Many email scams are effective because they’re so straightforward, a new report says.
About 60 percent of business email fraud does not involve a malicious link, but rather a plain text message that can be surprisingly effective when wording and context seem authentic, according to a report released Thursday by Barracuda Networks.
“The attack is simply a plain text email intended to fool the recipient to commit a wire transfer or send sensitive information,” Barracuda said in its report. Phishing email, on the other hand, typically tries to get you to click on a malicious link.
The problem is that these bogus plain-text emails are difficult for email security systems to detect because they are often sent from legitimate email accounts and don’t contain suspicious links, Barracuda added.
Businesses as targets
Fraudulent emails are common in so-called Business Email Compromise or BEC, where attacks have resulted in billions of dollars lost to fraud over the last few years.
More than 78,000 BEC complaints were made globally between October 2013 and May 2018, with over 41,000 victims in the United States, the FBI said in July.
Business email fraud, as defined by Barracuda in its report, works like this: Criminals first get access to a business email account, then imitate the owner’s identity, and then target employees, customers or partners who have access to company finances or payroll data and other personally identifiable information.
One of the most common attacks attempts to trick a recipient into making a wire transfer to a bank account owned by the attacker, according to Barracuda, which compiled statistics for 3,000 randomly selected BEC attacks in its report.
The attacks sometimes (in about 12 percent of the cases) try to establish rapport with the target. For instance, the attacker will ask the recipient whether they are available for an urgent task and then, in the majority of cases, will ask for a wire transfer, Barracuda said.
These emails are disarmingly simple. One actual email – with the names changed to protect the victim – that Barracuda cited said this:
Are you around? I need to send a wire transfer ASAP to a vendor.
Another bogus email said:
Subject: Invoice due number 381202214
I tried to reach you by phone today but I couldn’t get through. Please get back to me with the status of the invoice below.
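As an added illustration that is not part of Barracuda's report or this article, the Python below scores messages against the indicators the report describes (no links, a wire-transfer or invoice request, urgency wording, a display name that matches an executive while the address does not, and a mismatched Reply-To). The two sample emails are reconstructed here as constructed messages, and the executive directory, sender addresses and domains are assumptions.

```python
import re
from email import message_from_string

# Indicator patterns drawn from the report's description of BEC messages.
WIRE_RE = re.compile(r"\b(wire transfer|invoice|payroll|payment)\b", re.I)
URGENCY_RE = re.compile(r"\b(asap|urgent|today|immediately|are you around)\b", re.I)
URL_RE = re.compile(r"https?://|www\.", re.I)

# Hypothetical directory of executives and the address each legitimately uses.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

# Constructed samples modelled on the two emails quoted in the article.
BEC_1 = """From: Jane Doe <jane.doe@mail-example.net>
To: pat@example.com
Subject: Quick request

Are you around? I need to send a wire transfer ASAP to a vendor.
"""
BEC_2 = """From: Accounts <billing@example.com>
Reply-To: billing-desk@mail-example.net
To: pat@example.com
Subject: Invoice due number 381202214

I tried to reach you by phone today but I couldn't get through.
Please get back to me with the status of the invoice below.
"""
BENIGN = """From: Jane Doe <jane.doe@example.com>
To: pat@example.com
Subject: Lunch

See https://example.com/menu for Friday's menu.
"""

def score_bec(raw, executives):
    """Return the BEC indicators found in one RFC 822 plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender = msg.get("From", "")
    m = re.match(r'\s*"?([^"<]+?)"?\s*<([^>]+)>', sender)
    display, addr = (m.group(1), m.group(2)) if m else ("", sender)
    reply_to = msg.get("Reply-To", addr)
    indicators = {
        "plain_text_no_links": not URL_RE.search(body),
        "money_request": bool(WIRE_RE.search(body + " " + msg.get("Subject", ""))),
        "urgency": bool(URGENCY_RE.search(body)),
        # Display name is a known executive but the address is not the one on file.
        "exec_impersonation": display in executives and executives[display] != addr.lower(),
        "reply_to_mismatch": reply_to.lower() != addr.lower(),
    }
    indicators["score"] = sum(1 for v in indicators.values() if v)
    return indicators
```

A score of 3 or more on a message that asks for money is a reasonable trigger for the out-of-band confirmation the report recommends, rather than an automatic block.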
Don’t get duped
“Wire transfers should never go out without an in-person conversation or phone call,” said Barracuda.
And if a request is coming from a high-level executive like a CEO, the request should always be confirmed because, in many cases, it’s unusual to receive a personal email from senior executives.
Based on the report’s results, about 43 percent of the impersonated senders were the CEO or founder. C-suite positions like CEO or CFO can provide valuable context when attempting to dupe payroll staff, for example, into handing over sensitive information.