May 26, 2020

The mobile risks beyond business email compromise

By Chris Hazelton

Business email compromise (BEC) is big business for malicious actors. According to the 2019 FBI Internet Crime Report, BEC is responsible for almost half of the $3.5 billion in cyber crime losses. Now, in the midst of COVID-19, the FBI is also warning of new BEC attacks that take advantage of these uncertain times.

BEC may seem to be an email-related attack; email is even in its name. But at its root, BEC is a phishing attack. And with the rise of smartphones and tablets, malicious messages can be delivered in a number of other ways, such as SMS messages, messaging apps like Signal and WhatsApp, and social media apps. The only difference between BEC and a more traditional credential phishing attack is that BEC leverages the trust and authority of personal connections instead of a large brand, and the losses can be much more severe – the FBI estimates that the average loss from a BEC attack is $75,000.

BEC and phishing attacks in general are decidedly low-tech, and there is no real vulnerability or exploit to speak of beyond social engineering. A company owned by "Shark Tank" judge Barbara Corcoran lost almost $400,000 from a phishing attack. The attack tricked a bookkeeper into wiring money by using an email address similar to that of Corcoran’s assistant to request a payment for a renovation.

Typically, phishing gangs will purchase, collect and trade business contact lists that include names, email addresses and phone numbers of CFOs, finance teams and accounts payable. A targeted message is sent, impersonating a high-ranking executive (usually the CEO) with an urgent request for payment that needs to be made, such as a time-sensitive project. Attackers often use the same strategies to create phishing messages, so their success rate is only around 1-2%, but over tens of thousands of messages a year it can add up to billions of dollars in losses.

As these attacks have become more popular with, and profitable for, cyber criminals, cybersecurity professionals have started to prioritize their defense. As with any phishing attack, awareness and education are the first step toward prevention, but certainly not the only step.

And while many organizations have implemented cybersecurity training with an emphasis on email, most efforts focus entirely on desktop email clients, where users can more easily check for phishing attack indicators. Increasingly, attackers are targeting mobile users to take advantage of the immediacy of mobile communications.

Mobile presents a greater challenge for targets of phishing attacks because cybersecurity training doesn’t often focus on mobile, although this is improving. Cybersecurity training focuses on desktop phishing indicators that are obscured on mobile, since many mobile email apps do not display the sender’s email address and limit the ability to easily preview hyperlinks to potentially fake websites. There are also many more channels for attackers to deliver their scams. Most people don’t expect phishing links to be delivered through platforms such as SMS messages, Facebook Messenger, WhatsApp or Signal.

The problem is compounded by the heavy reliance on mobile communication by organizations at all hours of the day – particularly now as the majority of users are remote workers. Business leaders communicating with their teams via mobile email or messaging apps do so with an expectation of immediate attention, which primes employees to potentially fall for phishing scams when they react hastily. And recipients of phishing messages on mobile devices cannot easily verify requests with a nearby colleague as everyone is working from home. At the same time, business leaders themselves can also be easily influenced by well-crafted requests that seem to come from their direct reports, causing them to inadvertently divulge damaging non-public information. 

There is no one-size-fits-all approach to preventing BEC and phishing, so there needs to be a realization that phishing attacks are not limited to email. Any strategy focused only on email will miss the majority of methods used to attack mobile users. It takes a defense-in-depth approach with phishing protection across all endpoints, including mobile devices, paired with cybersecurity training. Only in this way can organizations protect their employees from this growing threat.


Author

Chris Hazelton,
Director, Security Solutions