The consequences of phishing emails.
Two days ago the FBI and the Crime Complaint Center (IC3) put out a press release warning of a new man-in-the-middle attack. The FBI has dubbed this attack the “Business E-Mail Compromise”… Very original of them! This attack has primarily targeted CEO’s, CTO’s, CFO’s and sometimes Controllers. Over the last 14 months there have been 1198 reported cases of this latest attack. In these cases the attackers have already penetrated the company network using phishing emails. Once they have penetrated a network the attackers will identify key C Level execs that they will then monitor over the course of several months.
The idea is to learn as much as possible about the execs and their relationships with their vendors. When they feel like they have learned an adequate amount about their target they will compose an email posing as the vendor that the exec has an established relationship with. They will usually ask the exec to transfer funds to a bank account. These emails will usually reference some recent delivery or transaction between the vendor and the exec. These emails are completely bogus and the bank account eventually ends up in Hong Kong (meaning that you would most likely be dealing with the Chinese cyber mafia). It is estimated that over 180 million dollars has been stolen using this method.
Although the likelihood of this happening is relatively low by percentages, it is still good to know what to look for and that these threats exists. Social engineering scams are more prevalent then ever and it would be a shame for it to happen to you. It is best to become familiar with the tactics and pitfalls that are commonly used in case you are ever confronted with this threat.