Cyber criminals are targeting HR departments to steal your salary

The human resources manager tried to be calm and reassuring, but there still was a brief moment of panic: someone, somewhere, had tried to steal Robert’s salary.

As anybody with a mortgage knows, missing pay day by just one or two days could cause a lot of trouble. The manager had received an email that seemed to come from Robert (not his real name) - from an email address that seemed to be his, using his standard, corporate email signature, perfect down to the smallest detail.

The email had instructed the manager, Jonni Learoyd, who works in the London office of global public relations agency Edelman, to change Robert’s banking details. “It’s just a courtesy call, not to worry – the email was flagged by the IT department as a phishing attack, I assume you don’t want to change your bank details, do you?” asked Learoyd. Robert certainly didn’t.

Email phishing scams of this nature are nothing new. But this one is different. IT security experts call such scams Business Email Compromise, or BEC for short: a worker receives an email from a top boss, asking them to immediately wire a large amount of money for a big deal or acquisition to a specific account. Except the sender of the email is an imposter.

Many high-profile organisations have fallen victim to this type of scam; according to recent FBI research, BEC attacks cost businesses around the world £9.52 billion over the past five years. It can hit any type of company: last year, Italian top-tier football club Lazio wired a £2 million transfer fee payment to a fraudster. In the UK, Glasgow-based Peebles Media Group is now suing a former employee for transferring nearly £200,000 to criminals.

To stay one step ahead, the attackers are now moving down the value chain, targeting executives like Robert by going directly after the pay check. Typically, they ask HR officials to redirect relatively modest sums of money to a different bank account – say a few hundred pounds – in the hope that the monthly diversion won’t be noticed. It’s a very low-key approach, and by the time the employee notices and raises the alarm, it’s too late. In Robert’s case, the scammers made their move just in time for payroll and tried to redirect the salary in full. “This is the first time that we’ve come across a BEC attack attempting to intercept an employee’s salary payment,” says Mark Nicholls, director of cybersecurity at Redscan.

Edelman is a large corporation, so its IT department has software installed that automatically scans all email addresses, and flags whether they originate from inside the company, or are about to be sent to an external email address. So even if the email is “spoofed” to look as if it comes from a real email account, the software will spot the difference.
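
The kind of check described above, sketched as an added example (this is not Edelman's software or code from the article). It assumes the receiving mail gateway stamps an `Authentication-Results` header; the domain `corp.example`, the sample messages and the flag names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain

# Constructed sample messages (not taken from the article).
SPOOFED = """\
From: Robert <robert@corp.example>
Reply-To: robert.hr@mailbox.example
To: hr@corp.example
Subject: Change of bank details
Authentication-Results: mx.corp.example; spf=fail; dmarc=fail header.from=corp.example

Please update my account before payroll runs.
"""
GENUINE = """\
From: Robert <robert@corp.example>
To: hr@corp.example
Subject: Holiday request
Authentication-Results: mx.corp.example; dkim=pass; dmarc=pass header.from=corp.example

Two days in June, please.
"""
LOOKALIKE = (GENUINE.replace("@corp.example>", "@corp-example.example>")
             .replace("from=corp.example", "from=corp-example.example"))

def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if there is none."""
    _, sep, dom = parseaddr(header_value or "")[1].rpartition("@")
    return dom.lower() if sep else ""

def dmarc_result(msg):
    """DMARC verdict stamped by the receiving gateway ('none' if absent)."""
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else "none"

def flag_message(raw, corp_domain=CORP_DOMAIN):
    """Return the warnings an HR mailbox should see for one raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    flags = []
    if from_dom != corp_domain:
        flags.append("external-sender")  # not from inside the company
    elif dmarc_result(msg) != "pass":
        flags.append("internal-from-unauthenticated")  # claims to be internal, fails checks
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-differs")  # replies would leave the From domain
    return flags
```

A message that carries any flag and asks for a change of bank details is one to confirm with the employee through a separate channel, as the HR manager in the article did by phone.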

Smaller firms, however, are rarely that lucky. With few software checks, it may well be the visual inspection and IT threat awareness of a lone HR manager that’s the one and only line of defence. “In a small firm, such an attack could be a real threat,” says Learoyd. At Edelman, he personally intercepted four such phishing attempts just in the past two weeks. “I’ve talked about it with my colleagues in the HR department, and it’s clear that this type of scam is on the rise,” he adds.

While the particular approach of targeting HR managers is novel, it is still a BEC – and shows that criminals are becoming increasingly creative.
