Why Phishers Like B2B

Hacker Tracker Email Phishing

Businesses, get ready: The phishers are paying more attention to you.

No company has ever been completely safe from criminals, whether it’s the type that steals in person or the hackers who do it digitally. But there is mounting evidence that phishers are turning more attention to enterprises and away from individuals — and at a time when pretty much every industry is moving away from a reliance on analog processes and toward more digitalization.

“Threat actors are targeting enterprises by impersonating the services that enterprises rely on every day, such as email service providers and software as a service (SaaS) platforms,” said PhishLabs in a recent summary of the changing nature of phishing attacks.

In fact, email and online services accounted for 26 percent of phishing attacks last year, overtaking financial institutions (21 percent) as the top phishing target, the company said. Attacks involving SaaS increased 237 percent year over year. PhishLabs noted that phishers can use stolen corporate credentials to steal data, access corporate systems or (sell) them to the highest bidder.

Cloud Targets

Other figures from the first quarter of 2018 show that 299 brands suffered phishing attacks during that period, up about 15 percent quarter over quarter. Those attacks include targets from a “more diverse set of brands” than in the recent past, with cloud storage providers now appearing in the top 10 most targeted during Q1.

Financial institutions were the most common phishing targets during that period, accounting for 40 percent of attacks, followed by digital transaction providers (20 percent), large tech companies (10 percent), major health insurance providers (10 percent), cloud storage providers (10 percent) and social media platforms (10 percent).

In addition to that, the Better Business Bureau recently released a report with results from a survey conducted among 1,200 SMBs across the nation, showing that scams are a growing risk for businesses. Two thirds of those surveyed said they have been targeted by a scammer in the past three years.

B2B Payments Problems

A main vulnerability stems from B2B payments.

“Supplier/partner phishing attacks are common, because it’s a trusted relationship,” according to another analysis, this one from Chris Stegh, chief technology officer of Enabling Technologies Corp. “Most common are when the supplier gets phished, and the attacker sends official-looking invoices from the supplier’s account.”

B2B payments takes in a variety of industry and methods, but, in general, those payments and the processes associated with them are slowly becoming digitalized. That could lead to new types of phishing attacks, or attacks that are more frequent.

For instance, Stegh describes a B2B phishing scam that led to a $320,000 theft, and which involved an “official-looking invoice (that) came from a look-alike domain that the attacker had set up to catch the customer off guard. Prior to them sending the legitimate-looking invoice, the attacker had phished and viewed the customer’s email account. They must have been thrilled to see invoices received from this supplier in the past. They then created a new domain and email alias, which nearly matched the supplier’s legitimate domain, but with a slight typographical difference.”

That phishing technique is called “typosquatting,” and Stegh warned that people handling B2B payments should educate themselves about it — and also double-check via phone before paying invoices.

Other Weaknesses

Social engineering” is another tactic seen in business phishing attempts. Criminals will study corporate directories and other sources of information. Then — ideally during a time when a business is facing deadlines, when employees are under high pressure and might be off-guard — the criminals will name-drop executives’ names in a phishing email that also seeks to play upon a recipient’s greed, perhaps via an offer for a free trip.

Simple lack of preparedness is also behind the apparent shift toward more business-targeted phishing attacks. That holds especially true for small- and medium-sized businesses.

“Increasingly, the most damaging threats to revenue for small businesses are found online,” said Cory Capoccia, president of Womply, which recently launched an anti-fraud product designed for small businesses. “Most brick-and-mortar businesses have security systems to protect their physical property and credit monitoring for financial security, but they don’t have a solution for online threat monitoring to manage their online presence and protect them from nefarious activity like phishing schemes.”

Marketers, too, are worried. One survey found that while 75 percent of them consider data breaches to be a real threat, only 48 percent have the technology to deal with digital attacks, and 27 percent are unsure they would even know what data would be stolen in such attacks.

The ongoing move to digitalization will bring efficiencies and cost reductions to businesses of all sizes and types. But you can be sure criminals will make the necessary shifts, finding any exposed point.