Cyber Threat Scenarios – What might an attack look like?

Edited June 6th, by Kyle Langan

What is a business email compromise or email account compromise?

Business email compromise (BEC) and email account compromise (EAC) are financially damaging digital crimes. They exploit the fact that so many professionals rely on email to conduct business. “In a business email compromise (BEC) scam, criminals send an email message that appears to come from a known source making a legitimate request.” [1] According to a 2024 report from Arctic Wolf, 70% of organizations faced business email compromise threats, with nearly 30% falling victim to at least one attack. [2]

Scenario: Email Compromise

Threat: Funds Transfer Fraud

An accountant at XYZ Inc. received an email that appeared to come from a familiar customer. That client regularly provides contracted services to XYZ in business-to-business transactions, and its Chief Financial Officer (CFO) is a known contact. In the email, the CFO instructed XYZ to send an ACH payment of $160,000 owed on a recent invoice. The accountant replied that, to send or receive ACH transactions, XYZ must follow its approval and reconciliation procedure. Believing the request to be legitimate, the accountant then completed that procedure and initiated the transfer of company funds.

CFO: “I will notify you once payment is received and credits are applied to your account.”

Accountant: Payment for the 160k is in process at the bank; as soon as it is confirmed I will send a proof of payment.

Accountant: Following up, the payment is confirmed by the bank, so it is approved… will send the proof of payment as soon as it is available. In the meantime, I have attached a screenshot from the bank system stating the payment is confirmed.

CFO: Thanks so much!

Accountant: I have just sent another PDF showing it went through.

CFO: OK thank you, very good.

CFO: Our team has confirmed payment is in and approved from our side.

What went wrong:

The deceptive email did not come from the client at all. A cybercriminal posed as the client’s CFO through a manipulated, look-alike email domain (so this example also involves spoofing), and the message landed in the accountant’s inbox at XYZ like any other customer email. The $160,000 transfer landed in the criminal’s private bank account.

The accountant realized the request was fraudulent the next morning, during a phone call with the client’s true CFO. Realizing that XYZ had been deceived, he scrambled to call the bank, but the transfer had already gone through, making recovery increasingly difficult; 48 hours later, the cybercriminal moved the funds and dispersed them across multiple crypto accounts, making them even harder to trace. At this point the accountant reported the incident to his manager. Facing financial losses, the organization planned “to react swiftly to prevent possible business disruptions and limit further damage.” [3]

Mitigation Strategy:

  • Detection and research
  • Submission of claim to XYZ’s Funds Transfer Fraud insurer
  • Containment
  • Recovery
  • Communication
  • Post-incident analysis [4]
  • Improvements such as mutual authentication of payment requests (for example, confirming any new or changed payment instruction with the counterparty over a second, already-known channel before funds move)

What is Spoofing, Phishing?

Spoofing: disguising an email address, sender name, phone number, or website URL—often just by changing one letter, symbol, or number—to convince victims they are interacting with a trusted source. [5] Criminals count on being able to manipulate victims into believing that these spoofed communications are real. Their goal is to lead victims “to download malicious software, send money, or disclose personal, financial, or other sensitive information.” [6]

Phishing schemes often use spoofing techniques to lure victims into taking the bait. In a phishing scam, the victim receives an email that appears to be from a legitimate business and asks them to update or verify personal information by replying to the email or visiting a website. The web address might look like one they have used before, and the email may be convincing enough to get them to take the action requested. [7]

But once the victim clicks that link, they are sent to a spoofed website that might look nearly identical to the real thing, like their bank or credit card site, and asked to enter sensitive information such as passwords, credit card numbers, banking PINs, etc. These fake websites exist solely to steal that information. [8]
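The spoofing and phishing descriptions above come down to one trick: an address, display name or link that is one character, one confusable glyph, or one mismatched header away from a trusted one. That is also how the impostor “CFO” in the funds-transfer scenario got past the accountant. The following Python script is an added example written for this page (it is not code from the article or from the FBI or Zywave sources it cites) showing what an automated first check on incoming headers and links looks like. The counterparty allow-list `KNOWN_DOMAINS`, the confusable table, the `webmail.example` and `unrelated.example` domains, and every header and URL in it are constructed for illustration.

```python
"""Look-alike sender and link check for BEC / phishing triage.

Added example for this article; not code from the original page or from the
FBI or Zywave sources it cites. The allow-list, the confusable table and every
header, address and URL below are constructed for illustration.
"""
import re
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allow-list: domains XYZ Inc. actually exchanges invoices with.
KNOWN_DOMAINS = {"acme-client.com", "xyz-inc.com"}

# Substitutions that make one domain read like another (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case, drop non-ASCII look-alike glyphs, and fold common confusables."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    folded = folded.lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: 1 means exactly one character added, dropped or changed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Known domains folded the same way, so "acme-c1ient.com" compares equal to "acme-client.com".
_NORMALIZED_KNOWN = {normalize(d): d for d in KNOWN_DOMAINS}


def classify_domain(domain: str) -> tuple:
    """Return (verdict, findings) for one domain: trusted, lookalike or unknown."""
    if domain in KNOWN_DOMAINS:
        return "trusted", []
    norm = normalize(domain)
    near = [real for n, real in _NORMALIZED_KNOWN.items() if edit_distance(norm, n) <= 1]
    if near:
        return "lookalike", [f"domain {domain!r} resembles {near[0]!r}"]
    return "unknown", []


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def classify_sender(from_header: str, reply_to: str = "") -> dict:
    """Classify a From: header (and optional Reply-To:) against the allow-list.

    Adds a fourth verdict, "suspicious", for a known domain that is contradicted
    by the display name or by where replies would actually go.
    """
    display_name, address = parseaddr(from_header)
    domain = domain_of(address)
    verdict, findings = classify_domain(domain)

    # Display name carries a known address while the real address is elsewhere.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() in KNOWN_DOMAINS and domain not in KNOWN_DOMAINS:
        findings.append("display name shows a known address, but the real address differs")
        verdict = "suspicious"

    # Replies would leave for a different domain than the one the mail claims to be from.
    reply_domain = domain_of(parseaddr(reply_to)[1]) if reply_to else ""
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To goes to {reply_domain!r}, not {domain!r}")
        verdict = "suspicious"

    return {"domain": domain, "verdict": verdict, "findings": findings}


def classify_link(url: str) -> dict:
    """The same look-alike test applied to the host of a link in the message body."""
    host = (urlsplit(url).hostname or "").lower()
    verdict, findings = classify_domain(host)
    return {"host": host, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed headers mirroring the scenario: one real CFO, several impostors.
    samples = [
        ("Jane Doe <jane.doe@acme-client.com>", ""),
        ("Jane Doe <jane.doe@acme-c1ient.com>", ""),        # digit 1 for letter l
        ("Jane Doe <jane.doe@acme-cliant.com>", ""),        # one letter changed
        ("Jane Doe <jane.doe@\u0430cme-client.com>", ""),   # Cyrillic a for Latin a
        ("Jane Doe <jane.doe@acme-client.com>", "Jane Doe <jd.cfo@webmail.example>"),
        ('"jane.doe@acme-client.com" <cfo.payments@webmail.example>', ""),
        ("Pat Lee <pat@unrelated.example>", ""),
    ]
    for header, reply_to in samples:
        result = classify_sender(header, reply_to)
        print(f"{result['verdict']:10} {header}  {'; '.join(result['findings'])}")
    link = classify_link("https://acme-c1ient.com/invoice/update")
    print(f"{link['verdict']:10} {link['host']}  {'; '.join(link['findings'])}")
```

Running it prints one trusted header and six impostors with the reason each was flagged. A lookalike or suspicious verdict is a trigger for out-of-band verification (a call to a phone number already on file, never one taken from the message), not proof of fraud: legitimate domains can sit one edit away from each other, and a domain that is merely unknown still has to go through the normal approval procedure.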

Scenario: Phishing

Threat: Data Exfiltration, Ransom

A long-time employee and recently promoted director, William, at an international wholesaler received a WhatsApp message from a trusted friend and co-worker, Nikita, who is one of the owners of the company.

The message encouraged William to download and review an attachment linked in the chat, to prepare for an upcoming assignment. The following messages explained the assignment:

Nikita: Hey! Are you available?

William: Hey, morning, yeah, I have some time now!

Nikita: I am just finishing a call with my lawyer. I need your help, currently engaged in an acquisition and working on securing an offer for the group. I am part of an NDA and so for compliance purposes all exchanges regarding this offer must be monitored here over WhatsApp until the official announcement. Can you please review? I want you to manage the deal.

William: Of course, I will do everything I can.

Nikita: Your support is much appreciated. Thanks

What went wrong:

Opening the downloaded attachment launched malware on William’s device. [9] He had been messaging with a criminal, not Nikita. Within minutes, the malware infiltrated several systems and “encrypted a wide range of sensitive data, including confidential customer information and financial records. From there, the cybercriminal responsible for sending the phishing email and deploying the malware program displayed a message on the employee’s device, explaining that they had compromised the organization’s data and would only restore this information via digital encryption key in exchange for a wire transfer of $1 million to a private bank account, with a payment deadline set for Friday.” [10] (The quoted source describes the email-delivered version of this attack; the lure here arrived over WhatsApp instead.) At this point, William reported the attack to his manager. “Facing the potential loss of critical data, the organization needed to react swiftly to minimize widespread operational disruptions and reduce the risk of severe reputational damage.” [11]

Mitigation Strategy:

  • Containment
  • Eradication
  • Submission of claim to Cyber Insurer
  • Recovery
  • Communication
  • Post-incident analysis [12]

References

[1] Business Email Compromise. (n.d.). FBI. https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/business-email-compromise

[2] Arctic Wolf. (2024, May 21). The State of Cybersecurity: 2024 Trends Report. Arctic Wolf Networks. https://arcticwolf.com/resource/aw/the-state-of-cybersecurity-2024-trends-report

[3]-[4] Cyber Incident Response Scenario – BEC Scam. Zywave. (2024, May). https://content.zywave.com/

[5]-[8] Spoofing and Phishing. (n.d.). FBI. https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/spoofing-and-phishing

[9]-[12] Cyber Incident Response Scenario – Ransomware Attack. Zywave. (2024, May). https://content.zywave.com/