LAKE MARY, Fla. — A first-of-its-kind study investigates exactly how cyber-criminals use email phishing attacks to steal billions. The study includes surprising new information about the tactics criminals use, how quickly they attack, and how compromised emails are used to commit fraud.
Cybercrime is a growing concern in the United States and has become one of President Biden’s top priorities. A recent ransomware attack shut down the Colonial Pipeline, leading to long gas lines and driving up prices.
Days later, another attack targeted JBS, the nation’s largest meat supplier.
Just last week, we learned 200 U.S. companies were affected by a ransomware attack that started when hackers hit a Florida-based I-T company.
Meanwhile, federal agents are still assessing damage from the SolarWinds hack, which was discovered last December.
Experts have described that as the nation’s largest cyber-intrusion to date, with the City of Tampa listed as one of 18,000 entities whose computer network was potentially compromised.
But the FBI says "business email compromise," or BEC attacks account for the largest losses when it comes to cyber-crimes.
“$1.8 billion was lost in 2020 alone from BEC attacks,” said Crane Hassold.
Half of accounts accessed within 12 hours, 91% within a week
Hassold recently oversaw a study for the internet security company Agari.
The company created fake email accounts, then used them to sign on to known phishing sites, most of which appeared to be legitimate business pages for companies including Dropbox, DocuSign and Microsoft 365.
“Over about a six-month period, we were able to identify more than 8,000 of these phishing sites and seed our credentials into them,” Hassold said.
Then they observed how quickly the accounts were compromised.
Half were accessed within 12 hours, 91% within a week.
“We saw attackers from 44 different countries all around the world,” Hassold said. “We already know a lot of money is being lost from these attacks. It hasn’t been clear what the behavior looks like, what the attacker behavior looks like behind the scenes.”
“It was my life’s savings”
Some accounts were used as hosts to send other phishing emails.
“We were able to see one actor that tried to send 12,000 phishing emails to real estate and title companies in the U.S. after the account had been compromised,” Hassold said.
Those were intended to commit wire fraud, with scammers targeting emails of people involved in real estate transactions.
“I had no idea. Nobody ever even warned me about it,” said 25-year-old Carly Andreatos.
She and her husband Joseph were in the process of buying their first home in late April when they received wiring instructions in an email that appeared to come from the paralegal assisting in the transaction.
Andreatos didn’t notice grammatical errors in the email.
The office phone number for the law firm had a different area code than the firm’s location.
Yet Carly sent her $22,893 down payment to the account number shown in the email.
"It was my life’s savings,” she said.
When she called to make sure the transaction went through, she learned it went to the wrong account.
“They’re like oh no, no, no, that’s not our account number. So I immediately hung up the phone with them, I called my bank, put a recall on it,” Carly said.
She alerted authorities before the money left the country.
The account has been frozen, so she hasn’t been able to close on her home, but she has been told she will be able to recover the money.
FBI: $115 million in losses from Florida victims
Others are not so lucky.
The FBI reported 1,381 victims of business email compromise in Florida last year, with losses of more than $115 million.
Many were small business owners, whose email accounts were hacked.
Criminals then sent invoices to their customers, who wired payments to the bad guys’ accounts.
“They ask for a payment that’s actually due. Creating a very realistic-looking email,” Hassold said.
Hassold says business email compromise is on the rise because it works.
“They’re all exploiting very much the same type of human emotions… fear, anxiety, doubt, reward,” he said.
Carly wishes she had been more careful verifying the email before she sent money and hopes others can learn from her mistake.
“It’s gonna make me quadruple check the next time I buy a house,” she said.
The Internet Crime Complaint Center has information about how to recognize and report cybercrime and tips to keep you from becoming a victim.
If you have a story you think the I-Team should investigate, email us at firstname.lastname@example.org.