Catches of the month: Phishing scams for December 2019


Want to stay up to date on phishing scams? Our ‘catches of the month’ feature reviews the most prominent attacks across the web, explaining how they occurred and the steps you should take to stay safe.

This month, we bring you a multimillion-dollar BEC (business email compromise) scam and look back on Black Friday, in which cyber criminals looked to capitalise on our eagerness to find great deals.

Nikkei employee tricked into handing over $29M to scammers

An employee at Nikkei America, a subsidiary of the Japanese media giant, fell victim to a scam that cost their employer $29 million (about £22 million).

In a press release, Nikkei confirmed that the fraudster emailed the employee posing as an executive.

The organisation has disclosed few other facts in order to maintain “the confidentiality of the investigation”, but security researchers suspect that the attack was a form of BEC in which a third-party breach leads to the attack.

These attacks begin with a spear phishing attack sent to someone in the organisation who handles payments.

Once the scammer has access to an account, they’ll monitor the victim’s email account, learning about suppliers and projects, seeking an opportunity to lay their trap.

This often involves sending a fraudulent invoice that requests payment to a bank account that the criminal controls.

BEC scams have been on the rise in the past year, according to the FBI’s Internet Crime Complaint Center. It identified a 100% increase in financial losses between May 2018 and June 2019.

There have been more than 166,000 incidents in the past three years, resulting in losses of $26 billion (about £20 billion).

The attack on Nikkei is by far one of the most lucrative BEC scams conducted. Indeed, in terms of immediate financial losses, it’s one of the biggest cyber crimes ever.

Preventing BEC scams

This incident exposes the problem of allowing an employee to make large transactions without any oversight.

Without seeing the fraudulent email in question, it’s hard to say how obvious it was that it was a scam, and how big a staff awareness failing it was. Regardless, every employee should be able to spot suspicious emails, and they should be extra vigilant when emails request large sums of money.

Nikkei says it recognised that it had been the victim of fraud “shortly after” the attack occurred, but not quickly enough to prevent the payment.

It is “taking immediate measures to preserve and recover the funds that have been transferred, and taking measures to fully cooperate with the investigations”.

See also:

Black Friday and Cyber Monday shoppers targeted on social media

Cyber security firm ZeroFOX said that it detected 61,305 potential scams in the weeks leading up to Black Friday.

This shouldn’t come as a surprise, given that the Black Friday weekend is one of the biggest shopping days of the year – and not just in the US. The Guardian reports that spending was once again up 16.5% in the UK compared to last year, which would mean shoppers forked out an estimated £1.7 billion.

With so many transactions taking place and people desperate for a bargain, it’s a prime opportunity for cyber criminals to scam shoppers.

But surprisingly, the most common type of scam this year didn’t involve online retailers like Amazon but physical shops offering in-store bargains.

In an interview with Threatpost, Ashlee Benge, one of the researchers behind ZeroFOX’s report, explained that this was probably because more people would be shopping in shops than online, so scams targeting chain stores would have a wider appeal.

Impersonating these shops also helps criminals create more believable and targeted scams. Referring to a specific retailer might spark the idea of a certain item that the victim wants, leading them to click the link.

By contrast, scams advertising Amazon are less likely to be clicked, because anyone who sees it and is looking for a Black Friday deal will probably already have visited the site.

The most common type of attack involved scammers sharing links on social media that advertised gift cards or free goods. Users who click the links were sent to a bogus domain that either plants malware on their device or attempts to steal personal details.

Benge noted that scammers were getting much better at creating the same sense of urgency in these posts as they do in traditional phishing scams.

The limited time offer of Black Friday clearly helps, as do eye-catching graphics and smart phrasing.

Similarly, by being placed on Twitter and Facebook, the scams have a much more public reach, particularly when they tap into hashtags like #BlackFridaySales.

Spot a scam before it’s too late

As we’ve shown here, phishing scams can be tough to spot if you’re not up to speed on the tactics cyber criminals use. This can be particularly dangerous in the workplace, because it’s not just your security that’s at stake but the entire organisation.

You can make sure your staff are equipped to defend against scam emails with our Phishing Staff Awareness E-Learning Course.

This 45-minute course uses examples like the ones above to explain how phishing emails work, the clues to look for and the steps to take to avoid falling victim.

Find out more