The Federal Trade Commission has recently revealed that crypto phishing scams have grown by over 1,000% since last October according to a report from CBS News.

It has been calculated that 2020 bore witness to some 400,000 cryptocurrency scams. Hackers have been focused on the new monetary currency for some time and are estimated to have stolen some $80m in the USA alone. These attacks typically involve investment scams, digital wallet thefts and phishing attacks.The FBI has stated that crypto-related BEC scams have risen significantly in the past 24 months, with businesses having around $10m stolen during 2020.

The factors behind the massive spike in these types of attack are quite varied. They include:

  • As this is a very new type of currency, most people remain unfamiliar with the intricacies of the technology Blockchain is a neoteric frontier and the average layperson does not completely understand how it works. The knowledge gap creates a potential attack point for cybercriminals
  • The large number of currencies also assists cybercriminals with their campaigns. Currently there are more that 5,000 cryptocurrencies in existence globally. Additionally new cryptocurrencies are being created almost every day so hackers can move from one to the other as they try to find a susceptible target.
  • Third party identification documents are a major attraction for hackers in data exfiltration attacks.  These can be used to access cryptocurrency wallets using this seized personal information.
  • The associated anonymity is also an attractive element for hackers. While their supportive blockchains provide a record of the actual financial transaction, most of them do not share personal data related to transactions.  All of this makes it difficult for authorities to ascertain any sort of financial pattern concerning that can aid their investigations.  Crypto, as it turns out, is a payment paradise for cyberattack managers.

The majority of BEC attacks are expertly managed as the hackers have often thoroughly researched their targets. In a lot of cases a compromised company email system  might have been initially infiltrated as long as months before the initial attack takes place. This gives them time to learn the protocols and culture of the organization. Following this period of time the attack is normally conducted using the impersonation of a key executive such as the CEO or CFO as a tactic.  The aim is to get a lower level employee that has privileges to the company’s payment system to send funds for a stated reason such as a large business deal or company transaction.  The employee asked to complete the bank transfer to an account belonging to the hacking group. Once the funds hit the account, the bank automatically changes the money into cryptocurrency.

FBI Guideline

Along with releasing an annual update the FBI has also made public a list of specific measures that companies and individuals should adopt in order to prevent them from being a target of a BEC cryptocurrency scam.  These include:

  • Individuals are urged to constantly review bank accounts to see if there is any evidence of indiscretions and unrecognized transactions.
  • Use a multi-factor authentication (MFA) solution to augment your authentication processes. One of the best ways is to have a PIN sent through text or email for authentication.
  • Use a robust best anti-phishing protection like SpamTitan that feature double antivirus, data leak prevention, real-time blacklists (RBLs), email content filtering as well an inbuilt Bayesian auto-learning heuristics.
  • IT managers should make sure that their corporate email applications are set up to permit users to see the full email extensions of received emails.