Yesterday, Shark Tank’s Barbara Corcoran made headlines when she revealed that she had lost nearly $400,000 after her bookkeeper fell victim to a phishing scam. She’s certainly not alone. According to the FBI’s 2019 Internet Crime Report, the Internet Crime Complaint Center (IC3) received a total of 467,361 complaints in 2019, with reported losses exceeding $3.5 billion.
The tactics the cybercriminal used to trick Corcoran’s bookkeeper are ones we see regularly in attacks caught by our systems here at Barracuda.
How the phishing scam happened
Corcoran explained to People that her bookkeeper received a fake invoice that supposedly came from Corcoran’s assistant. The invoice was for $388,700.11 from a company called FFH Concept GmbH in Germany for real estate renovations, which was not an unusual invoice based on the Shark Tank star’s real estate investments. The bookkeeper communicated with the person she thought was Corcoran’s assistant through a series of emails and eventually sent a wire transfer for the requested amount.
The mistake was discovered when the bookkeeper followed up with Corcoran’s assistant using her true email address. The attacker had misspelled the assistant’s email address by one letter, an error that was easy to miss. But by then, it was too late. The attacker had disappeared, and Corcoran says she will not be able to recover any of the funds. According to TMZ, Corcoran’s IT team were able to trace the scam emails back to a Chinese IP address.See how one easy-to-miss typo in an email address led to almost $400,000 in losses #EmailSec #ConversationHijacking #DomainImpersonationClick To Tweet
Domain impersonation and conversation hijacking
Only 7 percent of the spear phishing attacks we see are business email compromise (BEC). This particular attack used not only techniques usual for BEC — such as impersonating a senior executive or their assistant and requesting a wire transfer — but also the harder to detect techniques of domain impersonation and conversation hijacking.
In conversation hijacking, cybercriminals insert themselves into existing business conversations or initiate new conversations based on information they’ve gathered from compromised email accounts or other sources. Then, attackers use email-domain impersonation, sending convincing messages from impersonated email addresses to trick victims into wiring money or updating payment information.
As we reported last month, our researchers have seen 400-percent increase in domain-impersonation attacks used for conversation hijacking. In July 2019, there were about 500 of this type of domain-impersonation attack in the emails analyzed, and that number grew to more than 2,000 in November.
Although we don’t know for certain if either an email account was compromised in this instance, the phishing attack against Corcoran’s bookkeeper fits the pattern for conversation hijacking. The attacker had clearly done research on what would make the attack convincing and was able to carry on a series of emails without sending up red flags.Barracuda researchers have seen 400% increase in #DomainImpersonation attacks used for #ConversationHijackingClick To Tweet
For example, the hacker knew Corcoran has real estate investments, understood her business in Germany, and researched who is the right person to phish and impersonate within the organization. The attacker was so well informed that they were able to have a back-and-forth conversation with their victim. The scammer even went to trouble of registering impersonating domain. All this preparation requires an expense, but with such a big payout it was worth it for the attacker in the end.
That’s one reason real estate scams are becoming increasingly popular with cybercriminals. They involve large sums of money, and wire transfers aren’t unusual. According to an IC3 report, between 2015 and 2017, the number of BEC victims reporting a real estate transaction angle increased 1,100 percent.
How to avoid falling victim to a similar attack
There are a few steps you can take to avoid having your organization fall for a phishing scam like this, a mistake that could be very costly.
- Educate employees — Teach your employees how to recognize email attacks such as phishing, business email compromise, and conversation hijacking, as well has how to report suspicious messages. Use phishing simulation to train users to identify cyberattacks, test the effectiveness of your training, and evaluate the users most vulnerable to attacks
- Add account-takeover protection — Make sure you have technology in place that can detect and block business email compromise and other impersonation attacks.
- Watch for unusual logins or IP addresses — Use an email security solution to identify suspicious activity, including logins from unusual locations and IP addresses, a potential sign of a compromised account.
- Establish policies to confirm transactions — Help employees avoid falling for this type of attack by putting procedures in place to confirm email requests for wire transfers.
Olesia Klevchuk is Principal Product Marketing Manager for email security at Barracuda Networks. In her role, she focuses on defining how organizations can protect themselves against advanced email threats, spear phishing and account takeover. Prior to Barracuda, Olesia worked in email security, brand protection, and IT research.