At their heart, many criminals are also entrepreneurs – they have simply chosen the faster money and higher risks of illegal markets. Like any other entrepreneur, a criminal wants to maximize ROI: earn as much as possible while spending as little as possible. For however many dollars they put in, they expect a certain number of dollars out. Here are some of the scams you need to know about.
A newer type of scam that promises to raise the ROI of many existing operations is being deployed by scammers more and more often. Business Email Compromise (BEC), also known as CEO fraud, is a variant of conventional phishing that businesses need to watch out for.
Phishing attacks use emails that masquerade as legitimate messages and contain links or attachments that look harmless but actually let an attacker execute malicious code. A spear phishing email is a phishing email that has been carefully crafted for one particular recipient. These were a notable feature of the Russian attacks on the 2016 elections – a spear phishing email crafted specifically for John Podesta ended up granting the GRU access to the entire DNC network.
More About Spear Phishing
Spear phishing emails are more likely to succeed than the scattergun approach of phishing spam. Regular phishing emails rely on users being susceptible and, for the most part, technologically illiterate. Often the scammers will have a list of email addresses from some database or other – every time one of those high-profile data breaches occurs that we all collectively shrug our shoulders at, millions of people’s information is exposed.
Sometimes, passwords are exposed in these breaches, although that is relatively rare. When passwords are exposed, they are usually encrypted and, if the service in question takes security seriously, they will also be salted and hashed.
However, this is not always the case. You can enter an old email address into haveibeenpwned.com to see how many times it has been exposed in a breach and any passwords that have been exposed alongside it.
The BEC scam uses spear phishing, spoofing, typosquatting, or some other form of phishing to induce the user to enter their username and password in the belief that they are logging into a legitimate service.
The email itself deploys urgency and claims to have been sent at the behest of a CFO or CEO who is now in a meeting and therefore unavailable. To disguise the lack of a corporate signature, the scammers use the ‘Sent from my iPad’ signature and explain that they are using a personal device. This also enables the scammers to get away with imperfect English as mistakes are written off as autocorrect. If hackers have any additional information that they can use to make themselves seem legitimate, they will often throw that in too.
In some cases, the scammers will use social engineering to convince employees to do things they normally wouldn’t. The best way to defend against this attack is to educate your employees about it. Once they know about it, it is fortunately easy to spot. Never open attachments you aren’t expecting without verifying in person that they are legitimate. Don’t open links or attachments from email addresses you don’t recognize, even if they purport to be from someone you know.
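User education is the main defense, but the tell-tale signs described above (an executive's name on an external or lookalike address, a Reply-To that points somewhere else, urgency, a payment request, and the "Sent from my iPad" excuse) can also be checked mechanically at the mail gateway. The script below is an added example, not code from the original article or any named product. The organisation domain `example-corp.com`, the executive list, the keyword lists and the three sample messages are all constructed for illustration.

```python
"""Heuristic BEC / CEO-fraud indicator scoring for inbound mail.

Added example (not from the original article). The domain, executives,
keyword lists and sample messages below are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed configuration: the organisation's own domain and its executives.
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}

# Indicator patterns taken from the scam description: urgency, a money
# request, and the "personal device" excuse for a missing signature.
URGENCY_RE = re.compile(r"\b(urgent|immediately|asap|right away|in a meeting|can'?t talk)\b", re.I)
PAYMENT_RE = re.compile(r"\b(wire|transfer|invoice|gift cards?|payment|bank details)\b", re.I)
DEVICE_RE = re.compile(r"sent from my (iphone|ipad|mobile|android)", re.I)

REVIEW_THRESHOLD = 3  # assumed: three or more indicators -> hold for review


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, internal: str = INTERNAL_DOMAIN) -> bool:
    """True if `domain` imitates the internal domain without being it."""
    domain = domain.lower()
    if domain == internal or domain.endswith("." + internal):
        return False  # the real domain or a legitimate subdomain of it
    if internal in domain:
        return True  # e.g. example-corp.com.evil.example
    return levenshtein(domain, internal) <= 2  # e.g. examp1e-corp.com


def body_text(msg) -> str:
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts
    )


def score_message(raw: str):
    """Return (indicator_count, reasons) for one RFC 822 message."""
    msg = message_from_string(raw)
    reasons = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else ""
    body = body_text(msg)

    if from_name.strip().lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        reasons.append("executive display name on non-internal address")
    if lookalike_domain(from_domain):
        reasons.append("lookalike sender domain")
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    if URGENCY_RE.search(body):
        reasons.append("urgency language")
    if PAYMENT_RE.search(body):
        reasons.append("payment request")
    if DEVICE_RE.search(body):
        reasons.append("personal-device signature excuse")
    return len(reasons), reasons


def verdict(score: int) -> str:
    return "review" if score >= REVIEW_THRESHOLD else "deliver"


# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <jane.doe.ceo@webmail.example>
To: Sam Smith <sam.smith@example-corp.com>
Subject: Quick favour

Hi Sam, I'm in a meeting and can't talk, but I need you to process an
urgent wire transfer for a vendor today. Send me the bank details form.

Sent from my iPad, please excuse typos
"""

LEGIT_EXEC_SAMPLE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: Sam Smith <sam.smith@example-corp.com>
Subject: Invoice

Please approve the attached invoice when you can.
"""

BENIGN_SAMPLE = """\
From: Sam Smith <sam.smith@example-corp.com>
To: Pat Jones <pat.jones@example-corp.com>
Subject: Lunch

Pizza Friday?
"""

if __name__ == "__main__":
    for name, raw in [("bec", BEC_SAMPLE), ("exec", LEGIT_EXEC_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        score, reasons = score_message(raw)
        print(f"{name}: {verdict(score)} ({score}) {reasons}")
```

The threshold matters: a genuine executive asking for an invoice trips the payment keyword alone and is still delivered, while the constructed fraud message trips all six indicators. Treat a "review" result as a prompt for the in-person verification the article recommends, not as proof of fraud.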