Cyber experts warn job scam on rise in Bengaluru, on an average 10 cases of fake job offers reported

There are over 3,600 spoofing sites that can clone an email ID and generate fake email IDs of multi-national companies.

BENGALURU: Do you know anyone who has received a fake job offer from a credible email ID? An average of 10 to 12 cases of fake job offers are being reported every day in Bengaluru, and the numbers have been on a steady increase. There are over 3,600 spoofing sites that can clone an email ID and generate fake email IDs of multi-national companies.

The fraud, called ‘Business Email Compromise’ or BEC attack, is taking the world by storm and Bengaluru is no exception. A police official says that among all online fraud cases registered, around 39 per cent are related to job frauds. This mainly includes email compromise, frauds committed using job portals and sending job offers by cloning genuine email IDs.

A week ago, a white-hat hacker, Ajay John (name changed), became a victim of this attack. But thanks to his adept skills and awareness, he did not have to pay a heavy price. Ajay had his job profile up on job websites, and received an SMS and an official-looking mail from a leading commercial vehicle manufacturer. With a proper offer letter and signatures in place, no one would have guessed the offer was fake. However, a deposit of ₹9,000 was asked of him and he knew it was a scam.

“When I said I wouldn’t give the money, their company threatened to blacklist my profile on a job site. So instead, I blacklisted his fake email ID and fake blogspot website,” says Ajay.

Not everyone can identify a BEC attack. In a recent incident that came to light in January, Roopa B (name changed), a 22-year-old engineering graduate from the city, was scammed of ₹50,000 after she fell prey to an offer letter from a multinational company. The email ID was genuine and so was the offer letter. “The company is yet to respond to my offer letter. An FIR has been lodged,” says Roopa.

Ajay warns that young millennials are at major risk, especially those who are fresh out of college and are looking for jobs.

Thriving method to cheat
In June 2016, FBI statistics showed that BEC scams cost businesses $3.1 billion in the US. K Mookhey, CEO and founder of Network Intelligence, a global cyber security firm, says that fraudsters get access through the domains and send fraudulent emails to rob money. “This remains unnoticed by the genuine user many times,” he says.

“BEC attacks aren’t your normal phishing or malware campaigns, and their lucrative nature is contributing to their popularity among hackers,” says Nilesh Jain, vice president – South East Asia and India of Trend Micro, an enterprise that offers cyber security solutions.

“Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to do fraudulent transfers, resulting in hundreds of thousands of dollars in losses,” he adds.

How is BEC done and how can we tackle it?

During Trend Micro’s tracking efforts, they managed to narrow down BEC attacks to two main techniques. The first is credential-grabbing, which involves the use of keyloggers and phishing kits to steal credentials and access the webmail of target organisations. The second is email-only, which involves an email sent to someone in the finance department (usually the CFO) of the target company.

“The attackers design the e-mail to make it look as if a company executive sent it, typically instructing the target to transfer money. The transfer request is usually for payment to a supplier or contractor, or as a personal favour,” says Nilesh. Credential-grabbing techniques can further be categorised into those that use malware and those that use phishing. Email-only BEC attacks use social engineering techniques. “An email-only attack uses more sophisticated methods to exploit the human psyche,” Nilesh adds.

The only way to beat this type of threat is to implement a layered security approach and ensure that each element works well together to detect, mitigate and prevent BEC. Ajay says that the first hint should be taken when the concerned company asks for money. Also, the IP address should be checked. “The IP address of the main company and the scamming ones are distinctly different,” says Ajay. One of the easy techniques used is tracking the number through apps such as Truecaller or a GPS tracker.
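
As an added illustration (not part of the original report, and not a tool used by anyone quoted in it), the Python example below applies the checks described above to the raw headers of a suspicious offer email: it compares the sending IP with the company's known networks and also flags a mismatched Reply-To domain and failed sender authentication. The sample message, all domains and IP addresses, and the `known_good_networks` list are constructed placeholders; in practice the networks would come from a message known to be genuine.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every name, domain and address is a placeholder.
RAW = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
\tby mx.recipient.example with ESMTP; Mon, 06 Feb 2017 10:12:00 +0530
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
From: "HR Team" <careers@example.com>
Reply-To: hr.example.recruit@freemail.example
Subject: Offer letter - refundable deposit required
To: candidate@recipient.example

Please pay the deposit to confirm your joining.
"""

def domain(addr_header):
    """Lower-cased domain of an address header ('' if the header is absent)."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def sending_ip(msg):
    """IP in the top Received header, the hop written by the recipient's own
    server. Received lines further down are sender-controlled and can be forged."""
    top = (msg.get_all("Received") or [""])[0]
    m = re.search(r"\[([0-9a-fA-F:.]+)\]", top)
    return ipaddress.ip_address(m.group(1)) if m else None

def warning_signs(raw, known_good_networks):
    """Return a list of human-readable red flags found in the raw message."""
    msg = message_from_string(raw)
    signs = []
    sender, reply = domain(msg["From"]), domain(msg["Reply-To"])
    if reply and reply != sender:
        signs.append(f"Reply-To domain {reply} differs from From domain {sender}")
    auth = (msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{check}=(fail|softfail|none)\b", auth):
            signs.append(f"{check} did not pass")
    ip = sending_ip(msg)
    nets = [ipaddress.ip_network(n) for n in known_good_networks]  # assumption
    if ip is None or not any(ip in n for n in nets):
        signs.append(f"sending IP {ip} is outside the company's known networks")
    return signs

if __name__ == "__main__":
    for sign in warning_signs(RAW, ["198.51.100.0/24"]):
        print("WARNING:", sign)
```

A request for money remains the strongest signal on its own; header checks like these only add supporting evidence.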

Some popular apps to secure you from a BEC attack are Vovox, Lifehacker, Spoofcard and Tracebust.
