By SecureWorld News Team
Tue | Nov 20, 2018 | 8:56 AM PST

The research shows that most people at home and most employees in the office are getting better at spotting fake phishing emails.

As a result, hackers are upping their game.

They are increasingly taking time to study us, looking for points of connection and then acting like someone we know.

This is called social engineering, and when it happens at a company it is known as Business Email Compromise (BEC), because the attack is carried out through a business email account.

And it is working for cybercriminals.

The SecureWorld team just finished reading a lawsuit which reveals how hackers were able to steal money with the victim's help—in this case, nearly $600,000!

Social engineering attack, the players

This business email compromise example involves the following players:

  • Gary Bragg & Mel Staffin, partners in a real estate law firm (O'Neil, Bragg & Staffin)
  • A hacker from "Cochen International Ltd." who poses as Gary Bragg (one of the law firm partners)

The hacker starts the BEC attack

Hacker (acting as attorney Bragg and writing to law partner, Mel):

"Hi Mel—are you going to be in the office tomorrow? I have a wire for $580,000 to send to Midtown Resources for an Eagle funding loan to them but this is going to Midtown Resources investment account in Hong Kong. Let me know so I can forward the wiring instruction to you first tomorrow, as tomorrow will be a busy day for me. Thanks. Regards, Gary"

Mel's email reply: "I am in tomorrow"

Hacker: Mel—I just received Midtown Resources investment wiring instructions in Hong Kong, see below.
Bank Name: Bank of China HK Ltd
Bank Address: 774 Nathan Road Hong Kong
Swift: BKCHHKHH
Account Name: Cochen International Ltd
Account# 012-692-08439-8
Please transfer from our trust account, they need a swift copy once the wire is sent, email that to me once you take care of this. Thanks in advance. Thanks. Regards.

Mel's email reply: From which subaccount?

Hacker: From our trust account 49990 51003, sub #728. Thanks.

Mel: No time to do this right now. Will have to be tomorrow.

Hacker: Get this done first thing in the morning and email transfers swift copy once completed. Regards.

Mel: Sounds like an order.

Hacker: Tomorrow will be a busy day for me and this needs to be out tomorrow. Appreciate your help.

Mel: Me too

The wire transfer is made

What happens next? Staffin from the law firm believed the request was legitimate and, as the hacker requested, transferred $580,000 to the Bank of China account.

It was only after calling his partner in the hour following the transfer that both of them started to realize what had happened.

And as we post this story, the firm's stop payment and investigation involving Hong Kong police has only recovered $58,000 of the losses, which is what triggered the lawsuit where we discovered all of this information.

Facts the hacker got right in the attack

Remember, in a social engineering or business email compromise attack, the hacker must know details and facts that make the hacker seem legitimate so that victims will drop their guard.

In this case, look at the details the hacker knew:

  • The hacker addressed his target by his nickname, Mel.
  • The hacker referenced that he was busy, and Mel knew his partner was traveling in Seattle, so his request for help made sense.
  • The hacker knew the name of the client, Midtown Resources.
  • The hacker knew details of the "sub-accounts" where the money would come from.
  • The hacker's email "spoofed" the law firm's email address, so it seemed to be from within the firm.
  • The hacker's email contained the law firm's typical signature line.

How is this all possible? According to the legal documents, the cybercriminal gained access to one of the attorneys' inboxes and was waiting, watching, and studying the correspondence.

The hacker took time to put together the perfect crime. And they successfully kept more than $500,000 for their efforts.
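As an added example (not from the article, the firm, or the court filing), here is a defender-side heuristic in Python that scores an inbound message against the indicators listed above: a wire request, urgency, a beneficiary bank outside the firm's home country (read from the country code inside the SWIFT/BIC), a beneficiary account name that does not match the stated client, and a From address on the firm's own domain that failed SPF. The firm domain, home country, expected payee and the sample message are constructed assumptions; real spoofs also use lookalike domains, which this simple check does not cover.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the firm's mail domain, where its banks normally sit, and the client being paid.
FIRM_DOMAIN = "lawfirm.example"
HOME_COUNTRY = "US"
EXPECTED_PAYEE = "Midtown Resources"

WIRE_RE = re.compile(r"\b(wire|swift|wiring instruction)", re.I)
URGENCY_RE = re.compile(r"\b(first thing|today|tomorrow|busy day|needs to be out)\b", re.I)
# SWIFT/BIC layout: 4-letter bank code, 2-letter ISO country, 2-char location, optional 3-char branch
SWIFT_RE = re.compile(r"\bSwift:\s*([A-Z]{4})([A-Z]{2})[A-Z0-9]{2}(?:[A-Z0-9]{3})?\b", re.I)
ACCOUNT_NAME_RE = re.compile(r"Account Name:\s*(.+)", re.I)

def score_bec(raw_message: str) -> dict:
    """Return the BEC indicators found in one RFC 5322 message plus a simple count."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # Authentication-Results is stamped by the receiving MTA; a spoofed internal
    # sender shows the firm's own domain in From: without an SPF pass behind it.
    auth = msg.get("Authentication-Results", "").lower()
    swift = SWIFT_RE.search(body)
    payee = ACCOUNT_NAME_RE.search(body)
    findings = {
        "wire_request": bool(WIRE_RE.search(body)),
        "urgency": bool(URGENCY_RE.search(body)),
        "foreign_bank": bool(swift and swift.group(2).upper() != HOME_COUNTRY),
        "payee_name_mismatch": bool(payee and EXPECTED_PAYEE.lower() not in payee.group(1).lower()),
        "spoofed_internal_sender": from_domain == FIRM_DOMAIN and "spf=pass" not in auth,
    }
    findings["score"] = sum(findings.values())
    return findings

# Constructed sample modelled on the second message quoted in the article (not a real capture).
SAMPLE = """\
From: Gary Bragg <gbragg@lawfirm.example>
To: Mel Staffin <mel@lawfirm.example>
Authentication-Results: mx.lawfirm.example; spf=fail smtp.mailfrom=relay.attacker.example
Subject: Wire

Mel - I just received Midtown Resources investment wiring instructions in Hong Kong, see below.
Swift: BKCHHKHH
Account Name: Cochen International Ltd
Please transfer from our trust account. Get this done first thing in the morning.
"""
```

Every one of the five indicators fires on the constructed sample; a score threshold of two or three is a reasonable starting point for routing a message to manual verification by phone.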

The law firm sues Bank of America

We discovered this information after the law firm sued its bank, claiming Bank of America's Risk Department should have flagged the transaction or been able to stop the payment, since it was notified slightly more than an hour after the transfer request. Read the complete lawsuit here.

A judge has just ruled in the case, declaring that because the law firm itself requested the transfer, it (and the hacker) is indeed responsible for the loss.

Social engineering and BEC resources

If you'd like a crash course on these types of BEC attacks, check out the complimentary SecureWorld web conference, "Your Organization Through the Eyes of an Attacker," which is available on-demand and focuses on this tactic as well as steps to lower the risks of it happening.

Because as we learned in the case of the New Controller Who Falls for Hacker's Fake Emails, business email compromise can easily lead to losses in the millions.

Law firm hacker goes after even more cash

And in this case, the hacker made a second attempt to steal his way to seven figures. Following the transfer of $580,000 to the Bank of China, the hacker came back for more:

Hacker: Mel—Can you please share how much we have in trust account 49990 51003 as of today after the last wire to Midtown Resources. Thanks. Regards, Gary

Mel's reply: I'll call you

Hacker: Mel—okay can you call me after 1:30 p.m.
Please, I hope this is not stressful for you, can you please wire $980,000 to Midtown Resources investment account. Can you get this out today? I would appreciate your effort on this. Thanks. Regards, Gary

By this point, the jig was up, and both sides knew it. The law firm never transferred the additional money, and the hacker never contacted the company again.

When it comes to phishing and social engineering, hackers are upping their game. And it is working.
