As an attack vector social engineering has been utilised in many different crime areas and cybercrime is no exception. In fact, many internet security companies continuously highlight the human factor as the weakest link in cyber security. Influencing people into acting against their own interest or the interest of an organisation is often a simpler solution than resorting to malware or hacking.
Both law enforcement and the financial industry indicate that social engineering continues to enable attackers who lack the technical skills, motivation to use them or the resources to purchase or hire them. Additionally, targeted social engineering allows those technically gifted to orchestrate blended attacks bypassing both human and hardware or software lines of defence.
2015 saw more replication than invention in this area. Law enforcement observed that techniques that used to work in the past continue to be recycled, polished and reintroduced. Nevertheless, several Member States noticed an improving overarching quality of phishing attempts and other scams.
There are several terms used to describe CEO fraud, including business email compromise and mandate fraud. The fraud involves an attacker contacting the victim and requesting an urgent bank transfer or a change of bank account details for upcoming transactions. This may be carried out through pure social engineering but the advanced forms of the compromise may be combined with hacking or even the deployment of malware.
Attacks are often preceded by a substantial amount of research and reconnaissance, mapping the organisations’ structure and behaviour of potential victims. Criminals target senior staff to take advantage of organisational hierarchies and the fact that more junior staff are less likely to challenge senior management. The perpetrators assume the identity of the CEO, president or a managing director to send a targeted email to a person in charge of making financial decisions, such as a CFO, financial controller or accountant. Letters, emails or phone calls also may come from outside the company, when a payment request is sent by someone purporting to be a trusted business partner or a lawyer.
The request is usually time-sensitive and often coincides with the close of business hours to make verification of the request difficult. Such attacks often take advantage of publicly reported events such as mergers, where there may be some degree of internal flux and uncertainty.
To avoid raising doubt, attackers will follow corporate procedure, using language that is often specific to the company. The payment method is also consistent with victim’s usual business practices, which is typically a bank transfer.
Several countries reported a notable increase in CEO fraud in the last year and identified it as a key social engineering threat, a view supported by the financial sector. Businesses of all sizes in both the private and public sector are targeted.
The fraud continues to affect tens of thousands of victims worldwide resulting in the loss of billions of euros67. The losses for individual companies were often in the hundreds of thousands or even millions. Despite the often considerable financial damages, victims do not always report such crimes to avoid reputation damage. This prevents law enforcement from obtaining a clear picture of the scale and scope of the threat. Where law enforcement has been able to investigate, it has been noted that some OCGs formerly engaged in MTIC fraud now appear to be involved in CEO fraud.
Sixty suspects, mainly from Spain, Nigeria and Cameroon, were arrested as part of Operation Triangle, coordinated by Europol and Eurojust and led by Italian, Spanish and Polish authorities with the support of the UK, Belgium and Georgia. The suspects utilised a combination of hacking and social engineering to monitor internal communication within medium and large European companies before requesting a bank transfer to accounts controlled by the criminal group.
Phishing has developed into one of the most widespread attack vectors, and can either be used on its own or as a preliminary step to a further attack. Some industry reporting indicates that phishing rates in general continued to gradually decline throughout 201568, although it had something of a resurgence in the first quarter of 201669. However, the overall decrease in 2015 is not consistent with the trends observed by the Member States, most of whom reported an increased number of investigations.
An explanation for this may be that while the use of scattergun, mass phishing campaigns may be in decline, the number of targeted, spear phishing attacks is increasing; a trend confirmed by industry. Such attacks, which are more likely to target higher value targets, are perhaps more likely to be reported to law enforcement.
The quality of phishing messages and websites is also increasing. It is not always possible for an intended victim to rely on poor grammar, spelling and punctuation, or simply poor drafting as an indication that a particular message may be fraudulent. Professional looking phishing websites continue to be generated by easy-to-obtain phishing kits that require little technical skill to be installed and customised on a remote server. To complement the theft of login credentials, phishing may also be used as an effective way to bypass two-factor authentication70.
The most common vishing71 scheme, commonly known as the “Microsoft support scam” appears to be limited to a relatively small number of Member States, although those affected continue to report a large number of incidents. In some cases, the scam has evolved from cold-calling unsus-pecting victims to the attacker fooling victims into calling them directly72. Member States have observed that OCGs have increasingly recruited or outsourced native speakers.
Phishing is not limited to desktop users. Phishing smartphone apps, particularly on the Android platform, often slip through the Google Play review process. These malicious apps collect credentials and other information and deliver it to the attackers. These applications are often downloaded from trusted locations and the phishing website is accessed from the app so that users do not see the malicious URL. E-banking and bitcoin wallet apps in particular are targeted73.
A wide variety of advanced fee frauds continue to be reported to law enforcement. Of these, romance scams, which can result in both monetary losses and psychological damage, are one of the most commonplace. Despite media coverage and prevention activity in many countries, this type of crime has increased across several Member States.
Another common method highlighted by law enforcement includes scams that react to the latest geopolitical developments, for example fraudsters presenting themselves as US soldiers serving in Afghanistan or similar locations. Alternatively, criminals may assume the identity of a female refugee requiring financial support.
Many perpetrators of these offences seem to originate in developing countries. The multi-jurisdictional element of the advanced fee frauds in combination with their high quantity contributes to a generally low detection rate for these offences.
As the quality and authenticity of phishing tools and services continues to increase, we can expect the increase in targeted spear phishing attacks to continue. With the availability of such tools, we can perhaps expect the mass, scattergun phishing campaigns to become more associated with low skilled cybercriminals, new to the arena, while experienced and more skilled attackers focus on targeted attacks. However, it is as likely that any attack method that generates profit will be used by all levels of criminality.
As existing and emerging social networks and social apps consider the incorporation of some form of payment, perhaps through virtual currencies74, we can expect criminals to take advantage of these platforms which efficiently combine both the stage upon which they can socially engineer their victims and obtain payment from them.
