The following is a run down of the most common email-based scams of today. Grab your laptop, open your inbox, and imagine the following unread messages are waiting for you.
The email appears to come from Microsoft. It says that your Office 365 email address will be disconnected due to errors or policy violations. The only way to prevent this from happening is by verifying the address at the provided link.
This is an attempt to phish your Office 365 credentials. The sender addresses and URLs are chosen to look like something you’d expect to see around Office 365, for example micros0ftsupport@hotmail.com: a vendor name with a zero in place of the letter o, sent from a free webmail domain rather than from Microsoft. If you click the link, it takes you to an official-looking login page that requests your email address and password.
However, the site is fake. Once the scammers have your credentials, they may try to log into other Microsoft related services, as well as harvest your contacts. One common technique is to log into your email account and send your contacts an informal email (e.g., Subject: FYI) that includes another phishing URL.
This style of attack is on the rise. According to data published by Agari in its Q2 2019 Email Fraud and Identity Deception Trends report, 27 percent of advanced email attacks were launched from compromised email accounts. That is up seven percentage points from the last quarter of 2018, when 20 percent of phishing attacks came from compromised email.
It’s not just Office 365 that is being targeted either. Similar phishing attacks have been observed against other cloud-based email services such as Gmail and G Suite, Google’s cloud email offering. Given the prevalence of Google accounts, and how they are leveraged across the Internet to log into various websites, it’s no surprise that attackers have created phishing sites in this arena as well.
It’s the week of the big company summit and everyone is out of the office, save for a small number of folks maintaining critical functions. You’re a member of the finance team and part of the skeleton crew still on site. Suddenly, an email arrives in your inbox that appears to come from the CFO with the subject “Missed Payment.” The email explains that a payment that was supposed to go out last week was missed and could result in disruption to the company’s supply chain. Attached are wire transfer instructions. The sender ends by saying they will call you within the hour regarding this.
This is business email compromise (BEC) at its core. BEC scams are a form of email fraud in which the attacker masquerades as a C-level or other senior executive and tries to trick the recipient into carrying out a routine part of their job, such as approving a wire transfer, for the attacker’s benefit. Sometimes they do go as far as calling the individual and impersonating the executive. And it seems to work. According to the Internet Crime Complaint Center (IC3), there were U.S. $1.3 billion in losses in 2018 due to BEC scams.
You would think that attackers would leverage compromised accounts in BEC scams, like they do with Office 365 phishing scams. Surprisingly, according to the Agari Q2 2019 Email Fraud and Identity Deception Trends report, only about five percent of these scams do. Two thirds of such attacks still use free webmail accounts to launch the attacks, while the remaining 28 percent craft tailored attacks using registered domains. The latter level of personalization extends into the body of the email, where according to Agari, one out of every five BEC emails includes the name of the targeted recipient.
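The sender-side tells described in the Office 365 phishing section (a vendor brand in a lookalike address on a free webmail domain, a link to a non-vendor host) and in this BEC section (an executive’s display name on free webmail or on a registered lookalike domain) can be checked mechanically at the mail gateway or in a triage script. The Python below is an added example for this article, not Talos tooling or the code of any product; the brand domain list, free webmail list, executive names and sample headers are all assumed or constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed reference data for the example; a real deployment loads its own.
FREE_WEBMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "aol.com"}
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "google": {"google.com"},
}
# Digit/symbol-for-letter swaps commonly used in lookalike names (micros0ft, examp1e).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "|": "l"})


def normalize(text):
    """Lower-case and undo the homoglyph swaps so 'Micros0ft' compares equal to 'microsoft'."""
    return text.lower().translate(HOMOGLYPHS)


def belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 or 2 between domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, corp_domain, executives, reply_to=None):
    """Return a list of findings for a From: header (and optional Reply-To:).

    corp_domain: the organisation's own mail domain; executives: display names whose
    impersonation should be flagged (both assumed inputs for the example).
    """
    findings = []
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    norm_addr = f"{normalize(local)}@{normalize(domain)}"

    # Credential-phishing tell: a vendor brand in the address, but not the vendor's own domain.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in norm_addr and not belongs_to(domain, legit):
            findings.append(f"brand '{brand}' in sender but domain {domain} is not one of {sorted(legit)}")

    # BEC tell: an executive's name as display name on a domain that is not the corporate one.
    if normalize(display) in {normalize(e) for e in executives} and domain != corp_domain:
        if domain in FREE_WEBMAIL:
            findings.append(f"executive display name '{display}' on free webmail {domain}")
        elif normalize(domain) == corp_domain or edit_distance(domain, corp_domain) <= 2:
            findings.append(f"executive display name '{display}' on lookalike domain {domain}")
        else:
            findings.append(f"executive display name '{display}' on external domain {domain}")

    # A Reply-To pointing elsewhere routes the victim's answer to the attacker.
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].lower().rpartition("@")[2]
        if reply_domain and reply_domain != domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    return findings


def check_links(urls, brand):
    """Return the links whose host is not owned by the brand the mail claims to come from."""
    return [u for u in urls if not belongs_to((urlparse(u).hostname or "").lower(), BRAND_DOMAINS[brand])]


if __name__ == "__main__":
    # Constructed sample headers modelled on the scenarios in the article.
    execs = ["Pat Lee"]  # assumed CFO display name
    print(check_sender("Microsoft Support <micros0ftsupport@hotmail.com>", "example.com", execs))
    print(check_sender("Pat Lee <pat.lee@gmail.com>", "example.com", execs))
    print(check_sender("Pat Lee <cfo@examp1e.com>", "example.com", execs, reply_to="pat.lee@protonmail.com"))
    print(check_links(["https://login.micros0ft-verify.com/o365", "https://login.microsoftonline.com/"], "microsoft"))
```

The homoglyph table and the edit-distance threshold are deliberately crude; in practice they are a first-pass filter that feeds a human review queue, and a lookalike hit on an executive name should be treated as high priority regardless of the remaining content of the message.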
An email arrives in your inbox with the subject “YOU SHOULD TAKE THIS VERY SERIOUSLY.” The sender of the email claims to have compromised an adult video web site and that you visited the site. He or she also claims to have recorded you over your webcam, alongside the videos they assert you have watched. Besides that, the sender claims to have gained access to your contacts and will send them all the footage, unless you pay them hundreds, if not thousands, of dollars in Bitcoins.
This is digital extortion. The only thing that separates this from more traditional extortion scenarios is that the claims are completely fabricated. The scammers haven’t compromised a web site, they haven’t recorded you, and they don’t have your contact list. They’re simply hoping to trick you into believing that they do.
It’s an interesting trick and a lucrative one: profits gathered from a single digital extortion campaign reached into the six-figure range near the end of 2018. However, according to the latest analysis conducted by Cisco Talos, covering January through March 2019, profits have since declined. The rise and fall of these profits loosely tracks the value of Bitcoin, albeit with larger declines. As the value of Bitcoin appears to be rising again, it will be interesting to see whether digital extortion payouts follow.
“I don’t remember buying a subscription to this mobile app,” you say to yourself. That’s at least what the email implies: a lifetime subscription to, say, a movie club. Hold on, the location listed in the invoice says it was purchased in Sri Lanka. And you don’t even live in Sri Lanka. “There must be some mistake,” you say to yourself as you quickly open the attached PDF to investigate.
Unfortunately, that PDF contained an exploit, which ultimately downloaded Emotet onto your device. The scam varies but usually centers around a package you didn’t order, an invoice for something you didn’t purchase, or a monthly payment for a subscription or service you didn’t enroll in. This can lead to any number of malicious results, from stolen banking credentials to cryptomining.
It’s not every day you receive an email from the FBI. It’s even less common to receive one informing you of a pending transfer of $10.5 million! All you need to do is reply to the email, and they will instruct you on what you need to do to receive the payment.
This is a classic advance fee fraud scam. As the name implies, the scammers will ask for a fee before they’ll send you the promised money—money that never appears. It’s also one of the older email scams, having taken different forms over the years, from a foreign prince wishing to share his wealth to loan approvals for people with bad credit. Still, the scams persist, with thousands of such email scams reported to the U.S. Better Business Bureau (BBB) each year.
We cover the many forms of this type of email scam in our Threat of the Month blog post, Your money or your life: Digital extortion scams.