Hacking Back: Agari Turns the Tables on Next-Gen E-mail Scammers

What would happen if a total stranger with a poor command of English asked the payroll manager of an American corporation to send him the Internal Revenue Service Form W-2’s for the company’s entire staff?

Answer: Some payroll managers would obligingly send the stranger a PDF of all the forms, containing the names, Social Security numbers, addresses, and other personal data on every employee. When this happens—and it does happen—that disgorges a treasure trove of information that the stranger, an e-mail scammer, can use to steal the identities of the victims, set up false credit card accounts in their names, and leave them to prove that the debt isn’t theirs.

Criminals use an e-mail scam called “business e-mail compromise” to get hold of this data, or, more often, to extract money from their quarries by pretending to be the target company’s CEO or a trusted business partner. Such ploys don’t work every time, but they succeed often enough to cause billions of dollars in losses to companies and their workers, says John Wilson, Field CTO of San Mateo, CA-based cybersecurity company Agari.

Wilson (pictured) is a liaison for businesses interested in Agari’s e-mail protection system, and he also pitches in on investigations of e-mail hacks. Among his tactics is a form of “hacking back,” by intercepting scammers’ messages and pretending to be a promising victim so he can find out more about them.

For Wilson, there’s no moral or ethical dilemma in fooling the cybercriminals. “After all, they are victimizing American businesses,” he says. But Wilson says he limits his tactics to comply with state and federal laws. That prevents him from doing something like inserting malware, such as a keylogger, into the scammers’ computers, or secretly recording his phone conversations with them in a state such as California that requires the consent of both parties to a call, he says.

Many e-mail attacks come from sophisticated underworld networks using advanced techniques. But Wilson, who did his detective work on attempted attacks against Agari’s clients, found apparently low-skilled cybercriminals who used very simple deceptive tactics, and who were able to find enough information to target a company after less than a half-hour of research on social media sites. A few of these attackers came from South Africa and Romania, but most were based in Nigeria.

“The old Nigerian prince has come back in a new form,” Wilson told Xconomy in an interview. He’s referring to the scammers who famously e-mailed hordes of individuals, claiming to be African royalty, and promising they would share a fortune if the victim would only advance some money to help free the treasure from various fictional entanglements. Now, such fraudsters are focusing on businesses, and they tailor their approaches for specific victims, Wilson says.

But they’re still using perhaps their greatest tool: a canny sense of the psychological vulnerabilities of their prey. Among the victims, Wilson found a complex mixture of gullibility, trust in company authorities, complacent faith in the technological environment of business, loneliness, greed, and even unrequited love.

But what Wilson would also uncover, by turning some of the fraudsters’ own tactics against them, is that they display some of the same traits and weaknesses as their dupes.

Business e-mail attacks boom

The FBI, noting a huge surge in e-mail attacks, says companies across the globe have reported more than $3.1 billion in actual or potential losses due to business e-mail compromise attacks since October 2013.

As we know from the successful e-mail hack last year of Hillary Clinton’s presidential campaign chairman John Podesta’s Gmail account, even a wary victim with IT support can mistakenly let intruders in. That attack was allegedly carried out by expert Russian cyberattackers, but someone in Podesta’s organization made a simple, unforced error due to a miscommunication with IT staffers, according to an analysis of the hack. They changed Podesta’s password by using a link sent in a hacker’s e-mail.

The apparent goals in that hack were world-shaking—to influence the U.S. presidential election. But e-mail scammers are also targeting small companies for a potential yield of as little as a few thousand dollars, Peter Bauer, CEO and co-founder of U.K.-based Mimecast told Xconomy in November. Like Agari, Mimecast (NASDAQ: MIME) devotes itself to e-mail security.

It could be that small-potatoes hackers like those Wilson identified are finding easy prey among small companies as well as large ones.

Criminals prepare for a “business e-mail compromise” attack with a quick tour around social media sites such as LinkedIn and Facebook, where they find the names of a company’s CEO, the finance team, payroll managers, and other possible targets, Wilson says. The scammers also figure out the e-mail address pattern of the business, such as: [email protected].

Then they create a spoofed e-mail address very similar to the real one—perhaps by altering a letter or two in the company name. For example, they might take out a “d” and sub in a two-letter combination that looks like the “d” at a quick glance: “c” and “l.” The attackers are counting on the fact that e-mail recipients routinely focus on the name of the sender, without scrutinizing the rest of the address, Wilson says.

Now the scammer is ready to send a fake message from the company “CEO” to company finance team members—late in the day—with an urgent order to send money through a wire transfer, say. Wilson says they typically ask for an amount between $20,000 and $150,000. Of course, the fraudsters direct the employee to send the money to an account they control. And some of the e-mail recipients fall for it.
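The lookalike-domain trick described above (a “cl” standing in for a “d”) and the forged “CEO” display name are both things a mail gateway can check before a finance team member ever sees the message. The following is an added Python example written for this page, not Agari’s code or anything from the article; the company domain, the executive names and the confusable pairs other than “cl”/“d” are constructed assumptions.

```python
import re
from typing import List

# Visual substitutions that let a spoofed domain pass a quick glance.
# "cl" for "d" is the trick the article describes; the other pairs are
# assumed additional examples of the same kind, not taken from the page.
# Single-character swaps come first so "c1" -> "cl" -> "d" folds in one pass.
CONFUSABLES = [("0", "o"), ("1", "l"), ("cl", "d"), ("rn", "m"), ("vv", "w")]

# Constructed sample data for the example (not from the page).
LEGIT_DOMAIN = "worldwide-example.com"
EXECUTIVES = {"pat example", "chris sample"}


def fold_confusables(domain: str) -> str:
    """Collapse confusable sequences so a lookalike folds onto its target."""
    folded = domain.lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def parse_from(header_value: str):
    """Split a From: header value into (display name, address domain)."""
    m = re.match(r'\s*(?:"?([^"<]*?)"?\s*)?<([^>]+)>\s*$', header_value)
    if m:
        name, addr = (m.group(1) or ""), m.group(2)
    else:
        name, addr = "", header_value.strip()
    return name.strip().lower(), addr.rsplit("@", 1)[-1].lower()


def flag_sender(header_value: str) -> List[str]:
    """Return the reasons a From: header looks like CEO fraud, if any."""
    name, domain = parse_from(header_value)
    reasons = []
    if domain != LEGIT_DOMAIN:
        # Sender is outside the company: is the domain a visual twin?
        if fold_confusables(domain) == fold_confusables(LEGIT_DOMAIN):
            reasons.append("lookalike domain: %s" % domain)
        # Is an executive's name being shown over an outside address?
        if name in EXECUTIVES:
            reasons.append("executive display name from outside domain")
    return reasons
```

An empty list means the header passed both checks; anything else is a reason to hold the message for review rather than act on a wire request in it.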

Here’s where the con artist needs a second victim, or an accomplice: a person who will maintain a bank account to receive the money, and will quickly transfer the funds to another account. Some of these people are knowing participants in the money laundering scheme, and they take a small cut. Scammers can recruit these accomplices by calling the activity a “work from home” job, Wilson says.

But the crueler way of lining up such assistants is the “romance scam,” Wilson says. The criminal cruises online dating sites to prey on lonely people, cultivate relationships with them, and persuade them that their new “boyfriend” wants to build a nest egg with them so they can be together. The unwitting victim—or willing accomplice—sets up what banks call a “mule account,” which is often re-used for multiple scams.

Hacking back

As a sort of side project along with his regular job, Wilson decided to play along with the scammers and see what he could discover. Agari flags e-mails with spoofed addresses that are sent to its clients. Wilson picked some of these, and sent replies with a general message like, “I’m in the office…what do you need?”

The scammers were as unsuspicious of Wilson as their victims often are of them, he says. They sent him their wire transfer orders and their account numbers. He would then tip off the bank in question, which would put a lock on the account.

“If any money comes in, it can’t go back out,” Wilson says. “It really kind of puts a damper on the criminal. They spend a lot of time cultivating these mules.”

Wilson was also able to fool a criminal into sending him a location, by claiming

Author: Bernadette Tansey

Bernadette Tansey is a former editor of Xconomy San Francisco. She has covered information technology, biotechnology, business, law, environment, and government as a Bay area journalist. She has written about edtech, mobile apps, social media startups, and life sciences companies for Xconomy, and tracked the adoption of Web tools by small businesses for CNBC. She was a biotechnology reporter for the business section of the San Francisco Chronicle, where she also wrote about software developers and early commercial companies in nanotechnology and synthetic biology.