Email phishing is far more sophisticated than it used to be—and even you could fall for it
Say you receive an email saying, “We have kidnapped your child. To verify that we are telling the truth, just call your child’s cellphone. To get your child back, you need to send us $10,000 within one hour. We will send instructions in a separate email. Do not tell anybody—or else.”
Chances are you’d pick up the phone and call your child. Imagine the chill along your spine when a stranger answers, “We have your child.”
And yet this is such a simple scam. Attempting it requires just two things: your email address and the online account password associated with your child’s phone number. With that information, a scammer can forward your calls to your child’s phone number to his own prepaid phone. There’s no need for him to have your child’s phone, or even know what country you or your child are in.
This frightening scenario illustrates the power of targeting, and it suggests that anyone can fall for a gambit if it’s clever enough. All it takes is for a scammer to capture a few pieces of your information, something that could happen even if you’re very careful. That’s because many companies that have your data are not careful with it.
These scams are quite different from the old “Nigerian prince scam,” which caught only one recipient in 20. Those scammers would often openly state their association with Nigeria simply to make sure they would get responses from only the most naïve potential victims. This screening avoided fruitless exchanges with possible victims who would eventually get wise to the scam. However, scammers are increasingly focusing [pdf] their attention on more sophisticated victims because that’s where the money is.
One of the most polished deceptions is the Business Email Compromise (BEC) scam, also referred to as “CEO fraud” and “whaling.” The ruse has been used to take countless millions of dollars from enterprises, with the unwitting collaboration of employees. The thieves typically impersonate a trusted party, such as the chief executive officer, and ask a key employee to transfer money for a seemingly plausible reason: “We have closed a secret acquisition and need the funds transferred by close of business today. This is still secret per SEC rules, so please do not discuss with anyone.”
We’ve got a way to defeat these insidious scams: Use programs that emulate the judgments of a human expert. The best security measures are those that don’t require constant vigilance because they work automatically. So we have devised an expert system that does some things people cannot do, while carrying out those rules of Internet “hygiene” that people are told to follow but often ignore. The system uses new methods of detection, including story-line detection and language analysis. Full disclosure: We’ve started a company, ZapFraud, located in Portola Valley, Calif., that sells this software and focuses on defeating targeted email scams.
People between 50 and 59 years old are the group most heavily targeted by email scams, according to the 2014 Internet Crime Report, produced by the FBI and the Internet Crime Complaint Center. Men are particularly liable to fall for vehicle scams, such as buying cars from fake sellers or selling cars to scammers who pay with forged bank checks. Men in their twenties who fall for this scam lose, on average, US $2,000 per reported incident; men over 60 lose more than twice as much. For women, the main scam involves the opportunity to build relationships with handsome, successful men (who of course never show up), with average losses among women in their sixties exceeding $27,000 per incident.
Yet these figures grossly understate the problem because most scams are never reported. Victims are often too embarrassed, resigned, or depressed to go after their antagonists. And there is no incentive to file a police report: Insurance does not cover scam losses because the risk that the purported victim may himself be a scammer is too high. The police, in any case, are largely incapable of addressing Internet crimes because they lack the technical skills and because jurisdiction is rarely clear. For example, if you live in London and a scammer in Chicago uses your credit card with an online merchant in Miami to ship a product to Nigeria, which law enforcement agency should you call?
Individual victims are not alone—enterprises are also increasingly targeted. The FBI reports a 270 percent rise in reported cases of Business Email Compromise since the beginning of 2015, with many millions of dollars reported lost. As with the crimes against individuals, the true number of scammed businesses is probably much greater.
Scams targeting companies harm us all because every such breach turns up mounds of data from those companies’ customers (and also incurs expenses that inevitably trickle down to consumers). When Home Depot and the health-insurance company Anthem were breached in 2014 and 2015, the personal data—including email addresses—of tens of millions of Americans were stolen. The contextual information to which hackers gain access makes the stolen email addresses much more valuable, as it allows them to automatically create targeted attacks. And by fattening scammers’ profits, every success funds research that scammers use to commit more fraud.
Spam filters are worthless against targeted attacks. Classic spamming relies on the sheer volume of emails to make up for the very low response rate. The mass mailings usually contain common keywords—such as “Viagra” and “Rolex”—corresponding to what the spammer wishes to sell. As a result, spam filters—generally installed by email service providers—identify email accounts sending abnormally large numbers of messages, and look for the common keywords (as well as slight variants of these, such as “V1agra,” “V.i.a.g.r.a,” and “Vi@gra”). Spam filters also use recipient feedback as an indicator—did many recipients place the email from a particular sender in their spam folders? Did they leave the email unanswered? But targeted scams circumvent these mechanisms because they appear to be credible emails and usually bypass the spam filters. The victim is far more likely to be fooled by them, too.
Targeted scams rarely revolve around specific keywords. Instead they rely on a small number of story lines whose formulation is frequently changed. This novelty makes the messages much more convincing to both the spam filter and the human being on the other side of it. Thus, these criminal messages can enjoy a high rate of success even when sent out in small volumes, which allows them to further elude detection. And when at last—if ever—the email service providers realize that the sending email account belongs to a scammer, the scammer simply abandons that account and creates a new one. It’s like a game of Whac-A-Mole.
The most well-constructed targeted scams use emails from the email accounts of people the recipients know and trust; the scammers get access to these accounts by guessing or stealing the passwords and user names for these accounts. In other scam messages, the sending address is a “spoof,” again to make it appear that the message is sent by a trusted party. Another very common kind of targeted spam comes from email accounts whose addresses are deceptively similar to those of trusted contacts—like “email@example.com.”
A number of companies have tried to counter targeted scams. For instance, Microsoft and the information-security company Cloudmark have products that protect enterprise users against email scams in general and BEC scams in particular. However, these companies mostly rely on big-data methods, which involve training artificial intelligence programs on large quantities of both good messages and scam messages until the programs can recognize the difference. But because it takes time to accumulate such databases, these methods are slow to react to changes in scammer strategy.
Our algorithms, by contrast, are based on a structural understanding of scammers’ methods, including their techniques of persuasion. One tool we’ve developed looks for scammy story lines. Another considers who sent the email, whether the sender has a long-standing relationship of trust with the recipient and, if not, whether the sender’s email address is deceptively similar to that of a person or institution who does have such a relationship. Yet another tool looks for such red flags as the use of a reply-to address (more on that later). Our system then combines the results of all these tools to calculate the level of risk and to classify it. Is it a spoofed email? An email sent from a corrupted account or a deceptive domain? The system then acts according to the risk and classification by discarding the email, quarantining it, marking it with a warning, or simply delivering it to the inbox.
The software processes all incoming emails. An enterprise can either run the tools as a mail filter (a “milter”) or route incoming traffic through a filter in a virtual, or cloud-based, network.
To get an idea of how all this works, consider this email:
“You may be surprised to hear from me, since we do not know each other, but we are both related to a man who unfortunately has passed away quite some time ago, leaving a $2.7 million estate with no named heirs. We have only until the end of next month to state our claim, or the money will be confiscated by the government.”
This email has five basic elements: a greeting from a stranger; an expression of surprise; a mention of death; a mention of money, lots of it; and a call to action—you need to respond now.
This is the inheritance scam, and our system can spot it no matter how much the scammer may tinker with the wording. Although there is an almost limitless number of ways to write an inheritance-scam email, there aren’t all that many ways of explaining why an email from a stranger deserves to be taken seriously. For example, imagine that one email contains the text, “You may be surprised to hear from me, since we do not know each other,” and a second email instead contains the text “Dear sir/madam, my name is...” Both of these are obvious indications that the message is from a stranger. Another clue emerges simply from considering the sender of the email—has this person ever corresponded with the recipient? If the answer is yes, then the sender might actually be a relative or a friend, and even a message dealing with an inheritance might be given clearance and passed along.
Story-line detection works on only some types of scam emails—such as inheritance scams and stranded-traveler scams (“Mom, I’m penniless in Paris. Please send money”). We have developed other filters to identify many categories of scams. For example, there is classification by style. Much as you can guess the age of a movie from the slang in the dialogue, so can an algorithm catch formulations that are commonly used by scammers. Such formulations change slowly because scammers, like just about everybody, prefer to reuse successful gimmicks.
We also apply a barrage of statistics to messages. To formulate this technique, we began by taking a representative sample of everyday language and counting the frequencies with which important words appear.
After that, we compiled a training set of confirmed scam messages—more than 200,000 of them are now in our database. Then we listed the most common phrases having two, three, four, or five consecutive words, and their frequencies. Some of the differences between normal language and scam language were subtle, but others jump out at you. For example, consider the phrase “reply urgently.” In a large sample of reported scams from 2005, about one out of every 200 messages contained that phrase, whereas an astounding one in 18 contained the phrase “plane crash.” Both of these phrases are much less common in legitimate messages.
But wouldn’t such a filter have a high error rate? After all, people send perfectly legitimate messages containing the words “plane crash” all the time. Indeed, the error rate would be high if our algorithm looked at only that one phrase. Finding a single phrase that’s much more common in scam messages than in regular language is only indicative of a scam. But when an email contains a set of phrases that often occur together in fraudulent emails but very rarely in normal language—such as “introduce myself,” “airplane crash” and “large sum”—then you can be confident that the message is bogus.
Let’s now consider who the sender is—or appears to be. One way scammers try to win the trust of the victim is by pretending to be a trusted source—one method of which is email spoofing. This trick was supposed to have been ended by an Internet-level convention known as Domain-based Message Authentication, Reporting and Conformance (DMARC). But DMARC hasn’t been fully implemented. Some organizations haven’t supported it yet, whether for cost reasons or because of the training required to deploy it. Some countries, such as France, Germany, Italy, and Japan show only 35 percent to 40 percent DMARC coverage. And scammers continue to set up mail servers that insert fake sender information into emails.
To catch them, we home in on the weak spot of such spoofing: the reply-to address. Scammers need it to ensure that the victim’s response goes to them rather than the apparent sender. Our algorithm looks for such addresses, particularly those that the sender hasn’t used before. When accompanied by high-risk content, those are a common giveaway of malicious intent.
The most common trick of all is to register accounts or domains that look similar to those of someone or some brand that the victim trusts. Suppose that scammers want to deceive somebody in organization X and that organization’s bookkeeper is a company with the domain name preciseaccountingservices.com. The chief financial officer at X is used to receiving emails from Robert@preciseaccountingservices.com, as the scammers discover. The scammers then register a deceptive domain—preciseaccontingservices.com (which is missing a u)—and send an email to the CFO from Robert@preciseaccontingservices.com, instructing him how to make this year’s tax payments…or they may simply send an invoice. Our tools spot such email accounts that merely look like trusted accounts by examining the domain names with the precision that only a computer can maintain. This sneaky case isn’t addressed by DMARC, and it’s used in roughly 70 percent of all BEC scams.
Once trained, detectors of this kind process messages in real time. If an email triggers one of these detectors, the email is blocked, quarantined, or marked with a warning. Moreover, a filter that does not activate upon finding such an email will be automatically retrained so that it doesn’t make the same mistake again. This way, each new scam detection improves the accuracy of the system.
A conventional spam filter effectively blocks no targeted scam emails at all. Our filter blocks almost all of them. Over time, the filter-to-filter learning system we’ve incorporated promises to let us block still more bogus email without quarantining innocent messages.
Email was the first killer app of the Internet. Then spammers and scammers degraded it to the point where some people began to deliberately avoid it. The future, though, need not be so bleak. Consider this astounding fact: Spam rates fell [pdf] in 2015 for the first time in a decade. In 2016, more major mail service providers are expected to enforce DMARC recommendations so that only emails signed by their sending domains get delivered. Commercial services continue to add URLs of known scammers to their “block” lists. Awareness of scams is growing. These efforts in combination with the techniques we’ve described here should rein in the scam problem over the next five years.
Of course, the enemy won’t be idle. Scammers will concoct new scams, and they will move from email to other channels, such as texting or SMS. Every time a new medium of communication has ever been introduced, criminals have moved to exploit it. Fortunately, many defenses for email security are adaptable to those other channels.
This article appears in the May 2016 print issue as “Could You Fall for a Scam?”
About the Authors
Markus Jakobsson taught computer security at Indiana University, where he and his students studied how to combat targeted email attacks. Later, he founded ZapFraud, a company that automates the process. William Leddy is the company’s chief architect.