ITBusiness.ca

Business email compromise scams getting more sophisticated: Report

Messaging scams that try to trick employees into performing risky transactions continue to dog organizations.

In a report released today, Trustwave said a category of cons called business email compromise (BEC) scams followed a historical trend by jumping in January and February before settling down.

More importantly, attackers have come up with a new tactic: Instead of sending an email purporting to be from an executive and asking for action — paying a supposed invoice or changing payments to be made to a bank account controlled by the threat actor — the message asks the employee to email a supposed staffer of a company. It’s a way of convincing the victim of the legitimacy of the message.

For example, the first email sent by the supposed executive tells the employee that a representative from a financial company is requesting payment for an unpaid invoice. The employee is told someone from that company will be emailing them. It’s not uncommon for this first message to use the real name of that contact person.

The second email the employee gets is from the supposed contractor/supplier/partner and repeats the request for payment of the overdue invoice. A variation of this scheme has the supposed employer telling the employee to contact the other company (by email, of course).

“To make the scam appear legitimate,” notes Trustwave, “these emails contain specific information such as an invoice number and date of scheduled payment. They are also longer in content and written in a professional manner, unlike traditional BEC emails. The vendor representative names are real employees of the financial institutions that the scammers use in their invoice fraud scheme.”

One clue the message is a scam: It comes from a free email service like Gmail. In the first half of this year, 84 per cent of BEC messages detected by Trustwave came from free webmail addresses.

Related content: Employees still too gullible

BEC uses different bait topics to gain the attention of their victims, the report says. These include

Regular employee security awareness training is one way these and similar scams can be blunted.

Exit mobile version