November 6, 2009

FBI Warns of Recent Phishing Campaigns Leading to $100 Million in Attempted Losses


Targeted Spear Phishing Attacks Steal Corporate Online Banking Credentials – What Should Businesses Do to Protect Themselves?



The FBI recently revealed a sobering statistic – email phishing attacks and malicious Trojans targeting public institutions and small-to-medium sized businesses (SMBs) have led to approximately $100 million in attempted losses in the past several months. The phishing emails mainly hit SMBs, schools, court systems and other public institutions and contain either a malicious file attachment or a URL to an infected Web site.

This kind of attack is known as a spear phishing campaign because the emails are sent to a very specific, targeted group of people. In this case, the phishing lures went to individuals within an organization who can initiate funds transfers and other banking tasks on behalf of the business. Once the recipient is fooled into downloading the attachment or visiting the malicious Web site, the attacker is able to steal the corporate online banking credentials and use them to transfer funds to their own accounts. The funds were typically transferred in increments of less than $10,000 to avoid drawing attention under the banks' anti-money-laundering reporting requirements.

Phishing campaigns and other types of malicious spam emails are nothing new. The Websense ThreatSeeker® Network, which delivers security intelligence to all Websense products, scans nearly 10 million emails each hour for unwanted content and malicious code. During the month of September alone, it identified approximately 85 percent of all these emails as spam. Nearly 85 percent of all spam emails included an embedded URL, many of which led to malicious Web sites, and approximately 5 percent of all spam emails scanned during September were targeted phishing attacks.

Although phishing campaigns are not new, what’s perhaps most shocking about the FBI report is how successful the recent attacks have been – given the huge amount of money stolen in just the past several months. Obviously the attackers are becoming very sophisticated in not only who they target, but also in the social engineering tactics they use to trick their victims into disclosing credentials, running a malicious file or visiting an infected Web site. Even FBI Director Robert Mueller admits to nearly falling for a phishing scam that appeared to be an email from his bank – his wife has since banned him from doing the family’s online banking.

It’s important to note that the FBI is not saying that people or businesses should refrain from banking online. However, businesses and consumers alike must take the proper precautions to ensure that their data is safe. In addition to educating employees on safe online practices, businesses need the right technologies in place to enforce their security policies – and today that doesn’t mean simply firewalls and anti-virus programs. Today’s sophisticated attacks deliver blended threats that span multiple attack vectors (i.e., spam emails that contain links to malicious Web sites harboring data-stealing malware).

The Importance of Integrated Web, Email and Data Security

Many organizations today still try to protect their Web and email communication channels with independent security tactics for each channel and each communication direction: they use email and content filters on outbound communications, separate inbound filtering for spam and viruses entering the network, and Web filtering to block employees from visiting inappropriate Web sites. These separate silos look at the URLs or the email headers, but not both, and they rarely pay attention to the data itself or proactively block its outbound transmission. They react based on a historical view of threats built on outdated inspections, signatures, reputation and behavior. Blended threats easily bypass these inspections by morphing and moving around the Web while stealing data.

Only a unified content security suite that fully integrates Web, email and data loss prevention can protect businesses and their essential information from blended threats. The Websense essential information protection platform is the only unified content security solution to provide comprehensive protection from blended threats. In the case of these recent spear phishing campaigns, Websense email security would identify and block the phishing email from ever entering the organization’s network, scanning the message for malicious content and applying Web security intelligence to identify and block any embedded URLs that lead to malicious sites. Websense data loss prevention technology would ensure that confidential information is not sent to any unauthorized destinations, whether at the user’s hand or as a result of a machine infected with a Trojan or other piece of malware. This kind of unified content analysis is unique to Websense, and provides organizations with greater overall security through integrated Web, email and data security intelligence.

Sophisticated spear phishing campaigns like the one the FBI warns about will continue to happen. Businesses cannot realistically stop using the Internet for banking or other business transactions. The only way for them to protect their essential information and prevent fraud is through a combination of security policies, employee education and technology.


Forcepoint-authored blog posts are based on discussions with customers and additional research by our content teams.
