Data breaches happen, but phishing scams are leaving 64 percent of financial institutions and banks exposed online every day to criminals through insecure e-mail channels, according to a new report.

Agari, a California-based cybersecurity firm fighting to keep business e-mails protected, reported that over the past 10 months it has found and analyzed 78 criminal e-mail accounts, containing 59,652 unique e-mail messages, from 10 organized crime groups. Nine out of the 10 organized crime groups were based in Nigeria, and the rest were from Kenya.

“About 10 years ago, the most common type of fraudulent e-mail was a phishing e-mail, in which an intended victim received an e-mail appearing to come from his or her bank, asking him or her to click on a link to log in,” the report said. “Historically, another common type of fraudulent e-mail was the consumer-facing ‘Nigerian prince’ e-mail. Recently, these e-mail attacks have switched to target enterprises, and most of the time, the attacker attempts to impersonate a colleague or a vendor asking for a transfer of funds.”

Governments, financial institutions and midsize to large companies have all felt the impact of these scams, which cost these businesses over $4.5 billion last year, Agari reported. An average business e-mail scam collected $35,500 from a business or individual, it added.

According to statistics from the FBI’s Internet Crime Complaint Center, such attacks have a profit ranging from $982 to $5,236 per answered e-mail, making them at least 700 percent more lucrative than a romance scam, the Agari report found.

Agari said that 3.97 percent of people who answer a compromised business e-mail become victims.

The Silicon Valley team noted that the majority of organized crime groups were primarily using romance scams until about 2016, when they began focusing more on attacking businesses. The crime groups would run a romance scam through e-mail services for about 25 days, but they found they got a quicker response and more money from business e-mail attacks, which generally last less than three days, the report said.

To avoid detection and keep their scams running, organized crime groups use legitimate infrastructure and online tools, and they send e-mails timed to coincide with American business hours, from 7 a.m. to 4 p.m. Eastern time.

Gmail is commonly used to set up accounts, Grammarly is used to correct spelling and grammar before sending the e-mails, and RocketReach and GuideStar are consulted to find business listings, Agari’s research noted.

Leaders and security experts from Cisco’s IronPort Solutions created the Agari platform for security experts in businesses, government agencies and customers to reduce the risk of such scams. Through the platform, a trusted e-mail channel protects secure interactions, data and ultimately the business and its brand.
