Billions of dollars have been lost due to business email compromise (BEC) and business email spoofing (BES). Much of this loss can be directly attributed to spearphishing attacks, which involve targeted emails crafted to impersonate a trusted party and trick the victim into performing a specific action. Spearphishing is easy to perform and hard to defend against, so it remains virtually unchallenged by commercial security solutions. As a result, it is the preferred method for fraudsters worldwide.
Security solutions primarily prevent or detect network or computer intrusions. They focus on countering malware threats, mass phishing, and the spam networks that deliver them. These threats are ubiquitous and can be measurably diminished through signature-based or behavioral-based automated defensive tools. Targeted social engineering is far less frequent and is difficult for an automated system to detect. A well-trained and skeptical human can be an effective countermeasure, which is why the current “best practices” defense against spearphishing is continual user awareness training. This type of training can efficiently combat most of the obvious cases of fraud, such as Nigerian “419” scams where a stranger writing in broken English promises easy riches. These examples, while comical, may lead to the false notion that all phishing scams are easy to spot and pose little risk.
Most organizations are unaware of the evolving tradecraft of advance-fee fraud (also known as 419), BES (CEO fraud), and BEC (wire-wire). SecureWorks® Counter Threat Unit™ (CTU) researchers have observed multiple campaigns where fraudsters tailored convincing and credible narratives. Whether the goal is to convince a victim to divulge their email password or send a wire transfer to a CEO impersonator, the criminals have fine-tuned their pitches and are becoming difficult for the average victim to detect. Even worse, the fraudsters are teaching each other these improved methods, creating a problem that is growing exponentially over time.