Email Still a Magnet for Cyber Criminal Activity, Costing Victims $3 Billion

Business email compromises—when legitimate business email accounts are taken over by scammers in an effort to get their targets to send them money—have risen by 1,300 per cent since January 2015, resulting in over $3 billion in losses, according the Federal Bureau of Investigation.

And that’s just one part of the changing online threat landscape, according to a report released earlier this week by IT security company Trend Micro. It says that ransomware scams—where malware locks a victims computer or encrypts their files until a “ransom” is paid—are also on the rise.

During the first three months of 2016 alone, the FBI estimates that ransomware cost businesses  over $209 million.

And even if businesses refuse to pay the ransom, they can still face losses.

“Aside from ransomware helping cybercriminals extort money from businesses, they had also caused businesses to shut down temporarily as productivity and daily operations were affected,”  the report says.

While authorities discourage the paying of these ransoms, many organizations do. The Hollywood Presbyterian Medical Center paid out $17,000 to ransom their systems, while the University of Calgary paid $16,000.

The majority of ransomware discovered by Trend Micro came from spam emails. That accounted for 58 per cent of the ransomware discovered by the company. Another 40 per cent came from URLs hosting ransomware files.

It also says more varieties of ransomware are being found now. In the first half of 2016, Trend Micro says 79 new ransomware “families” were discovered, that’s compared to 29 new ransomware “families” discovered in all of 2015.

While ransomware relies on technology, business email compromises rely on a lower-tech tactics – the same techniques that con artists have used for generations.

“The  effectiveness of BEC scams lies in the techniques employed against its preferred targets. Attackers are able to deceive victims by combining their knowledge of social engineering techniques and well-researched information about the target. Most of the time, attackers behind BEC scams impersonate people who have access to a company’s finances—may it be a company’s CEO, managing director, CFO, or even financial controller,” the report says.

Companies based in the United States are the main target for BEC attacks, according to Trend Micro, over 2,000 U.S. companies were targeted during the first half of 2016.

New technologies are also opening new doors to criminals.

Trend Micro says that a growing of vulnerabilities are being found in internet-of-things platforms and that point-of-sale terminals are also being targeted by online criminals.

“In June, we detected a new point-of-sale malware that was equipped with fast and efficient credit card theft capabilities. We named it FASTPoS because of the malware’s capability to quickly send data from a swiped card to the attackers, instead of sending captured data periodically,” it says.

That malware has affected victims from Taiwan, Japan, Hong Kong, Brazil, France, Iran and the United States.