Email fraud warning: Now hackers want your data as well as your money

More people are being targeted in business email fraud attacks -- and information is increasingly the target as well as cash.
Written by Danny Palmer, Senior Writer

Fraudsters are launching phishing campaigns that come in the shape of emails pretending to be from someone within the same organisation as the victim -- and the crooks are increasingly targeting data rather than money.

Email fraud, particularly business email compromise, hit the headlines when the FBI said this particular form of cybercriminal activity cost victims $1bn over the course of a year.

New research from security company Proofpoint suggests the number of email fraud attacks is on the rise.

According to the report, three-quarters of organisations believe they've been targeted once, while two in five firms believe they've been the target of multiple attempted attacks.

While the attacks involve some care and effort by the attackers -- they need to look like someone the victim can trust -- they're widening their reach, targeting larger numbers of people within organisations.

"A change we've experienced in Q4 over previous quarters is the number of people within an organisation that are targeted with these attacks doubled," Robert Holmes, vice president of Email Security Products for Proofpoint, told ZDNet.

Traditionally, the attackers would attempt to go direct to the individual with the greatest access to the money -- the CFO -- often sending emails claiming to be from the CEO requesting a transfer of funds.

However, while some of these attacks have proved successful, for the most part, chief financial officers haven't got to where they are by just handing out funds to anyone who asks.

So now attackers are moving down the company hierarchy, targeting the likes of human resources, accounts, finance, and even technology teams in an effort to conduct successful attacks. After all, if a worker gets a message that claims to be from someone at board level, the attackers hope they're going to follow the orders.

But while being a victim of email fraud and losing money as a result of transferring funds to criminals brings a huge financial hit to organisations, attackers are also increasing their interest in using this type of campaign to covertly gain access to data.

"More companies that were hit with email fraud coughed up sensitive or confidential data than actually lost money," said Holmes.

"Business email compromise may have been something more concerned via wire transfer fraud, but there's also the issue around losing data which, with GDPR just around the corner, is going to be concerning," he added, referring to upcoming legislation, which could result in organisations being fined for data breaches.

Not only that, but if sensitive information is leaked, it could put the organisation at risk of further attacks, whether from those who carried out the initial campaign or from anyone else to whom they sell access to the information on the dark web.

"If you're stealing payroll data, that could be valuable in and of itself. But also there's the whole reconnaissance phase of the kill chain and if I know who is in what role in which companies and dealing with what vendor, that becomes extremely valuable information on the dark web," said Holmes.

According to the report, more than three-quarters of organisations believe that they could fall victim to business email compromise over the next twelve months.

To combat the threat of these attacks, it's useful for organisations to invest in technology that can identify these messages and to train employees to be suspicious of any unexpected emails demanding money, especially if they come from someone within the company that they haven't dealt with directly before.

If in doubt, they should directly ask the person themselves -- in person, if necessary -- about the purported enquiry.

While business email fraud attacks aren't as prolific as some other forms of cyber-attack, they still pose a risk to organisations, and that risk will only become more significant if more attackers believe they can get a piece of the pie.

"If the bad guys can systematise this, if they can turn aspects of it into 'as-a-service', then this starts getting a lot more serious as they're able to scale. I still think it's going to be highly targeted, but if you do highly targeted at scale, it becomes a very big concern," said Holmes.
