The FBI’s latest Internet Crime Report (IC3) revealed that US victims lost more than $2.7 billion to internet crimes in 2018, bringing the four-year total to a stunning $7.45 billion. Email fraud led the pack in terms of cost, with phishing, spear phishing, and gift card scams being the most prevalent forms of email attack.

Business Email Compromise Attacks Cost US Businesses $1.2 Billion

Business email compromise (BEC) attacks represent nearly half the total losses in 2018. The IC3 report revealed that BEC attacks cost US businesses more than $1.2 billion in 2018, doubling losses reported in 2017 and tripling that of 2016.

One of the most costly forms of spear phishing, BEC attacks hit more than 20,000 victims in 2018. In this scam, a cybercriminal impersonates an executive and requests an employee to execute a wire transfer, often to the tune of millions. Because of the high payoff, cybercriminals often use pretexting, a form of social engineering, to improve their chances of success. First, the cybercriminal ensures that the victim has the authority to execute the wire transfer, then they make the request. Often, they will exchange multiple emails with the victim to gain their trust.

In a recent example, St. Ambrose Catholic Parish in Brunswick, OH was scammed out of $1.75 million in a BEC attack. While the church was undergoing renovations, hackers managed to compromise internal Office 365 email accounts. Once inside, they convinced other employees that the construction company doing renovations on the church needed to change their bank account information. When the church paid the construction company two bills totaling $1.75 million, the funds went into the hacker’s account. The church did not become aware of the compromise until the construction company reached out and asked why the recent bills had not been paid.


Gift Card Scams Spike

According to the FBI, complaints of gift card scams increased significantly in 2018. In this spear phishing attack, a hacker spoofs an email and requests an employee to purchase multiple gift cards. Email spoofing alone cost US victims $70 million in 2018. It comes in many forms and with various levels of sophistication:

  • Visible alias spoofing: The hacker simply creates an email address with the purported sender’s name in the hopes that the victim won’t notice that the email address is different—they often don’t.
  • Close cousin spoofing: An email address that looks similar to a real email address but includes only a slight variation, such as an additional letter.
  • Domain spoofing: A variant in which the From address is an exact replica of a legitimate email address on the real domain. It is easier to detect than close cousin spoofing thanks to authentication protocols like DMARC.
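The three forms listed above can be told apart mechanically from the From header and the receiving gateway's authentication result. The following is an added example (not Vade Secure's code) of a small rule-based triage step that classifies each message against a directory of known senders: a matching display name on a different address is visible alias spoofing, a domain within a small edit distance of a known domain is close cousin spoofing, and the real domain without a DMARC pass is domain spoofing. The sender directory, domain list, sample headers and the `classify_from` / `scan_messages` names are all constructed for illustration.

```python
"""Rule-based triage of From headers for the spoofing forms described above.

Added example, not code from the original post. KNOWN_SENDERS, KNOWN_DOMAINS
and SAMPLE_MESSAGES are constructed test data.
"""
from email.utils import parseaddr

# Constructed directory of legitimate senders: lower-cased display name -> address.
KNOWN_SENDERS = {
    "jane doe": "jane.doe@example.com",
}
# Constructed list of domains the organisation actually sends from.
KNOWN_DOMAINS = {"example.com"}
# Domains at most this many edits away from a known domain are "close cousins".
# Short domains produce false positives at larger thresholds, so keep it small.
COUSIN_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_from(from_header: str, auth_results: str = "") -> str:
    """Return one of: legitimate, domain spoofing, close cousin spoofing,
    visible alias spoofing, unknown sender.

    auth_results is the Authentication-Results header added by *our own*
    gateway; this assumes the gateway strips any copy supplied by the sender,
    otherwise 'dmarc=pass' could itself be forged.
    """
    name, addr = parseaddr(from_header)
    name = name.strip().lower()
    addr = addr.strip().lower()
    domain = addr.rpartition("@")[2]

    # Exact legitimate domain: only trust it when DMARC verified alignment.
    if domain in KNOWN_DOMAINS:
        if "dmarc=pass" in auth_results.lower():
            return "legitimate"
        return "domain spoofing"

    # Lookalike domain (one or two characters off a real one). Subdomains of a
    # known domain are deliberately not special-cased here.
    for known in KNOWN_DOMAINS:
        if levenshtein(domain, known) <= COUSIN_DISTANCE:
            return "close cousin spoofing"

    # Right display name, unrelated address (e.g. a free webmail account).
    expected = KNOWN_SENDERS.get(name)
    if expected and addr != expected.lower():
        return "visible alias spoofing"

    return "unknown sender"


# Constructed sample messages: (From header, gateway Authentication-Results).
SAMPLE_MESSAGES = [
    ("Jane Doe <jane.doe@example.com>", "mx.example.com; dmarc=pass header.from=example.com"),
    ("Jane Doe <jane.doe@example.com>", "mx.example.com; dmarc=fail header.from=example.com"),
    ("Jane Doe <jane.doe@examp1e.com>", "mx.example.com; dmarc=none"),
    ("Jane Doe <janedoe.ceo@freemail-example.net>", "mx.example.com; dmarc=none"),
    ("Newsletter <news@vendor-example.org>", "mx.example.com; dmarc=none"),
]


def scan_messages(messages=SAMPLE_MESSAGES):
    """Classify every (From, Authentication-Results) pair; returns [(address, verdict)]."""
    return [(parseaddr(frm)[1].lower(), classify_from(frm, auth)) for frm, auth in messages]


if __name__ == "__main__":
    for addr, verdict in scan_messages():
        print(f"{addr:45} {verdict}")
```

In practice the directory would be fed from the address book or HR system, and a message flagged as anything other than `legitimate` or `unknown sender` would be quarantined or banner-tagged rather than delivered silently; the DMARC check only helps against domain spoofing, which is why the two lookalike rules are needed alongside it.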

Many gift card spear phishing emails spoof top executives. This tactic is effective because it pressures victims to act fast and fear professional consequences if they don’t meet the request. In 2018, one of our own employees received a gift card spear phishing email from a cybercriminal impersonating Vade Secure’s CEO. The warning banner built into Vade Secure for Office 365 alerted the employee to the scam.

Direct Deposit Phishing Is on the Rise

Another BEC attack that saw increases in 2018 was the payroll diversion attack, which cost US businesses more than $100 million. In this scam, a cybercriminal sends a phishing email to an employee to harvest their login credentials for the company’s HR platform or other employee portal. Once the hacker has the credentials, they change the employee’s direct deposit information and divert the funds to their own account.

In 2019, Vade Secure reported an increase in direct deposit spear phishing attacks, a more targeted form of payroll diversion phishing in which a cybercriminal targets an HR employee and personally requests the direct deposit change. This spear phishing variant is easier to execute because it requires only an email, while phishing requires the hacker to create a sophisticated landing page.


Phishing Continues to Dominate

Phishing alone accounted for more than $48 million reported in losses in the US in 2018, dwarfing malware, which cost victims more than $7.4 million. This is consistent with what we’ve been seeing over the course of the last year. The relative ease of creating phishing emails and landing pages, compared to that of complex malware code, makes it a formidable threat that shows no signs of slowing. In Q4 of 2018, Vade Secure alone detected 80,707 unique phishing URLs, with Microsoft being the most impersonated brand in phishing attacks.

Even more threatening is when phishing is combined with spear phishing, also known as a multi-phase attack and a popular tactic for breaching Microsoft Office 365 accounts. In a multi-phase attack, hackers begin by harvesting account credentials via a phishing webpage. Once they’ve gained access to Office 365, they can conduct internal spear phishing attacks, impersonating other employees to convince them to divulge even more account credentials or to complete certain financial transactions, as was the case with St. Ambrose Parish.

Protecting Your Business

The increasing sophistication and success rate of email attacks, combined with the staggering losses reported, reveals that businesses need to invest not only in employee awareness training but also in email security. Phishing is extremely difficult to detect: unless a URL in the email points to a known phishing webpage, the email will slip past most reputation-based email filters. Spear phishing is even more difficult to detect because spear phishing emails don’t include URLs or other code in the body of the email for the filter to scan.

Newer solutions that use artificial intelligence to detect unknown threats conduct a behavioral analysis on the entire email, not just the URL, searching for abusive patterns, anomalies in email addresses, and obfuscation techniques, such as URL redirects. Compared to reputation-based email filters, AI-based security solutions not only have a better catch rate but also the ability to learn from their mistakes.

Learn how Vade Secure for Office 365 protects businesses from phishing, spear phishing, and malware.