News
“This was embarrassing.” Hackers lured an experienced employee into a vicious trap
September 2022 by Cybernews research team
“I felt the hair stand up on the back of my neck,” a longtime warehouse employee told Cybernews. Falling for a fake email, he put all of the company in jeopardy and decided to share his story to prevent others from walking into the same trap.
Last year, victims lost $2.4 billion to business email compromise (BEC) attacks in the US alone. Sophisticated scams fool even the most experienced employees who are well aware of how to spot phishing.
It’s not only embarrassment that fooled employees have to survive – a simple benign-looking email can put the entire company at risk.
It recently happened to a warehouse company in the US. An employee with 28 years of experience was tricked into believing that his client had initiated a wire transfer. Only after the bank got suspicious of the transaction he understood this was a trap. The employee, who wished to remain anonymous, agreed to share his story with Cybernews.
First clue
"I sometimes take my tenure and strong arm if needed to say, "hey, let’s expedite this, get this done so I can close this project." the employee, vice president of business development at the company, said.
He forwarded the email asking the company’s Chief Finance Officer (CFO) to close the deal with a vendor by completing the transaction. The CFO did as told and nothing seemed out of the ordinary until the bank called about the transaction.
It turns out that the receiver of the funds was trying to convert them into cryptocurrency, so the bank flagged the transaction and decided to make an inquiry. Apparently, it was a threat actor simply trying to move the funds. But how did the company get here? Let’s rewind a bit.
Convincing email
"We were in the process of purchasing a facility in Southern Indiana. I had contracted a group to remove materials from this building," the employee said.
The job was almost done, so the company agreed with the vendor’s representative to hand-deliver the check for service payment.
The employee constantly communicated with the mentioned representative over email and phone calls.
"This gentleman went away for holidays, and the dialog switched very quickly to "hey, would you mind just wiring these funds to me?" the employee said.
This didn’t seem out of line because he knew the person was traveling, and the request to wire the money came from a long thread showing their communication history. The tone of the email was impatient, but so was the person in question, so nothing raised suspicion at a time.
"The attacker that compromised the vendor’s account, they mimicked the tone, the voice and even impatience of a person, nothing seemed out of the ordinary, because this guy was regularly like that," he said.
A few days later, the CFO notified the employee the bank had stopped the wire as it appeared to be fraudulent activity.
"I panicked. What the heck did I do wrong?" he said. "I called the guy up and said, "Hey, what’s going on?" And he said, "are you gonna hand-deliver that check?" I said, oh no, what are you talking about? You’ve sent me an email note that you wanted this to be done with a wire transfer."
The conversation continued for a while, and the employee said he felt yanked around.
"I felt the hair stand up on the back of my neck.[...]I put a lot of folks at risk in our organization because I streamlined a process. I had to explain to senior leadership at our organization what had happened, which was rather embarrassing," he said.
The company did not disclose the amount of money. Still, the employee said, it was a significant sum of money, especially for an organization that works hard to be profitable and share it with the employees.
"I still feel the stress," the employee said about the attack that happened a couple of months ago. He felt financially responsible, and only now, knowing that the company got all the funds back, he can find some relief.
The employee has undergone phishing training, yet it didn’t prevent the attack. Why?
What happened?
The employee’s account was never compromised. The email that led to the trap came from a legitimate mailbox and arrived in a thread. It turned out that the vendor’s email was compromised, and attackers could send letters on the vendor’s behalf without it even noticing.
"Attackers write automated rules, so if somebody replies, that email is automatically removed and marked as unread, all of this to make sure that you don’t notice that anyone is in your inbox," Joshua Crumbaugh, CEO and Founder of Phishfirewall, told Cybernews.
We can only guess how the vendor’s inbox got compromised in this case, but scammers have been targeting C-Suite for ages. Sometimes, criminals impersonate legitimate services, such as DocuSign, fool executives into signing a document, and redirect them to a phishing site, simulating, for example, a redirect to the M365 single sign-on login page.
That way, fraudsters get their hands on credentials without raising any suspicion and use them to snoop around and intercept communications. Criminals also exploit public breach data to compromise accounts.
"They will use that account to begin phishing other employees within the organization," Crumbaugh. Most of this is automated – criminals use tools to go through the mail threads, gather the necessary context, and hide the bogus messages immediately after sending them to the victims.
"The scale of sophistication is already off the charts. In one case, cybercriminals used the breach data that had divorce records. They took those divorce records and said, you are the account recovery contact for this person, ex-husband or ex-wife, and click here to recover the account. It was brilliant because how many people wouldn’t fall for that and click because they want to see what’s behind or what their ex is up to," Crumbaugh said.
You can’t patch stupid, or can you?
Most of us train on how to spot bogus emails, hover above links, report any suspicious activity to your security team, and many more. However, you can’t get suspicious every time you get an email from seemingly a person you’ve been in touch with a lot.
Have the company’s employees done enough to make sure they were wiring the money to the proper entity?
"We looked at it and said, if finance had done XYZ, this never would have gotten this far in the first place. And now there’s a system of checks and balances, and the responsibility falls on finance. It’s finance that has all these additional processes in place to make sure that doesn’t happen," Crumbaugh said.
In this case, the attack was caught, and the losses were minimized. However, Crumbaugh believes the security community is doing enough to train users. Everyone talks about the human element and the weakest link in cybersecurity, saying, "you can’t patch stupid."
"This is one of my pet peeves because it’s accepting failure before you even try. And more importantly, it’s blaming the user for their lack of education. [...] We have zero standards defined when you talk about humans and security awareness. We’ve not come up together as a community and said this is what needs to happen. Instead, you’ve got the blind leading the blind. The problem may be that you can’t patch stupid, but that stupidity is in the information security team, not within the whole organization," he said.
Training, according to him, needs to be continuous. It’s better to have short, for example, one-minute entertaining sessions each week rather than the whole lecture about cybersecurity, covering 15 different topics once a year.
"Making it more entertaining is our obligation because it helps to get users more engaged. Users see cybersecurity as far too complex for the average user to understand. When we overcomplicate the training [...] we prove to that average user that they are right," Crumbaugh said.
