The US Federal Bureau of Investigation (FBI) has reported the continuing explosion of Business Email Compromise (BEC) attacks as the practice becomes a US$ 5 billion (£3.86 billion) business.
Between October 2013 and 2016 the total internationally reported loss from such scams was US$ 5,302,890,449 (£4,100 million), with US organisations accounting for nearly US$ 1.6 billion (£1.24 billion) of that figure.
That figure is drawn together from a variety of reported sources, including complaints to the FBI's cyber-crime body, IC3. Many such incidents may go unreported, leaving the true global cost of BEC as yet unknown.
The scam continued to be a favourite of cyber-criminals from January 2015 to December 2016, a period in which identified exposed losses rose by 2,370 percent.
At its heart, BEC, or Whaling, is simple. Once an attacker chooses a target, they will spoof an email address or compromise a mail server and then impersonate an individual within the targeted company, or at least one closely associated with it.
Attackers take a great deal of time to research their targets before crafting an intricately considered email to trick their targets.
Social media often provides a great bounty of seemingly innocuous data for a cyber-criminal to cobble together and exploit. “There are daft links that you would never even dream of”, Richard De Vere, a pentester and director of The AntiSocial Engineer, told SC Media UK. If you post a picture of your new car on social media, a Whaler might see your licence plate and then use it to figure out all manner of information, including where you got the car from. A short spoofed email later, they're impersonating your dealership and saying you owe them £2,000.
“Having access to someone's social media just opens up so many little variables and tangents”, said De Vere, “it's linking it up that's the key.”
That email will often be sent to a senior executive or a key member of the human resources or finance department and direct its recipient to initiate a wire transfer, make a direct payment to a particular account, or hand over business-critical information.
Messages will often be sent at the end of a week or working day to catch their recipients off guard and typically adopt a hurried tone in an attempt to get their victims to abandon their sense of scepticism.
The FBI notes that scams of this variety are becoming increasingly similar, paring down in diversity to just a few predominant forms. Conmen will often pretend to be a lawyer with access to confidential information, others will pretend to be a foreign supplier chasing an invoice for services rendered, and some will even attempt to initiate hurried wire transfers into ‘company accounts’.
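The traits described above (an impersonated sender, a request to move money, a hurried tone, a message timed for the end of the week or working day) can be combined into a simple triage heuristic for a mail gateway or SOC. The following is an added example, not code from the article or from any of the experts quoted; the organisation domain, executive list, keyword lists and sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr, parsedate_to_datetime

# Assumed values for the illustration: the organisation's own mail domain and
# the executives whose names a BEC message is likely to borrow.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane smith"}
URGENCY = ("urgent", "asap", "right away", "immediately", "before end of day")
PAYMENT = ("wire transfer", "bank details", "invoice", "account number")

def bec_indicators(raw: str) -> list:
    # Returns the BEC traits found in one plain-text RFC 5322 message
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = []
    # An executive's display name on an address outside the organisation
    if name.lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        hits.append("lookalike_sender")
    # A spoofed From header with replies steered to a different mailbox
    if reply_dom and reply_dom != from_dom:
        hits.append("reply_to_mismatch")
    if any(t in text for t in URGENCY):
        hits.append("hurried_tone")
    if any(t in text for t in PAYMENT):
        hits.append("payment_request")
    # Sent on a Friday or after 17:00, when recipients are most likely off guard
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    if sent and (sent.weekday() == 4 or sent.hour >= 17):
        hits.append("end_of_week_or_day")
    return hits

def is_suspicious(raw: str, threshold: int = 3) -> bool:
    return len(bec_indicators(raw)) >= threshold

# Constructed sample messages (not real traffic)
SPOOFED = """From: Jane Smith <jane.smith@example.com>
Reply-To: Jane Smith <jane.smith.ceo@webmail.example>
Date: Fri, 16 Jun 2017 17:42:00 +0000

Please arrange a wire transfer right away, bank details to follow. Jane
"""
BENIGN = """From: Bob Jones <bob.jones@example.com>
Date: Tue, 13 Jun 2017 10:05:00 +0000

Anyone free for lunch at noon?
"""
```

A hit count is a triage signal, not a verdict: a flagged message should be routed to a human check (for example a call-back to the purported sender on a known number) rather than blocked or trusted outright.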
In any case, successful attacks end with compromised data or stolen funds. Asian banks are still the primary destination of those stolen funds, according to the FBI, but the United Kingdom is also a popular recipient of the ill-gotten gains.
The advisory notes that the continuing popularity of the scam does not appear to be the result of wild new developments in the area. The FBI noted that the classic form of the scam has benefited from a resurgence.
So what accounts for the enduring popularity and wild, if formulaic, success of this particular scam?
Vince Warrington, founder of Protective Intelligence Ltd, thinks that the executive commonly targeted by such attacks is often just a little too old to have organically developed a security mindset: “It's really difficult for people at that end of this to even have the idea that someone would try and rip them off using this means. It just doesn't seem to register at all.”
Cyber-security education is often focused on the end user, but senior management are frequently left out: “That's where we fall down because they don't expect it, they don't realise it's a threat and they're never told about it.” People often assume that cyber-crime is purely a technical problem, without realising that it so often uses a modern platform to pull off some of the oldest confidence tricks in the book. “It's how people work”, said De Vere. People just don't expect the business-critical tools they use minute-to-minute to be unsafe.
Tiago Rosado, an independent cyber-security advisor, told SC that there is neglected technology there to help those that might be vulnerable to BEC attacks: "Things like digital signatures using CAs or PGP/GPG should be used on emails. They have been around for at least 20 years, still most companies do not use them. Or even better, using a blockchain ledger, something that some banks and other companies are actively working on."