Increasing number of email compromise scams target Fortune 500
Scammers in Nigeria are believed to be behind a significant increase in business email compromise attacks, according to a report today from IBM’s X-Force Incident Response and Intelligence Services team.
The BEC campaigns are said to target accounts payable personnel at Fortune 500 organizations, using credential harvesting, phishing and social engineering to steal funds through fraudulent wire transfers.
The campaigns, which are already believed to have netted millions of dollars, compromise legitimate email accounts within a given enterprise without compromising the network itself. Once inside a mailbox, the scammers use it to impersonate a company employee and trick other employees into handing over details, with the ultimate goal of diverting payments to an attacker-controlled account.
Attackers are said to be specifically targeting companies that rely on single-factor authentication for a web-based email portal such as Microsoft Office 365, where a phished password alone is enough to log in.
“To successfully scam companies without special tools or malware, the attackers used sophisticated social engineering tactics that prey on flaws in common accounts payable processes,” the report states. “X-Force IRIS assesses the attackers carefully chose to impersonate vendors or associated companies with established relations to the client and target specific people in the organizational chart to increase the believability of the scam.”
The report warns that attackers are continually honing their craft to create more believable scams and increase the difficulty in identifying falsified emails. “Simply training employees on phishing threats and BEC scams is not always sufficient,” it notes. “Implementing key security features and revisiting internal processes can help reduce the risk of being targeted by a low-tech, social-engineering campaign.”
Those recommendations include introducing two-factor authentication for account logins, to limit what scammers can do with stolen credentials; adding banners that flag emails arriving from an external address, so employees can tell at a glance whether a message originated outside the enterprise; blocking the ability to auto-forward email outside the organization, a common way for attackers to quietly monitor a compromised mailbox; and implementing strict wire transfer policies, including the use of digital certificates and time delays on requests for international transfers.
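The two mailbox-side controls above (external-sender banners and a block on outbound auto-forwarding) map directly onto Exchange Online settings, and the same session can be used to hunt for forwarding rules an attacker may already have planted. The script below is an added example written for this page, not code from IBM X-Force or the report; it assumes the ExchangeOnlineManagement PowerShell module is installed and an administrator has already run Connect-ExchangeOnline. The rule names and banner text are placeholders.

```powershell
# Added example: hardening Exchange Online against the BEC tradecraft described above.
# Assumes: ExchangeOnlineManagement module installed and Connect-ExchangeOnline already run.

# 1. Flag mail that originates outside the tenant so staff can spot spoofed "colleague" requests.
#    Rule name and banner wording are placeholders; adjust to local conventions.
New-TransportRule -Name "Tag external mail (added example)" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p style='color:#a00'>CAUTION: This message came from outside the organisation. Verify payment or banking changes by phone before acting.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 2. Stop mailboxes from auto-forwarding to external domains. Attackers frequently add a
#    forwarding rule so they can read the victim's mail even after the password is reset.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Hunt for forwarding or redirect rules that are already in place. A rule that forwards
#    externally and deletes the original is a strong indicator of a compromised mailbox.
$suspicious = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}},
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# Also report mailbox-level forwarding set outside of inbox rules.
$mailboxForwarding = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$suspicious        | Format-Table -AutoSize
$mailboxForwarding | Format-Table -AutoSize
```

Review the output before removing anything: some forwarding rules are legitimate (shared inboxes, ticketing systems), but a rule on an accounts payable mailbox that forwards to a free webmail address and deletes the original should be treated as an incident, not a misconfiguration. None of this replaces the two-factor authentication the report calls for; it limits what an attacker can do with a password that has already been phished.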
“In 2018, it’s estimated that BEC attacks will result in over $9 billion in losses,” a spokesperson for IBM X-Force told SiliconANGLE. “Interestingly, at the end of 2017, X-Force IRIS predicted that attacks both targeting and from Africa would be on the rise in 2018. This active campaign reinforces that attacks from Africa will be important to watch in 2018.”
Photo: amrosario/Flickr