Big Money Is Being Stolen From Mid-Sized Businesses By Spoofing Internal Emails

October 28, 2015
No Comment

J. Paul Haynes of eSentire has described the state of evolving email phishing attacks against businesses in a very compelling overview titled “Landing The Big Catch: How Sophisticated Phishing Attempts Are Effectively Intercepting International Wire Transfers.” The way phishing attacks are done varies depending on what the adversary is after, and in this overview J dives deep into one of the most damaging varieties of this attack, the attack designed to transfer money out of a firm directly and irreversibly into the hands of the bad guys.

A case we should all review is that of the networking service provider Ubiquiti. They filed a report with the U.S. Securities and Exchange Commission (SEC) disclosing that they had been the victim of a phishing attack that resulted in a loss of $46.7 million. This attack wiped out all the firm’s earnings for the year.

As an IT professional and a cybersecurity practitioner I have to tell you there is a bit of irony to report that Ubiquiti prides themselves on being a next generation communications technology company, poised to help build big parts of humanity’s future. These are smart technologists who know security. But they are also human beings. And humans can be deceived by bad guys who want to steal money.

From J’s report:

At eSentire, our incident response team has investigated many variants of these types of phishing attacks. In most cases the victim organizations didn’t know anything had happened until they detected irregularities in their balances. Without continuous detection and intervention, it’s practically impossible to avoid these types of targeted attacks as they’ve fast become the attack of choice.

While phishing scams require more time and effort to execute, cybercriminals have found incredible success, regardless of an enterprise’s size, scope or industry. The most common kind of attacks that eSentire sees are of the “six figure” variety which provide a hefty reward for a reasonable output of effort. These kind of attacks are not only a nuisance to the victim but they’re also quite embarrassing. The attackers are highly effective and know the meaning of the term “pigs get fat, hogs get slaughtered”.

Targeted attacks take advantage of the single greatest weakness within the enterprise – the employee. You absolutely can’t “patch” every employee with cybersecurity training. Regardless of how cyber-savvy your employees become, cybercriminals prey on the fact that inevitably, an employee will click a malicious link or unintentionally engage in a phishing attack – executive level included. Hackers take advantage of basic human nature and the fact that today, employees are busy, distracted and easily duped through feigned familiarity, flattery or appeals to their vanity.

In the case of Ubiquiti, scammers were able to successfully spoof corporate emails, leading to a multi-phase fund transfers spanning international jurisdictions. In the last year alone, the volume of cases related to this attack style have been on the rise and highlight an emerging trend targeting businesses regularly working with international suppliers or foreign trade partners.

He goes on to underscore that preventing all types of attacks is impossible and any security professional that claims otherwise is either exaggerating or lying. We agree. But we also agree that steps can be taken to mitigate risks. These steps must go far beyond employee training, but that is a nice start.  We believe no organization today can defend themselves with their own internal technology and security team. We are all like Ubiquity. We might be smart on the technology including our own IT, but we have to have outside help by experts. That is where eSentire comes in.

eSentire provides people, process and technology to give organizations ways to reduce risk and enhance security. Their methods provide protection for over $2.5 trillion in assets today, and they do that globally 24/7/365.

For more on eSentire see