Monthly Archives: August 2021

Phishing costs have tripled since 2015

Ponemon Institute is pleased to present the results of The 2021 Cost of Phishing Study sponsored by Proofpoint. Initially conducted in 2015, the purpose of this research is to understand the risk and financial consequences of phishing. For the first time in this year’s study we look at the threats and costs created by business email compromise (BEC), identity credentialing and ransomware in the workplace.

The key takeaway from this research is that the costs have increased significantly since 2015. Moreover, with the difficulty many organizations have in securing a growing remote workforce due to COVID-19, successful phishing attacks are expected to increase.

We surveyed 591 IT and IT security practitioners in organizations in the United States. Forty-four percent of respondents are from organizations with 1,000 or more employees who have access to corporate email systems.

The following findings reveal that phishing attacks are having a significant impact on organizations not only because of the financial consequences but also because these attacks increase the likelihood of a data breach, decrease employee productivity and increase the likelihood of a business disruption.

The cost of phishing more than tripled since 2015. The average annual cost of phishing has increased from $3.8 million in 2015 to $14.8 million in 2021. The most time-consuming tasks to resolve attacks are the cleaning and fixing of infected systems and conducting forensic investigations. Documentation and planning represent the least time-consuming tasks.

Loss of employee productivity represents a significant component of the cost of phishing. Employee productivity losses are among the costliest to organizations and have increased significantly from an average of $1.8 million in 2015 to $3.2 million in 2021. Employees are spending more time dealing with the consequences of phishing scams. We estimate productivity losses from the hours employees/users spend each year viewing and possibly responding to phishing emails; that figure averages 7 hours annually, an increase from 4 hours in 2015.

The cost of resolving malware infections has doubled. The average total cost to resolve malware attacks is $807,506 in 2021, an increase from $338,098 in 2015. Costs due to the inability to contain malware have more than doubled, from an average of $3.1 million to $5.3 million.

Credential compromises increased dramatically. As a result, organizations are spending more to respond to these attacks. The average cost to contain phishing-based credential compromises increased from $381,920 in 2015 to $692,531 in 2021. Organizations are experiencing an average of 5.3 compromises over the past 12-month period.

Credential compromises not contained have more than doubled. The average total cost of credential compromises not contained is $2.1 million, up significantly from $1 million in 2015.

BEC is a security exploit in which the attacker targets employees who have access to an organization’s funds or data. The average total cost of BEC exploits was $5.96 million (see Table 1a). Based on the findings, the extrapolated average maximum loss resulting from a BEC attack is $8.12 million. The average total amount paid to BEC attackers was $1.17 million.

What is the cost of business disruption due to ransomware? Ransomware is a sophisticated piece of malware that blocks the victim’s access to his/her files. The average total cost of ransomware last year was $5.66 million, and the average percentage rate of ransomware attacks from phishing was 17.6 percent.

Employee training and awareness programs on the prevention of phishing attacks can reduce costs. Phishing attacks are costing organizations millions of dollars. According to the research, the average annual cost of phishing scams is $14.8 million, an increase from $3.8 million in 2015.

Respondents were asked to estimate what percentage of phishing costs could be reduced through training and awareness programs that specifically address the risks of phishing attacks targeting the workforce. On average, respondents estimate the cost can be reduced by more than half (53 percent) if training is conducted.

Part 2. Key findings

Loss of employee productivity represents a significant component of the cost of phishing.
The average annual cost of phishing has increased from $3.8 million in FY2015 to $14.83 million in 2021. As shown, productivity losses have increased significantly from $1.8 million in 2015 to $3.2 million in FY2021. Please note that information about BEC and ransomware was not available in FY2015. In the current study, we estimate an annual cost of phishing for BEC at $5.97 million and ransomware at $996 thousand.

Employees are spending more time dealing with the consequences of phishing scams. The range of hours is less than 1 to more than 25 hours per employee each year. We estimate the productivity losses based on hours spent each year by employees/users viewing and possibly responding to phishing emails. As shown, each employee wastes an average of 7 hours annually due to phishing scams, an increase from 4 hours in 2015.

As discussed, the costliest consequence of a successful phishing attack is employees’ diminished productivity. Here we assume an average-sized organization with a headcount of 9,567 individuals with user access to corporate email systems. Based on an average of 7 hours per employee we calculate 65,343 hours wasted because of phishing. Assuming an average labor rate of $49.5 for non-IT employees (users) we calculate a total productivity loss of $3.2 million annually, an increase from $1.8 million in 2015.

An average of 15 percent of an organization’s malware infections are caused by phishing scams. Respondents were asked to estimate the percentage of malware infections caused by phishing scams. The estimated range is less than 1 percent to more than 50 percent. The extrapolated average rate is 15 percent. As discussed above, the cost to contain malware is estimated to be $353,582 (see Table 1).

The likelihood of a malware attack causing a material data breach due to data exfiltration has increased since 2015. In the context of this research, a material data breach involves the loss or theft of more than 1,000 records. Respondents were asked to estimate the likelihood of this occurring. The probability distribution ranged from less than 0.1 percent to more than 5 percent. The extrapolated average likelihood of occurrence is 2.3 percent over a 12-month period, an increase from 1.9 percent.

The total cost attributable to malware attacks caused by phishing scams more than doubles. The total cost to resolve malware attacks is $807,506 in 2021, an increase from $338,098 in 2015.

Phishing costs due to the inability to contain malware have more than doubled and represent 11 percent of the total cost of phishing. Malware not contained is malware at the device level that has evaded traditional defenses such as firewalls, anti-malware software and intrusion prevention systems. Two consequences of an active malware attack that are difficult to contain are (1) data exfiltration (a.k.a. a material data breach) and (2) business disruption. The total cost of malware not contained has increased from $3.1 million to $5.3 million.

A malware attack resulting in a data breach due to data exfiltration could cost an organization an average of $137.2 million. The following formula is used to determine the probable maximum loss (PML) and the likelihood of such an attack:

What is the cost of business disruption due to a malware attack? Respondents were asked to estimate the PML resulting from business disruptions caused by a malware attack. Business disruptions include denial of services, damage to IT infrastructure and revenue losses. The distribution of maximum losses ranges from less than $10 million to $500 million. The extrapolated average PML resulting from data exfiltration is $117.3 million, an increase from $66.3 million.

How likely is it that business disruptions caused by a malware attack will affect your organization? Respondents were asked to estimate the likelihood of material business disruptions caused by malware. The probability distribution ranges from less than 0.1 percent to more than 5 percent. The extrapolated average likelihood of occurrence is 2.1 percent over a 12-month period, an increase from 1.6 percent in 2015.
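To make the cost reasoning above concrete, here is an added example in Python; it is not part of the Ponemon report or of this post. It plugs the page's figures into the two calculations the text describes: lost productivity as hours wasted times labor rate, and the annualized expected loss for malware that evades defenses as probable maximum loss (PML) times the likelihood of occurrence in a 12-month period. The report's own PML formula is not reproduced on this page, so that multiplicative form, and every function name here, is an assumption; the input figures are the ones quoted above, and the 53 percent training reduction is the survey respondents' estimate.

```python
# Added example (not from the report or the post): a small expected-loss model
# built around the figures quoted on the page. The form PML x annual likelihood
# is an assumption, since the report's own formula is not reproduced here.


def hours_wasted(headcount, avg_hours_per_user):
    """Total user-hours lost per year to viewing and handling phishing email."""
    return headcount * avg_hours_per_user


def productivity_loss(total_hours, hourly_rate):
    """Dollar value of the lost user time."""
    return total_hours * hourly_rate


def expected_loss(pml, annual_likelihood):
    """Annualized expected loss from one adverse outcome.

    Assumed form: probable maximum loss multiplied by the probability that
    the outcome occurs within 12 months (a fraction, not a percentage).
    """
    if not 0.0 <= annual_likelihood <= 1.0:
        raise ValueError("annual_likelihood must be a fraction between 0 and 1")
    return pml * annual_likelihood


def uncontained_malware_loss(outcomes):
    """Sum of expected losses over the outcomes of malware that evades defenses.

    outcomes: iterable of (name, pml_dollars, annual_likelihood) tuples.
    """
    return sum(expected_loss(pml, p) for _name, pml, p in outcomes)


def with_training(cost, reduction_fraction):
    """Cost remaining after the estimated reduction from awareness training."""
    if not 0.0 <= reduction_fraction <= 1.0:
        raise ValueError("reduction_fraction must be a fraction between 0 and 1")
    return cost * (1.0 - reduction_fraction)


# Inputs taken from the page (2021 figures). The report states 65,343 hours
# wasted for 9,567 users, i.e. about 6.83 hours per user; the 7 hours quoted
# in the text is the rounded figure, so the total is used directly here.
REPORT_2021 = {
    "hours_wasted": 65_343,
    "labor_rate": 49.5,                      # dollars per hour, non-IT users
    "exfiltration": (137_200_000, 0.023),    # PML, 12-month likelihood
    "disruption": (117_300_000, 0.021),      # PML, 12-month likelihood
    "training_reduction": 0.53,              # respondents' estimate
    "total_phishing_cost": 14_800_000,
}


def summarise(report=REPORT_2021):
    """Return the three derived figures the page discusses, in dollars."""
    prod = productivity_loss(report["hours_wasted"], report["labor_rate"])
    uncontained = uncontained_malware_loss([
        ("data exfiltration", *report["exfiltration"]),
        ("business disruption", *report["disruption"]),
    ])
    remaining = with_training(report["total_phishing_cost"],
                              report["training_reduction"])
    return {
        "productivity_loss": prod,
        "uncontained_malware_expected_loss": uncontained,
        "total_after_training": remaining,
    }


if __name__ == "__main__":
    for name, value in summarise().items():
        print(f"{name:36s} ${value:,.0f}")
```

Run as a script it prints the three derived figures. The productivity line reproduces the page's $3.2 million; the uncontained-malware line (about $5.6 million under the assumed PML x likelihood form) lands near, but not exactly on, the $5.3 million the report states, which is the expected result when the report's own formula and rounding are not available, so treat it as a sanity check rather than a reproduction.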

Visit Proofpoint’s website to download the entire 2021 Cost of Phishing Report.

Hear how an FBI agent conned a con artist; got him to fly to the US for prosecution

Bob Sullivan

How do you catch Internet con artists? Well, you con them.

Alan, who lives near Washington D.C., had traveled to Dubai and to Ghana thinking he was helping a princess gain access to her multi-million dollar inheritance. Before his fever was broken, Alan — not his real name — sent about $600,000 to a man named Eric and a woman who called herself “Precious.” By the time the FBI got involved, it was too late for Alan’s money. But Alan did have a photograph of the two criminals, taken in Dubai. When a rookie FBI agent named Mike saw that, he decided there might be just enough evidence to pursue the criminals through cyberspace.

He had one big problem, however. Agent Mike — we’re protecting his identity — couldn’t fly to Dubai or Ghana and arrest them. He had to get them to fly, willingly, to the U.S.

You don’t often get to hear an FBI agent talk about chasing after online criminals. And rarely do stories involving $600,000 sent overseas to criminals have a happy ending. But in this recent episode of The Perfect Scam, I pull back the curtain on a remarkable piece of crime-fighting and a relentless pursuit by one very determined agent.

Listen to this episode by clicking here, or by clicking the play button below. Below that, a partial transcript appears. It’s a two-part episode. You can hear part 2 at this link, or hit the second play button below.

———-PARTIAL TRANSCRIPT—————-


FROM PART 1

[00:06:25] Mike: Yeah, it’s almost heartbreaking, because when you read the transcripts, you can see how the victim actually thinks it’s real. I mean he’s actually saying things like, “Well when can I meet you,” or “Can you send me more pictures?” The scammer usually almost always just returns to, “Oh I love you so much,” et cetera, et cetera, you know, “How are you?” that kind of thing. And it’s just so one-sided in terms of the victim is like actually trying to have a relationship, but the scammers are just uh clearly have an agenda on their mind. And then uh, it will, you know, usually transition then to, “Oh, hey something terrible just happened. My mother just got into a car accident,” “We’re overseas for the moment,” or “My, my dad’s uh late on his rent,” or “I’m late on my rent,” or something like that. “Can you just send me, MoneyGram me uh, 500 bucks, ” or something like that.

[00:07:13] Bob: But those smaller asks are just the beginning of the crime. Soon, Precious starts to tell a much bigger story to Alan.

[00:07:21] Mike: One thing that happened, which I’ve come to realize this might be a common thing for scammers from Ghana, is that the uh the women, in this case, Precious, eventually will let the victim know that, “I am actually an African princess, I’ve actually inherited millions of dollars’ worth of gold, it’s back overseas in Ghana, and here’s my lawyer,” you know. In, in this case Precious had a lawyer named Eric, and other, other scammers will introduce other like a, they’ll, they’ll almost always introduce a second player, um, like a second figure. And then the lawyer will come in, in this case, Eric, with a very formal sounding, uh you know, email signature block and very formal sounding, uh, language and write, you know, big, long paragraphs, with very lawyerly sounding text to say, “I understand, Alan, that you’re here to help Precious. Uh, that’s a great thing that you’re doing. And in order to have her, you know, receive her inheritance of millions of dollars which will help her and her family, you need to start paying,” you know, this and that for legal documents, for shipping fees, et cetera, et cetera.

[00:08:40] Bob: So far, this looks like a crime that FBI agents unfortunately see pretty often, but as Mike keeps reading, he confirms one of his chief suspicions. That trip to Dubai and Ghana, that means the crime went a whole lot farther.

[00:08:55] Mike: Eventually, I think the reason to get Alan on a plane was so that he could meet the supposed lawyer, Eric, in Dubai so that they could sign some legal documents towards the uh, the release of the gold.

[00:09:08] Bob: And what did he actually sign when he got to Dubai?

[00:09:11] Mike: It was just, you know, something that you could drum up on Microsoft Word in 10 minutes.

[00:09:16] Bob: So this, this was still all just a, a movie scene that they were playing out for him. Um, well did you see the part of the discussion where he said, yes, I’ll, I’ll fly, I’ll get on an airplane? I mean, that must be amazing to see in black and white.

[00:09:30] Mike: Yep, we saw that. I think it must have been several months into their, the scam where he actually got onto the plane, if I recall correctly. But uh yep, they met in Dubai. That was actually one of the reasons why I decided that we could probably take on this case, because he had actually gone overseas, and he actually met these people in person, at least Alan could pick them out from a lineup, for example.

[00:09:55] Bob: He could pick Precious and Eric out of a lineup, if ever there were a way to get them into a lineup. But maybe even more important, there’s pictures.

[00:10:06] Mike: Yeah, so they meet in Dubai. It’s Eric and Precious. It’s uh, an African man and a Caucasian woman claiming to be Eric and Precious, and they have Alan pay for the hotel, they have Alan pay for the meals, everything. In fact, I think there’s this picture of Alan with uh, Eric and Precious in like, it looks like a Chili’s or something in the Dubai airport. It was one of the first times that we actually saw the scammers for real when, uh Alan shared that picture with us.

[00:10:34] Bob: Okay, yeah. Now before we go on, you have a picture of them at, of the three of them at a, at a Chili’s in Dubai?

[00:10:40] Mike: I, I don’t know what restaurant it is, but it looked like, you know, uh there’s, there’s a few more pictures of them at the uh, the Dubai airport, so you know, it’s just pretty good uh proof that corroborates the story.

[00:10:53] Bob: That’s, I’m almost, I’m kind of amazed that they were brazen enough to pose for a picture like that.

[00:10:58] Mike: You know, it’s um, sometimes I think about that, too. So I think from the perspective of a scammer, it’s really a risk/reward calculation they have to make because uh, when you’re trying to scam these folks, if you, you know, obviously, you know, it’s a romance scam, so your victim wants to meet you because you guys are supposed to be in love. So if you never meet with the victim, obviously they will start to get suspicious after a while. And there’s only so much that you can keep the victim on the hook for, there’s only so, so much money you can squeeze out of them. However, if you take the risk and you actually meet with the victim, and you have the uh, I guess the props to show that this is actually a true story, then you’ve got the victim hooked for even more, right. Now he knows it’s real.

(MUSIC SEGUE)

[00:11:43] Bob: Mike says the three of them looked pretty jolly in the photos, like they’re on vacation together.

[00:11:48] Mike: Eric and Alan, just kind of posing, big smiles somewhere, it must have been somewhere in Dubai, if I recall correctly. And then, when we saw pictures of Precious, she was indeed a Caucasian young woman. She must, she must have been in her mid–, she looked like she was in her mid-20s. Eric looked like he was a bit older, probably in his 40s, but you know, the pictures that Precious had been sending to Alan via Skype were, you know, pictures of just gorgeous women that you find on the internet, right, and it was pretty clear that the Precious in real life was not the same.

[00:12:26] Bob: Eventually, the group gets down to business. But they don’t stay in Dubai very long.

[00:12:31] Mike: After signing these documents for the uh, supposed gold, Eric kind of suddenly proposes to Alan, “Hey why don’t I take you to Ghana so that you could actually see the gold for yourself, and so that you can actually see all of Precious’s inheritance, so that you know it’s real.” And then um, the real reason that Eric’s doing this is because he wants to get Alan on some more scams that he has waiting for him back in Ghana. From there, Precious actually goes back to her home country; we found out later that was Ukraine. Eric, I think he just takes Alan’s credit cards, and he just buys tickets for them to go from Dubai to Ghana.

[00:13:08] Bob: And when they get to Ghana, Eric puts on quite a show for Alan.

[00:13:12] Mike: Pretty shortly after they landed, Eric takes Alan to what sounds like some sort of compound or some sort of building that he has, and inside is what Alan described as some sort of safety deposit box. Unfortunately, there was no pictures uh really from, that describe this, so I don’t, we don’t really have a good visual on it, but it looked pretty official. Uh, Alan, you know, Alan described that there was like a bank guard there, and there were some other folks there, and so, you know, Eric does the whole “bring forth the gold” kind of thing. Alan describes um, the guards bringing over I guess a chest of, you know, gold bars, and uh Alan picked one up, and, and he said it sure felt like they were pretty heavy, so it must be gold.

[00:14:05] Bob: Wow, and but to Alan’s estimation, it was maybe millions of dollars’ worth of gold?

[00:14:10] Mike: Yeah, that’s what Eric was claiming the whole time. That was part of the story, so…

[00:14:14] Bob: Of course, Eric has another reason to bring Alan to Ghana. He wants to introduce Alan to another criminal with another elaborate story.

[00:14:23] Mike: Eric kind of uses this opportunity to, to introduce a, another scam. It’s another scam that we’ve heard of before, it’s sometimes you call it like, uh I’ve heard it referred to as like a kind of a washing the money scam, or the black money scam. There’s different variations of it, but really what it amounts to is a magic trick that is really impressive in the moment and really uh hooks your victim. And what Eric does is he says, okay, great, now you’ve seen Precious’s gold. I’d like to introduce you to another person. This person here is Daniel. Daniel’s about 18 years old. You know, he’s also some sort of African nobility. And Daniel’s there, and he’s smiling and he’s, you know, playing the part of a, a poor 18-year-old kid, and Eric’s just trying to help him out too, just the way like he’s trying to help out Precious. And Daniel has inherited a large quantity of, of sheets, uh, you know, just like you’ve seen those sheets that are uncut at the Treasury Department. But these sheets are worthless unless you start cutting them, and once you cut them all, then they’ll be worth millions, but uh, the way to cut them is, you can’t just use scissors. You need a chemical that only, Frank, the other character, he uses introduces guy, Frank. Frank was kind enough to bring it, so let me show you how it works. Puts the chemicals in a bowl, pours water over it, mixes it all up, and then he dips one of these sheets into the bowl, and you know, before Alan’s eyes, the sheets separate into the separate individual $100 bills. So, just like that, we made 400 bucks. And so Eric says, you know, it’s as simple as that, so if we want to start getting Daniel’s uh money, then we need to start paying money for the rest of the chemicals from Frank.

—-FROM PART 2—–

[00:04:24] Mike: Plan C was, you know with Alan’s permission, and also his wife, too, we, we kept the wife in the loop the entire time. I didn’t want her to feel like she was being excluded, but I asked them if they’d be willing to, you know, take some pictures of Alan in the hospital undergoing, well, post, uh, his medical procedures, and to go back to Eric and Precious and say, “Hey, you know, my health is really declining. I really want to help you, Precious, so uh, here’s proof that I can’t go overseas and see you. Why don’t you guys come over here, and we can do things like, I’ll put you in my will,” and so Precious will have, you know, $10,000 a month in perpetuity or something like that, or, or uh, I got a, another, another ruse that we started coming up with was, we had Alan say, “I’ve got a really rich businessman man and he’s really looking to invest in uh, in Africa, you know, and Africa’s the next place to invest in, especially with uh, raw minerals, and you, you seem to know a lot about gold, so yeah, this, yeah this rich businessman wants to meet you. He wants to talk about gold.” So we kind of started coming up with stories to uh, you know, scam Eric and Precious and Daniel with.

[00:05:40] Bob: It strikes me that it’s a good thing you work for the FBI. Otherwise you’d have another career that might not be as wholesome.

[00:05:46] Mike: Oh, (laugh). Well, sometimes you’ve got to think like scammers to catch them, so.

[00:05:52] Bob: Mike has to really work to open the door to the US for Precious and Eric. One of the most important steps, getting the State Department to issue a visa.

[00:06:01] Mike: We were kind of playing multiple stories at the same time, and I think the pictures of Alan, uh, you know, in the hospital, they were effective, but what was even more effective was we were telling Alan to ask Eric like, “Hey look, go to the Embassy in Ghana, apply for a visa, just get that process started,” and then I actually started kind of going behind the scenes, and I started, uh, talking to some reps at the State Department to say, like, hey look, we’re going to, we’re trying to set this up now, you know. This person, Eric, which I, you know, by that time we had kind of identified who Eric really was, he’s a criminal, he’s a, he’s a subject of an investigation, there’s an active FBI investigation on him. Here’s what, here’s kind of what’s going on. Basically I said, “I need you to give him a visa.”

(MUSIC SEGUE)

[00:06:51] Bob: Meanwhile, Mike is coaching Alan on what to say to Eric and Precious. They lay it on pretty thick.

[00:06:57] Mike: We had Alan say, “Hey, you got your visa, because my friend, my rich friend pulled some strings with the government.” That was the story that we were spinning towards him, and then we were saying, “Okay, well now my rich friend really wants to talk to you about gold, so he’s going to buy you a plane ticket.”

[00:07:11] Bob: Even after Mike gets the State Department to play along, there are still a whole lot of steps before Eric and Precious might actually get on a plane and land in a US airport where they can be apprehended. Would Eric even show up for his visa appointment? What if he got cold feet right before boarding the plane? You’d think Mike might be worried by these things, but he says he wasn’t.

[00:07:32] Mike: You know, it wasn’t really so much nervousness, I think, uh, just the way that we think here, we always have plan A, plan B, plan C, so this plan that we were setting forth, even though it was plan C, which is now plan A, we still had backup plans, you know, in place, so I knew that if Eric never really came here, or if uh, he never followed up on his visa appointment. We had other ways, you know, it’s just, you know at the FBI we just, we, time is on our side. So something would have come eventually. Like, for example, the UAE would have told us who these people really were. And so we could have, you know, these investigations drag on for a while, and eventually something would have broken, so I wasn’t um, part of me was like, there’s no way he’s actually going to do this. But even, and even if he didn’t, that would be okay, because this investigation will still be going forward.

[00:08:22] Bob: But, to the surprise of many agents involved, the plan works. Eric gets his visa and gets on a plane headed for Dulles Airport outside Washington DC.

[00:08:33] Bob: So it worked, okay. Are, are you there at the airport when they arrive?

[00:08:36] Mike: Yep, yes, it’s myself and a few more agents, and uh, um, you know we kind of confirmed with the Department of Homeland Security that he did indeed board the flight. We actually bought his plane ticket for him. And so we knew exactly when he was arriving. As he’s going through the immigration queues, one of the uh customs and border protection officers was with us, had kind of taken us behind the scenes at the airport. We saw him just going through. I think he had like a blue suit on, and uh, he had like one of those neck pillows. He looked very tired, obviously. We kind of pulled him out of the queue. We told him to sit in a, a place that’s called secondary inspection, uh with CBP at the airport. We just kind of looked at his uh travel documents again, just to confirm that he really was the person we were looking for, and we kind of went to him, kind of broke the bad news.

[00:09:34] Bob: What was the, the expression on his face when you did that?

[00:09:36] Mike: I think he was very tired. He was very jetlagged. He was very like, uh just absolute resignation. No fight, no denial, just okay, sure. Take me.