Plenty More Phish in the Sea….

Yaffa Finkelstein, Product Marketing Manager, CloudGuard SaaS, published February 19, 2020

Hands up if you’ve ever received one of these emails?

“Dear Sirs,

A person with the same family name as you, died last week in deepest Peru. You are The Only Relative that we can find and so we’d like your date of birth, bank account details, mother’s maiden name, ID and pin code, so that we can send you the $20,000,000 that you have inherited.

Many thanks”

A few years ago I exchanged a handful of emails with an unsophisticated phisherman who tried his luck at getting some of my bank details while I was – unbeknownst to him – out, bored, on maternity leave. After a lengthy email exchange inspired by The Wasters Letters which culminated in my sending him a photo of my fingerprint (well he did ask for my ID), he gave up on me and no doubt moved on to another unsuspecting target.

The encounter got me thinking about why anyone would spend time manually executing phishing schemes which probably have a 0% conversion rate.

But perhaps we’re looking at these schemes from the wrong perspective. What if, by being lulled into a false sense of security that phishing schemes will always be crude and overt, we’re more likely to make mistakes when we’re faced with sophisticated schemes, and so become easier to dupe?

In fact, phishing is just one dimension of the extremely dangerous art of Business Email Compromise (BEC). BEC costs the global economy upwards of $26B, according to the FBI. Using a combination of phishing, sophisticated malware and domain spoofing, criminals can seamlessly skim huge sums of money from businesses, and remain undetected until it’s too late.

Social engineering schemes are increasing in their effectiveness as well-disguised criminals grow bolder in their attempts to steal funds from businesses. Built-in email security provides a layer of coverage which is rendered useless when the criminals are sophisticated enough to bypass its machine learning elements.

A smart Check Point customer – let’s call them Acme Logistics – turns over tens of millions of dollars a year and uses both the built-in Office 365 security and a dedicated cloud email security provider.

Acme Logistics has a longstanding relationship with a vendor, “Acme Vehicles”, to whom they were due to pay $700,000 for new equipment. Acme Logistics’ CFO received an email just a few days before the payment run with a request from an account manager at Acme Vehicles, quoting their PO and invoice number, asking that the funds be paid into a new bank account. This email bypassed their third-party cloud email security (which, incidentally, renders the Microsoft security layer obsolete by whitelisting those emails it deems safe).

During the email exchange, by chance, the Acme Logistics IT manager implemented a CloudGuard SaaS trial, where one of our threat prevention engines flagged this innocuous-looking email as a zero-day attack. Upon further inspection, the team noticed that rather than corresponding with the team at acmevehicles.com, they were corresponding with a fictitious team at acmevehicels.com (note the misspelled “vehicles”).
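One defensive check that would have caught the swapped letters above is to compare every sender domain against a list of known partner domains and flag near-misses. The following is an added example, not code from the original post or from CloudGuard; the trusted-domain list and addresses are constructed for illustration, and it assumes the sender's full domain (not just the registrable part) is what you want to compare.

```python
# Added example (not from the original post): flag sender domains that are
# near-misses of trusted partner domains, e.g. acmevehicles.com vs acmevehicels.com.

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1. Plain Levenshtein would score the
    'le' -> 'el' swap in the post as 2 edits; counting a swap as 1 catches it."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def sender_domain(address: str) -> str:
    """Extract the domain part of an email address, normalised to lower case."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted_domains, max_distance: int = 2) -> str:
    """Return 'trusted' for an exact partner domain, 'lookalike' for a domain
    within max_distance edits of one (but not equal to it), else 'unknown'.
    A 'lookalike' verdict is the case to hold for manual review before any
    payment-detail change is acted on."""
    dom = sender_domain(address)
    trusted = {t.lower() for t in trusted_domains}
    if dom in trusted:
        return "trusted"
    for t in trusted:
        if osa_distance(dom, t) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: the partner list and the two addresses from the story.
    partners = {"acmevehicles.com"}
    for addr in ("accounts@acmevehicles.com", "accounts@acmevehicels.com"):
        print(addr, "->", classify_sender(addr, partners))
```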

Consider that an unsuspecting member of management, relying on their layered AI security, came within inches of transferring $700,000 to the wrong bank account.

This example is just one of the many cases of spear phishing that our teams encounter with customers on a regular basis. This attack could well have started with an account takeover (ATO) where the perpetrators eavesdropped on email correspondence before registering the lookalike spoof domain and then executing the spear-phishing attack. When orchestrated at this scale, with this amount of premeditation and precision, this kind of spear-phishing attack against a high-profile figure within the organization is called a whaling attack. If the scheme is successful it would be a huge catch for the fraudsters.

This particular story, of a customer who already had security measures in place, was a humbling reminder that not all phishing schemes are aimed at the un-savvy email user. In fact, those crude attempts inadvertently bolster part of a larger social engineering scheme, which is to keep us confident and unsuspecting as we navigate our increasingly connected world. It’s also a wake-up call that demonstrates how an ATO can be the key for criminals to unlock the power of spear-phishing schemes.

As we explore the most effective methods for keeping our inboxes safe from phishing schemes and ATO, it’s important to keep in mind that a layered approach to email security is key. But if one layer renders the next layer totally ineffective, then it’s probably time to address your security methodology and architecture.

Wondering why we’re still talking about email security in 2020? Check out our last email security blog post. Stay tuned for our next installment when we’ll look at the different kinds of email security available, and weigh up the pros and cons of each.