“Phishing” is the term used for a series of actions involving the use of emails and/or websites to improperly obtain usernames, passwords and financial information through deceptive means. Phishing attacks use both social engineering and technical subterfuge to steal sensitive information, including consumers’ personal identity data and financial account credentials, in order to gain unauthorized access to funds. Social engineering schemes use spoofed emails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers.
Phishing attacks can be broadly classified into the following categories:
- Spear Phishing – Essentially an electronic communications scam targeted at a specific individual. In this form of phishing, scammers research the target’s profile thoroughly, design communications so that the target believes they come from a trusted sender, and prompt the victim to reveal confidential information to the scammers.
- Whaling – It is a type of phishing activity which targets a more specific class of individuals who typically hold senior management profiles in organizations. These targets are considered valuable since they have the authority to authorize large transactions while having access to sensitive information.
- Search Engine Phishing – Fake websites created to target specific keywords that users search for on search engines. Upon accessing these fake websites, users may be prompted to enter sensitive financial information or to click malicious links, leading to a compromise of their credentials.
- SMiShing – A kind of phishing where users are targeted through SMS alerts that redirect the user to a fake link designed to gather valuable information.
Business Email Compromise (“BEC”)
Until a few years ago, e-mail scams were relatively easy to spot, and most targets could readily recognize that the real purpose of the email was phishing. Examples include the emails from a “Nigerian prince”, “miscellaneous lotteries” and other fraud attempts that arrived in personal and business e-mail inboxes; these were fairly obvious and consequently ignored. Today, however, scammers have refined their techniques considerably, employing sophisticated methods of phishing such that even a vigilant reader can be deceived with ease.
The following are some methods through which BEC has been executed:
- False Invoice Scheme: Companies with foreign suppliers are often targeted with this tactic, wherein the scammers contact the domestic company posing as its international suppliers and manipulate the invoices or payment details sent to the company, so as to divert the funds into an account controlled by the scammers. The scammers use language specific to the company they are targeting and generate invoices that are deceptively similar, or identical, to the original invoices issued by the foreign supplier. Through these invoices the scammers insert their own payment details and receive payments against real or fabricated invoices.
- Chief Executive Fraud: Attackers pose as one of the company’s high-level executives and enter into electronic communication with the employees of the organization, who are more often than not, employed in the finance department. Through this established communication channel, the fraudulent persons convince the employee to transfer a significant amount of funds to their account.
- Account Compromise: Similar to the false invoice scheme (explained above), the persons engaging in BEC hack into, or create an ID deceptively similar to that of an executive or employee’s email account, and request invoice payments to vendors listed in their email contacts. These payments are then redirected to an account of the fraudulent person.
- Theft from Human Resources: Employees of the human resources department are frequent targets of the scammers as they store, or have access to, personal or otherwise sensitive information about other employees and executives of the organization, which is generally maintained in their database. All such data is valuable to the scammers and helps aid their operations.
In summary, BEC, in its essence, is a tactic to compromise business email accounts, typically to facilitate unauthorized fund transfers. It is an exploit in which an attacker impersonates the owner of a business email account to defraud the company, its employees, customers, vendors, or partners. Often, an attacker will create an account with an email address almost identical to the one used by the targeted organization, relying on the pre-existing established relationship between the victim and the corresponding email account.
One of the main reasons for the success of BEC is that the scammers are not targeting unsuspecting individuals at random, but specific individuals selected through exhaustive research on the individuals and their behavioral patterns. As such, the only way of protecting yourself from falling victim to a BEC attack is vigilance.
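The two BEC red flags described above, a sender address “almost identical” to a known one and an invoice whose payment details differ from those on file, can both be screened for mechanically before a payment is approved. The following is an added example written for this page, not code from the article or its author; the vendor master data, domains, bank account numbers and e-mails are all constructed, and the look-alike folding table is illustrative rather than exhaustive.

```python
from __future__ import annotations
import re

# Constructed vendor master data (hypothetical): the bank details on file for each
# known supplier, keyed by the exact domain the supplier sends invoices from.
VENDOR_MASTER = {
    "acme-parts.example": {"iban": "DE89370400440532013000"},
    "globex-supply.example": {"iban": "GB29NWBK60161331926819"},
}
# The organisation's own domain (hypothetical), so executive impersonation is caught too.
INTERNAL_DOMAIN = "victimcorp.example"

# IBAN written with or without spaces between groups; spaces are stripped after matching.
IBAN_RE = re.compile(r"\b([A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30})\b")
# Wording that typically accompanies a fraudulent change of payment details.
CHANGE_RE = re.compile(r"\b(new|updated|changed)\b.{0,20}\b(bank|account)\b", re.I)


def normalise_domain(domain: str) -> str:
    """Fold common look-alike substitutions so e.g. 'acrne-parts' compares equal to 'acme-parts'."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character typosquats the folding table does not cover."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike:<impersonated domain>' or 'unknown' for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower()
    known = [INTERNAL_DOMAIN, *VENDOR_MASTER]
    if domain in known:
        return "trusted"
    for k in known:
        if normalise_domain(domain) == normalise_domain(k) or levenshtein(domain, k) <= 2:
            return f"lookalike:{k}"
    return "unknown"


def check_invoice(sender: str, body: str) -> list[str]:
    """Return the red flags for one invoice e-mail; an empty list means nothing suspicious."""
    findings: list[str] = []
    verdict = classify_sender(sender)
    domain = sender.rsplit("@", 1)[-1].lower()
    if verdict.startswith("lookalike:"):
        vendor_key = verdict.split(":", 1)[1]
        findings.append(f"sender domain {domain} impersonates {vendor_key}")
    elif verdict == "unknown":
        vendor_key = None
        findings.append(f"sender domain {domain} is not a known vendor")
    else:
        vendor_key = domain
    # Compare every account number in the body against the one on file for that vendor.
    on_file = VENDOR_MASTER.get(vendor_key, {}).get("iban") if vendor_key else None
    for raw in IBAN_RE.findall(body):
        iban = raw.replace(" ", "")
        if on_file and iban != on_file:
            findings.append(f"payment IBAN {iban} differs from IBAN on file for {vendor_key}")
    if CHANGE_RE.search(body):
        findings.append("body announces a change of bank details; verify out of band")
    return findings


# Constructed sample e-mails: one genuine invoice, one false-invoice attempt from a
# look-alike supplier domain, and one executive impersonation from a look-alike internal domain.
SAMPLES = [
    ("billing@acme-parts.example",
     "Invoice 4471 attached. Please remit to IBAN DE89 3704 0044 0532 0130 00 within 30 days."),
    ("billing@acrne-parts.example",
     "Invoice 4472 attached. We have updated our bank details: please remit to "
     "IBAN GB33 BUKB 2020 1555 5555 55."),
    ("ceo@victimc0rp.example",
     "Need an urgent wire transfer today, will send details."),
]


def screen_samples() -> dict[str, list[str]]:
    """Run the checks over the constructed samples and return findings per sender."""
    return {sender: check_invoice(sender, body) for sender, body in SAMPLES}


if __name__ == "__main__":
    for sender, flags in screen_samples().items():
        print(sender, "->", flags or "OK")
```

The check is deliberately conservative: a genuine supplier that really has changed banks will trip the same flag, which is the point, since the article’s advice is that such changes be confirmed through a channel other than the e-mail that announced them.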
About the Author
Prashant Kataria is a Partner at Algo Legal, a law firm headquartered in Bangalore with offices in Mumbai and Delhi. Algo Legal is a new age technology backed law firm focusing on Venture Capital firms and VC-funded start-ups and adept in advising on M&As, private equity transactions, joint ventures, amongst others. Prashant is an alumnus of the prestigious National Law School of India University, Bangalore.
He has over 16 years of legal transactional experience in two jurisdictions (India and Singapore) in the areas of venture capital, private equity, M&A and infrastructure privatization projects. Over the course of his career he has garnered experience advising several corporates on diverse corporate-commercial matters, including employment/labor law, IP, real estate matters, etc.