Email Scams And Social Engineering: The Puppet And The Master

Venturing into your inbox on a Monday morning can feel like the most mundane of tasks. It’s easy to read, respond to, and discard new emails when you have hundreds of them to sort through. But in the process, you may be letting malicious entities slip through the cracks—and the chain reaction that can result has disastrous potential.

Early last year, international law enforcement banded together to make 281 arrests in a worldwide, four-month investigation known as Operation reWired, designed to shut down a series of business email compromise (BEC) scams with losses totaling over $24 million. The arrests spanned multiple countries and continents and were tied to seized assets, extensive tax fraud, and identity theft.

Yet at the heart of this enormous operation was BEC: a scam that most commonly involves manipulating the employees of an organization via social engineering into transferring money to fraudulent accounts. The fraudsters gain access to the organization's email, tamper with invoices that are awaiting payment, and reroute the money to accounts they control.

The scheme relies on social engineering to exploit inattention to detail in email, an extremely troublesome combination for employees flooded with contacts and invoices day-to-day. Cybercriminals understand that most people won't give a routine-looking email a second thought, and will inadvertently play right into their hands.

Understanding the Scheme

One of the BEC scams investigated by Operation reWired took place in northern Illinois, where a large community college was defrauded of $3.3 million.

In 2016, the college had a payment due to a Minneapolis construction company. It received an email that claimed to be from an accounting manager at the company, requesting that the college update its Automated Clearing House (ACH) details for the payment.

The college did, and sent the $3.3 million to the new account. The money was then split into checks smaller than $10,000 and sent off to other companies. Suspicious of the split payments, Bank of America froze the account, and the college ended up recovering most of its money.

In another investigated scam, a Houston-based energy company was drawn in with the same ACH switch. Here, however, the fraudsters went a step further: they compromised an employee account at one of the company's suppliers and changed its mailbox settings to forward new emails to themselves.

The company ended up sending over $1.7 million to the fraudulent account, most of which was recovered later on. According to prosecutors in the ensuing case, the company had believed the emails from the "supplier" to be legitimate, yet another example of a BEC scam leveraging inter-company trust.

Access Denied

When it comes to unauthorized access to your most important accounts, you may not read between the lines until it’s too late.

BAI Security makes risk detection and prevention our number one priority in order to keep your information safe. Our Social Engineering Evaluation aims to minimize the threat of BECs and other targeted scams with a simulation that includes multiple Enhancement Options:

  • In-Person or Over the Phone Security Audits
  • End Point Compromise
  • USB Flash Drive Drop
  • Black Box Placement
  • Multiple Scenarios

Keep an eye out for the details that count, and contact us today.

Posted in BAI Security Blog, Security Risks, Social Engineering.