Businesses are losing over $700m a month to cyber criminals because employees are falling victim to phishing attacks, business email compromise (BEC) campaigns and gift-card scams – and the amount of money being lost is still on the rise.
Large wire transfers are a significant percentage of the successful attacks – with the criminals behind them using phishing and impersonation attacks to trick unwary staff into handing over hundreds of thousands of dollars in one go. But the most common scam involves crooks tricking victims into sending gift cards that can be worth as little as $250.
Analysis by researchers at Agari – published in the cybersecurity company's latest Quarterly Fraud and Identity Deception trends report – found that gift-card frauds gained traction in the run up to the end of 2019, accounting for 62% of all BEC attacks, up from 56% during the previous quarter.
These attacks often involve cyber criminals taking over business email accounts and using a stolen identity to email others in the organisation to request the purchase of gift cards.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
A common tactic is to pose as someone in management asking for an employee to do them a favour – because in many cases, the employee won't question a request that's supposedly coming from their boss. The run-up to the holiday season provided criminals with the perfect opportunity to conduct gift-card attacks, as they could easily claim that the request was for Christmas gifts.
The average amount requested in gift-card attacks has risen slightly to $1,627, with the minimum amount tending to come in at $250. In some more ambitious cases, cyber criminals have asked for gift cards worth $10,000 to be transferred – by targeting employees across multiple departments at the same time.
"Gift cards have become the preferred method of cashing out for a number of reasons. First, it makes everyone at any company the potential target of a BEC attack, not just the finance and HR departments. We've seen campaigns that have targeted 30-40 employees at a single company at one time in gift-card BEC scams," Crane Hassold, senior director of threat research at Agari, told ZDNet.
Gift cards are useful for cyber criminals as they can be cashed out immediately and it's difficult to trace where the funds have gone. And because they are receiving the gift cards for free – at the expense of the victim – even if crooks sell them on at a low price, they're making a profit.
The most common requests are for gift cards for Google Play and eBay, followed by Target, iTunes and Walmart. Best Buy, Amazon, Steam and the Apple Store also make for popular requests.
The values of the gift cards requested might appear small when considered individually, but the total costs add up, especially given how the attacks remain so successful and easy to cash out.
However, more ambitious attacks are also on the rise, with the number of BEC campaigns requesting wire transfers also increasing during the quarter – and they are increasingly requesting larger sums.
These attacks require a bit more planning from the criminals. In some cases they will hack into the inbox of their target and conduct reconnaissance, and snoop on their contacts, before mimicking them and requesting a transfer of a large sum of money – sometimes in the form of an expected payment with regard to contracts or business deals.
The average figure requested in these campaigns is just over $55,000 – representing a 5% rise compared with the previous quarter. In some cases, attackers will ask for hundreds of thousands or millions of dollars; but the higher the figure, the more likely it is that suspicions will be raised, although some of these 'whaling' attacks still prove to be successful, especially for organised criminal gangs.
SEE: 30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world
Criminals are attracted to BEC attacks because they're proving to be successful and they're simple to carry out. However, organisations can go a long way to preventing phishing and other email-based attacks from being successful by implementing additional security on accounts, such as multi-factor authentication, as well as human-level checks and balances.
"Companies need to understand that cyberattacks are no longer technically sophisticated. Most cyberattacks today, like BEC, are very simple social-engineering attacks and companies need to make sure they have defences in place that are equipped to deal with these types of attacks," said Hassold.
"Companies should have good internal processes in place, so payment requests, regardless of the source, are validated before they are processed," he said.
MORE ON CYBERCRIME