable use policy (AUP) for internet and email use.
The data security survey referenced in this article was conducted by GetApp in June 2019 using Amazon Mechanical Turk among 714 respondents who reported full-time employment in the United States.