Things Matt Wrote

cybercrime

Why are business email compromise attacks so effective?

Because people are Helpful.

Because people are Trusting.

Because people are Obedient.

Phishing and Business Email Compromise (BEC) attacks are acts of social engineering. They are attacks on humans and they prey upon human emotions. The most effective phishing emails exploit the target's Obedience, Fear, Kindness, or Curiosity. The most effective BEC emails target the employee's sense of obedience.

Employees want to be good workers. They want to excel at their jobs and win the praise of their supervisors. Imagine you are an accounts payable clerk or junior accountant and the CEO walks into your office and says Jump. Are you going to question how high or why?

One of the biggest fears most employees have is failing at their jobs, or at least looking like they are failing. No one wants to question the boss and risk appearing incompetent or distrustful. Even when employees think the email directing a high-dollar wire transfer is suspicious, the urge to carry out the task with diligence and obedience often overcomes the suspicion.

This week, the Milford Daily News detailed a Business Email Compromise attack on the city of Franklin, Massachusetts. The city's treasurer sent a wire transfer that resulted in a $522,000 loss to the municipality. The city manager described it as a “sophisticated cyber fraud”. It was not. It was a standard spear-phishing attack that took advantage of an organization with untrained employees and insufficient security controls. A wire request that arrives by email should never be acted on from the email alone: a call back to the requester on a number already on file, and a second person approving any change to payment instructions, would have stopped this one.
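The technical control that belongs in front of the human one is a check on the message itself before a payment request ever reaches the clerk. The script below is an added example written for this page, not code from the original post or from the town involved; it assumes a hypothetical corporate domain (example.org), a made-up executive roster, and three constructed sample messages. It flags the patterns that carry most BEC mail: an executive's display name on an address that is not theirs, a lookalike sending domain (edit distance of one or two from the real one), a Reply-To pointing at a different domain than From, and payment-urgency wording in the body.

```python
"""Flag executive-impersonation (BEC) emails before a wire request reaches a clerk.

Added example for this page. CORP_DOMAIN, EXECUTIVES and the sample messages
are hypothetical and constructed; nothing here comes from a real incident.
"""
import email
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example.org"                       # assumed organisation domain
EXECUTIVES = {"pat moreno": "pmoreno@example.org"}  # display name (lower) -> real address
WIRE_WORDS = ("wire", "transfer", "urgent", "confidential", "asap", "new account")


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as examp1e.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a list of reasons the raw RFC 822 message looks like executive impersonation."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    name, addr = name.strip().lower(), addr.lower()
    from_dom = domain_of(addr)
    reasons = []

    # 1. A known executive's display name on an address that is not theirs.
    exec_addr = EXECUTIVES.get(name)
    if exec_addr and addr != exec_addr:
        reasons.append(f"display name '{name}' on non-executive address {addr}")

    # 2. Sending domain is a near miss for the corporate domain (homoglyph/typosquat).
    if from_dom and from_dom != CORP_DOMAIN and 0 < levenshtein(from_dom, CORP_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {from_dom} vs {CORP_DOMAIN}")

    # 3. Replies are silently redirected to a different domain than the sender's.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_dom:
        reasons.append(f"Reply-To {reply_to} goes to a different domain than From")

    # 4. Two or more payment/urgency cues in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [w for w in WIRE_WORDS if w in text]
    if len(hits) >= 2:
        reasons.append("payment-urgency language: " + ", ".join(hits))
    return reasons


# Constructed sample messages (not real mail).
SPOOF = """From: Pat Moreno <pat.moreno.ceo@gmail.com>
To: clerk@example.org
Subject: Urgent

I need you to wire $48,500 to a new account today. Keep this confidential.
"""

LOOKALIKE = """From: Pat Moreno <pmoreno@examp1e.org>
Reply-To: pmoreno@accounting-verify.net
To: clerk@example.org
Subject: Wire transfer

Please process the attached wire transfer ASAP; I am travelling.
"""

LEGIT = """From: Pat Moreno <pmoreno@example.org>
To: clerk@example.org
Subject: Lunch

Are you free for lunch on Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, "->", analyse(raw) or ["no findings"])
```

In a mail gateway the reasons list would feed a quarantine or a banner ("this message claims to be from an executive but was sent from outside the organisation"); the point is that each of these signals is visible in the headers long before anyone judges the tone of the email.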

Read more...

Today is Black Friday, traditionally so named because it was the day retail sales moved merchants' ledgers from red to black. The Internet and the current Covid-19 crisis have made this annual shopping festival largely symbolic; the real event arrives three days later with Cyber Monday. Most retailers, however, have already altered their business models, and Black Friday has become Cyber Black Friday, blurring the line between the two events.

I have previously written about RDDOS, or Distributed Denial of Service for Ransom. This is a one-two punch against Internet services that combines a traditional DDOS attack with a demand for payment to make it stop. What better time to launch such an attack than the days preceding the largest Internet sales event of the year?

Read more...

There is a noticeable trend of people declaring themselves a “Cybersecurity Evangelist”. A search of the term on LinkedIn finds over 38,000 people who claim security evangelism as part of their job title or description. However, a search of the leading job boards finds only a handful of advertised positions. In fact, a search for “Cybersecurity Evangelist” jobs on LinkedIn reveals zero exact titles. The same search on Indeed returns only 84 open positions, and most are hits on the Evangelist part rather than the Cybersecurity part. Remarkably, upwards of 38,000 people have somehow obtained a title that does not seem to be a hirable position. What exactly is this role, and what do those currently employed in it do? Even more importantly, what are the qualifications to be a Cybersecurity Evangelist? I set out to learn the answers to those questions, since I might actually be an evangelist and just not know it.

Read more...

I regularly speak to groups about cybercrime, or “Internet facilitated crime” for the industry elites who abhor the term cyber. I provide an example scenario where attackers use a distributed denial of service (DDOS) attack to target small businesses. I classify it as a crime of extortion and explain how modern cyber-criminals use new technology to commit age-old crimes.

The scenario places a small independent florist at the mercy of a cyber attacker the week before St. Valentine's Day. The floral shop's website is suddenly unreachable at the most crucial point of the busiest week for a florist. A call to the website designer yields nothing. Calls to the website hosting provider add only frustration: department transfers, language barriers, and upsells to higher-priced services that add cost and “may” alleviate the problem.

After the site has been down for about 24 hours, the first email arrives: an offer of help. From the devil himself, of course. The email tersely explains that the website is under attack and that the attack will stop for a one-time payment of 5 BTC. What is a BTC, the panicked shopkeeper wonders, and how the hell do I get some? The small business has little choice but to pay the ransom or lose even more by having the website offline during the busiest week of the year.

Read more...

And Rats... In policing we have a simple saying to explain the monotony of continuously mitigating the poor choices of society: “same stupid thing, different stupid people”. Much like your favorite gif from the subreddit r/holdmybeer, rope swings and mini-bikes never end well. Criminals keep using the same tricks to victimize different people, and different people keep making the poor choices that turn them into victims. It's a never-ending loop. The faces change; the poor choices don't.

In the most recent illustration of this concept, a cybercrime group dusted off a 15-year-old attack tool to victimize a new crop of fresh-faced college and university students. Most of these students were still learning to read the first time this tool was released to victimize fresh-faced and naive college students.

Read more...

Law enforcement is too fractured and restricted to truly tackle the worldwide epidemic of cybercrime. Investigation and financial recovery after the offense is not a realistic option for those victimized through the Internet. Internet users must stop assuming they will never become a victim and instead treat every interaction as potentially hazardous to their personal and financial well-being. They must move to a purely defensive posture, completely focused on prevention and self-preservation.

#cybercrime #Shorttake