In an indication of the fact that cyber criminals consider people more vulnerable to hacking tactics than technology, new research has revealed that the volume of phishing emails, emails spoofing C-Suite executives and vendors, and imposter emails targeting financial services organisations have increased by over 60% compared to last year.
Last year, we learned about the arrival of a Nigeria-based cyber crime group called London Blue that focussed on carrying out Business Email Compromise (BEC) attacks on companies located in the United States, Spain, the United Kingdom, Finland, the Netherlands, Mexico and 76 other countries and recently extended its base of operations into Western Europe.
Security firm Agari noted that London Blue had prepared a list of more than 50,000 corporate executives who it aimed to target with spear-phishing attacks. While around 35,000 of such executives were company CFOs, 2% were executive assistants, and the remainder were other finance leaders.
Financial services are still prime targets for fraudsters
Worryingly, London Blue is not the only cyber crime group that leverages phishing and spoofing tactics to lure unsuspecting employees at financial services organisations to wire money, share sensitive information, or provide access to corporate systems. However, what’s even more worrying is that the volume of phishing and spoofing emails are still rising with every passing day.
According to a new report from Proofpoint, cyber criminals and fraudsters have, so far, spoofed legitimate domains of over 97% of financial services organisations to target the latters’ customers and business partners. In Q4 2018 alone, 69% of financial services firms were themselves targeted by at least one malicious email that spoofed their domains.
In that one quarter alone, the number of phishing emails, spoofing emails, and BEC attacks targeting financial services organisations were 69% more than the number of such attacks carried out by cyber criminals in the final quarter of 2017. Such targeted attacks included, among others, a variety of domain spoofing, display name spoofing, and the use of lookalike domains.
Because of the regularity with which cyber criminals are spoofing legitimate domains by creating lookalike domains, 39% of emails sent from financial services domains in Q4 2018 were flagged as unverified, 68% of emails sent to employees from company domains were flagged as unverified, and email filters were also unable to verify 36% of emails sent to customers from financial services-owned domains and 19% of emails sent to business partners.
“Most impostor email attacks targeting financial services companies are sent on weekdays between 7 a.m. and 1 p.m. in their target’s local time zone. This stands to reason as impostor attacks are socially engineered to be believable. A business partner, for example, is less likely to make a payment request after work hours or during a weekend,” researchers at Proofpoint warned.
How can financial services respond to email fraud?
Earlier this year, David Mount, Director – Sales Engineering, Europe, Cofense, wrote in a blog post for TEISS that the continually evolving phishing threat landscape and the volume of unsolicited spam email makes analysis of user-reported phishing emails hard as already stretched SOC teams are finding it difficult to maintain an up-to-date depth of knowledge to enable effective threat analysis.
“Simply sending a file to a sandbox or checking online threat-analysis tools and databases is not good enough. SOC teams and threat analysts must be able to consume reports of suspicious emails from users and turn them into actionable intelligence quickly.
“This means they must be able to prioritise what is being reported to cut through the noise of false positives, such as legitimate marketing or internal emails, and automatically be given guidance of risk based on the attributes of the email content and any attachments, the status of the user reporting the email (are they high-risk employees with access to sensitive information or processes), the reputation of the user (have they demonstrated an ability to identify and report suspicious emails in the past, essential to help prioritise zero-day threats), and information from any threat-analysis integrations such as VirusTotal or sandboxes.
“Once a threat is analysed and understood, SOC teams need to be able to quickly hunt for the threat within all user mailboxes and quarantine it when found. In addition, they must be able to communicate IOCs to other teams, such as those responsible for proxies, mail gateways and endpoint security tools, to take further defensive or mitigating actions, and they must close the loop by providing timely feedback to users to encourage further reporting behaviour, thus supporting awareness activities,” he added.