There's been a big rise in phishing attacks. This one worked

We all use email and cyber criminals know it - and they're successfully exploiting that fact to their advantage.
Written by Danny Palmer, Senior Writer

Email is ubiquitous in the workplace, meaning that -- whether we like it or not -- it's still the key method of communication many of us use for getting things done. 

Unfortunately, cyber criminals and scammers are highly aware of this fact, and try to exploit our reliance on email by distributing business email compromise (BEC) and other phishing attacks. 


According to analysis of phishing email attacks by researchers at Abnormal Security, the volume of BEC attacks increased by 81% during the second half of 2022 when compared with the previous six months -- and the total attack volume has grown by 175% during the past two years. 

BEC phishing attempts are cyberattacks in which scammers pose as legitimate sources, such as your boss, a colleague, or a supplier, and trick victims into sending large financial transfers to accounts the scammers control. The attacks are successful and can be extremely lucrative for scammers -- the FBI estimates that financial losses to BEC attacks amount to over $43 billion so far.

"When it comes to email attacks, the odds are stacked against your workforce. While employees must be right 100% of the time, threat actors need to be right only once -- and they know this," says the Abnormal email threat report. 

In addition to email being a potentially vulnerable weak point for businesses, researchers say cyber criminals are also making BEC campaigns more effective by conducting extensive reconnaissance on potential targets. 


Information from company websites, LinkedIn, publicly disclosed financial information, and more can be used to craft spear-phishing messages -- for example, a convincing email that looks like it came directly from your boss. 

In a real-life incident detailed by Abnormal Security, cyber criminals impersonated the office manager of a small safety management business and emailed the facilities manager of a food distribution company.  

The email asked about the status of payments for outstanding invoices and indicated that the payment details had been changed. The scammer signed off by asking for acknowledgement that the email had been received -- along with the office manager's real email signature, with the company's contact information and logo. 

To add to the legitimacy of the request, there were no malicious attachments, no malicious links, and only minor issues with spelling and punctuation. The email had been sent from an address that looked almost exactly like that of the real company the scammer was mimicking, with a slight change that wouldn't be noticeable unless someone was really paying attention. 

The targeted victim was tricked and replied to the message with the requested information -- then the attacker quickly replied with the "new" bank information and asked that all future payments be sent to the account.  

When the target didn't respond to this request, the attacker, still posing as their known contact, sent a succession of follow-up messages asking for a response. Pressuring victims by claiming a reply is a matter of urgency is a common technique used in phishing attacks, and in this case that pressure worked: the victim replied. 

It was at this point that cybersecurity analysts stepped in to ensure that no transfer was made. However, the incident shows how persistent and persuasive BEC attackers can be -- and that businesses need to be prepared to meet the challenge of phishing head-on. 

"Because advanced email attacks like business email compromise exploit trusted email accounts and relationships, organizations need email security that can detect even small shifts in activity and content," said researchers. 


Employees should also be educated on tell-tale signs of BEC attacks, such as unexpected messages that demand urgency, especially if they claim the person receiving the email shouldn't phone the sender, for example by claiming they're in a meeting. This is a tactic used to avoid the victim contacting the sender for real and finding out the first message was fraudulent. 
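As an added illustration (this is not code from the article or from Abnormal Security), the Python below flags inbound mail on the signals the incident above describes: a sender domain that is a near-match for a known partner domain, a request to change payment details, urgency language, and a claim that the sender can't be phoned. The partner-domain allowlist, the confusable-character table, the edit-distance threshold, and the two sample messages are all constructed assumptions for this example.

```python
"""Added example: score an inbound message for common BEC hallmarks.
Not the article's or any vendor's code; all domains and messages are constructed."""
import re
from email.utils import parseaddr
from typing import Optional

# Assumption: domains this organization actually exchanges invoices with.
KNOWN_PARTNER_DOMAINS = {"acme-safety.example", "foodsupply.example"}

# Assumption: character swaps that read alike at a glance (extend for your own environment).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))

# Content patterns for the hallmarks the article lists.
PAYMENT_CHANGE = re.compile(
    r"\b(?:new|updated?|changed?)\b.{0,40}\b(?:bank|accounts?|payments?|wire|routing)\b"
    r"|\b(?:bank|accounts?|payments?|wire|routing)\b.{0,40}\b(?:new|updated?|changed?)\b",
    re.I | re.S,
)
URGENCY = re.compile(r"\b(?:urgent|asap|immediately|today|right away|as soon as possible)\b", re.I)
NO_CALL = re.compile(r"\b(?:in a meeting|can'?t talk|don'?t call|do not call|unavailable by phone)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), one-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Lower-case and collapse look-alike character sequences so 'acrne' compares as 'acme'."""
    d = domain.lower().strip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def lookalike_of(sender_domain: str, known: set) -> Optional[str]:
    """Return the known partner domain the sender domain imitates, or None.

    An exact match is trusted; a domain that becomes identical after confusable
    normalization, or sits within edit distance 2 (assumed threshold), is a near miss."""
    sender = sender_domain.lower()
    if sender in known:
        return None
    norm = normalize_domain(sender)
    for k in known:
        nk = normalize_domain(k)
        if norm == nk or levenshtein(norm, nk) <= 2:
            return k
    return None


def score_message(msg: dict) -> dict:
    """Collect the BEC signals present in one message and decide whether to hold it."""
    _, addr = parseaddr(msg["from"])
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    target = lookalike_of(domain, KNOWN_PARTNER_DOMAINS)
    if target:
        reasons.append(f"sender domain {domain!r} looks like known partner {target!r}")
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append("Reply-To domain differs from From domain")
    body = msg["body"]
    if PAYMENT_CHANGE.search(body):
        reasons.append("change of payment/bank details requested")
    if URGENCY.search(body):
        reasons.append("urgency language")
    if NO_CALL.search(body):
        reasons.append("discourages phone verification")
    # A look-alike sender alone is enough to hold; otherwise require two content signals.
    hold = bool(target) or len(reasons) >= 2
    return {"verdict": "hold for verification" if hold else "deliver", "reasons": reasons}


# Constructed sample messages: the first mirrors the incident in the article
# (note the 'rn' standing in for 'm' in the sender domain), the second is benign.
SAMPLE_MESSAGES = [
    {
        "from": "Office Manager <office@acrne-safety.example>",
        "reply_to": "office@acrne-safety.example",
        "body": "Hi, checking the status of outstanding invoices. Please note our bank "
                "details have changed; send all future payments to the new account. "
                "Please acknowledge receipt today, I'm in a meeting all afternoon.",
    },
    {
        "from": "Office Manager <office@acme-safety.example>",
        "body": "Hi, attached is the July statement. No action needed, thanks!",
    },
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", score_message(m))
```

The domain check is the piece that catches the "slight change that wouldn't be noticeable" in the incident; the content patterns only raise the score, because legitimate mail does occasionally announce new bank details. A held message is a prompt for the out-of-band phone call the article recommends, not a replacement for it, and the edit-distance threshold needs tuning against your own partner list to avoid false matches between short, similar domains.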

Emails that ask you to perform a task quickly and secretly should also be viewed with suspicion -- if possible, call the person the message claims to have come from to find out if it's legitimate. 

You might worry that you could be wasting time by checking -- but it's better to be certain the message is legitimate rather than transferring hundreds of thousands of dollars to a cyber criminal. 
