
UK impersonation fraud up 39% in last quarter of 2016

Just ahead of the end of the UK tax year, a survey underlines the importance of guarding against business email compromise aimed at stealing data and money

The use of fake or compromised email accounts to steal information increased by 39% in the last three months of 2016, a newly published UK survey has revealed.

By pretending to be someone in authority, such as the CEO or chief financial officer, attackers can trick people into sending them confidential data such as HR records or tax data.

Some 19% of UK respondents to a poll by email security firm Mimecast admitted that sensitive data from their organisation had been sent via email by an employee in response to a phishing email in 2016.

Nearly a quarter of UK respondents admitted they had suffered a loss of confidential data due to email-based impersonation attacks in 2016.

The practice, known as business email compromise, CEO fraud or whaling, is also commonly used to trick people into making money transfers to accounts controlled by cyber criminals.

The survey found that 17% of the 150 IT leaders polled in the UK said their organisations had suffered direct financial loss.

The survey’s findings are consistent with what the UK’s National Crime Agency (NCA) is seeing on the ground: email spoofing, that is, creating messages with a forged sender address that appears to come from a company executive, is increasingly being used to trick staff into sending confidential data or money.


Business email compromise is rising rapidly in the UK, Mike Hulett, head of operations for the NCA’s National Cyber Crime Unit (NCCU) told Cybercon 2017 in Plymouth.

“These attacks have become increasingly sophisticated. They have moved beyond simple phishing emails, with cyber criminals monitoring potential victims for months to work out their level of authority, when the chief of finance goes on holiday, and who does what to the social engineering email,” said Hulett.

Ensuring businesses are safe

In the run-up to the end of the UK tax year, the survey highlights the importance of ensuring that businesses are protected against this type of attack.

However, the survey also found only a third of UK organisations surveyed have conducted impersonation fraud security training around tax certificate submissions.

“Impersonation attacks via email have grown, and are now the easiest way for criminals to steal money and valuable data,” said Pete Banham, cyber resilience expert at Mimecast.

“Unlike typical phishing scams, impersonation attacks rarely include a malicious link or attachment, bypassing many traditional security detections,” he said.

Convincing email requests

According to Banham, the language and phrasing of the email requests are designed to sound just like requests that might come from CEOs, HR and finance staff.

“Emails may begin with a simple greeting, such as ‘Hello, how are you?’, before asking for P60 tax data or some other sensitive document,” he said.

Criminals will often register domain names that closely resemble those of target companies, or pose as employees by sending from personal webmail accounts.
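The two sender patterns described above (a lookalike domain, and an executive's display name on a webmail address) can be caught at the mail gateway without relying on a malicious link or attachment being present. The following is an added example, not code from the article or from Mimecast; the organisation's domain, the protected executive names and the sample From: headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Assumed organisation data for this example (not from the article).
OWN_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane smith", "john doe"}   # display names of executives to protect
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "yahoo.co.uk"}

# Common digit-for-letter substitutions used in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise_domain(domain):
    """Fold look-alike substitutions so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower().rstrip(".").translate(_HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Plain edit distance; inputs are short, so a full DP row is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return ('internal' | 'suspicious' | 'external', [reasons]) for one From: header."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", ["unparseable address"]
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == OWN_DOMAIN:
        return "internal", []

    reasons = []
    own_norm, dom_norm = normalise_domain(OWN_DOMAIN), normalise_domain(domain)
    own_label = OWN_DOMAIN.split(".")[0]
    # Lookalike: identical after homoglyph folding, or within two edits.
    if dom_norm == own_norm or levenshtein(dom_norm, own_norm) <= 2:
        reasons.append("lookalike domain")
    # Brand embedded in a longer external label, e.g. example-payments.com.
    elif own_label in domain.split(".")[0]:
        reasons.append("own brand embedded in external domain")
    # Executive's name on a mailbox the organisation does not control.
    if name.strip().lower() in PROTECTED_NAMES:
        if domain in WEBMAIL_DOMAINS:
            reasons.append("protected display name on webmail domain")
        else:
            reasons.append("protected display name on external domain")
    return ("suspicious" if reasons else "external"), reasons


def triage(headers):
    """Classify a batch of From: headers; returns [(header, verdict, reasons), ...]."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real incident.
    SAMPLE_HEADERS = [
        "Jane Smith <jane.smith@example.com>",
        "Jane Smith <jane.smith@examp1e.com>",
        "Jane Smith <jsmith.ceo@gmail.com>",
        "Accounts Payable <ap@example-payments.com>",
        "Bob Lee <bob@partner.org>",
    ]
    for header, verdict, reasons in triage(SAMPLE_HEADERS):
        print(f"{verdict:10} {header}  {'; '.join(reasons)}")
```

The edit-distance threshold of two is deliberately loose and will produce false positives against short domains; in practice the check runs alongside, not instead of, SPF, DKIM and DMARC enforcement, which is what stops the forged-sender spoofing on the organisation's real domain that the NCA describes. A hit on a protected display name is a good trigger for an out-of-band confirmation step before any data or payment leaves the business.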

“All organisations need to conduct specific training for this type of impersonation attack,” said Banham.

Lessons to be learned

On 21 March 2017, the US Department of Justice charged a Lithuanian man with stealing more than $100m from two US companies using fraudulent emails.

According to the indictment, Evaldas Rimasauskas registered a company in Latvia with the same name as an Asian-based computer hardware manufacturer.

He also allegedly opened various bank accounts in the company’s name and set up fake email accounts, which he used to trick employees at the two US companies into paying invoices for goods and services genuinely received from the Asian manufacturer into bank accounts he controlled.

Acting US attorney Joon Kim said: “This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.”
