Phishing remains the #1 source of total losses suffered for another year. Data from Abnormal Security’s H1 2022 Email Threat Report showed that BEC attacks increased by a considerable 84% over the previous six months.
While that’s still relatively low-volume compared to other types of scams (less than one per 1,000 mailboxes), BEC attacks caused almost £1.9 billion in losses last year alone. So, while they’re not as common, they can be expensive. More than ever, the techniques attackers use to manipulate the human behind the mailbox into doing what they want are becoming harder and harder to detect.
Recently, Abnormal Security identified a new BEC group leveraging blind third-party impersonation tactics to swindle companies around the world. The group, which they call Crimson Kingsnake, impersonates real solicitors, law firms, and debt recovery services to deceive accounting professionals into quickly paying fake invoices.
Abnormal has observed Crimson Kingsnake target companies throughout the United States, Europe, the Middle East, and Australia. Like most BEC groups, Crimson Kingsnake is industry-agnostic, meaning it doesn’t explicitly target companies in particular sectors. Intelligence collected from some of the active defence engagements we’ve conducted with the group indicates that at least some of the actors associated with Crimson Kingsnake may be located in the United Kingdom.
Unlike other forms of financial supply chain compromise, blind third-party impersonation attacks have no direct insight into vendor-customer relationships or financial transactions and instead rely on pure social engineering to succeed. Scammers behind blind impersonation attacks rely on the hope that, as in so many other social engineering attacks, the target isn’t paying close attention to the email and simply complies with the request.
For example, scammers often prepare authentic-looking invoices with their bank account information and real company details for the organisation they’re impersonating. They even create fake email chains with the names and addresses of their victim’s colleagues, making the request look and feel legitimate.
To add legitimacy to their communications, Crimson Kingsnake uses email addresses hosted on domains closely resembling a firm’s real domain. The display name of the sender is set to the attorney that is being impersonated and the email signature contains the firm’s actual company address. Since March 2022, we’ve identified 92 domains linked to Crimson Kingsnake that have mimicked the domains of 19 law firms and debt collection agencies in the United States, the United Kingdom, and Australia. Many of the firms referenced in Crimson Kingsnake attacks are major, multinational practices with a global footprint.
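The lookalike-domain tactic described above (a sender domain that closely resembles a real firm’s domain, with the display name set to a real person) is something an accounts team or mail gateway can screen for mechanically. The following is an added example written for this post, not code from Abnormal Security or Saepio: it folds common homoglyph substitutions, measures edit distance against a constructed allow-list of trusted counterpart domains, and flags a display name that names a trusted firm while the address does not. All domains and headers in it are constructed placeholders.

```python
"""Triage of From: headers for lookalike-domain impersonation.

Added example for this post; it is not code from Abnormal Security or Saepio.
The trusted domains and sample headers below are constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr

# Constructed allow-list: the counterpart firms an accounts team genuinely deals with.
# In practice this would come from the vendor master or a maintained address book.
TRUSTED_DOMAINS = {"examplelaw.com", "exampledebtrecovery.co.uk"}

# Substitutions commonly used in lookalike registrations (fake -> real).
# Folding is deliberately aggressive; it trades some noise for catching swaps like 'rn' for 'm'.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(text: str) -> str:
    """Lower-case, strip accents and collapse homoglyphs: 'Examp1eLavv' -> 'examplelaw'."""
    s = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 or 2 usually means a single added, dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> dict:
    """Classify a From: header as trusted, lookalike or unrelated to the trusted domains."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in trusted:
        return {"verdict": "trusted", "domain": domain, "reason": "exact match"}
    # Split 'examplelaws.com' into the name part and the suffix; a real deployment would
    # use a public-suffix list so that 'mail.examplelaw.com' is handled too.
    sender_brand, sender_suffix = domain.split(".", 1) if "." in domain else (domain, "")
    for t in sorted(trusted):  # sorted so results are deterministic
        brand, suffix = t.split(".", 1)
        hit = {"verdict": "lookalike", "domain": domain, "mimics": t}
        if fold(domain) == fold(t):
            return {**hit, "reason": "homoglyph substitution"}
        if fold(sender_brand) == fold(brand) and sender_suffix != suffix:
            return {**hit, "reason": "same name under a different suffix"}
        if levenshtein(fold(sender_brand), fold(brand)) <= max_distance:
            return {**hit, "reason": "near-miss spelling"}
        if brand in fold(sender_brand):
            return {**hit, "reason": "trusted name embedded in a longer domain"}
        if brand in fold(display).replace(" ", ""):
            return {**hit, "reason": "display name references the firm but domain does not"}
    return {"verdict": "unrelated", "domain": domain, "reason": "no resemblance to trusted domains"}


# Constructed sample headers covering each pattern the checks above look for.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@examplelaw.com>",                  # genuine
    "Jane Doe <jane.doe@examp1elaw.com>",                  # digit one for letter l
    "Jane Doe <jane.doe@examplelaw.net>",                  # same name, other suffix
    "Jane Doe <jane.doe@examplelaws.com>",                 # one letter added
    "Jane Doe <jane.doe@examplelaw-legal.com>",            # firm name inside a longer domain
    "Example Law LLP <billing@webmail-example.invalid>",   # firm only in the display name
    "Newsletter <news@unrelated.example>",                 # nothing to do with the firm
]


def triage(headers=SAMPLE_HEADERS) -> list:
    """Return (header, verdict, reason) per header; 'lookalike' rows are what a reviewer queues."""
    return [(h, r["verdict"], r["reason"]) for h, r in ((h, assess_sender(h)) for h in headers)]


if __name__ == "__main__":
    for header, verdict, reason in triage():
        print(f"{verdict:9} {reason:58} {header}")
```

The verdict is deliberately a routing signal rather than a block decision: a "lookalike" result should push the invoice into an out-of-band confirmation step (a phone call to a number already on file for the firm), which is the control the signature block and fake email chain are designed to bypass.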
The NCSC continues to publish guidance on how firms can protect themselves more comprehensively against email threats, but there remains a lack of formal, prescriptive technology recommendations. At Saepio, we’re seeing a trend towards firms with very security-centric email requirements benefitting from an API approach that augments M365 or Google Workspace. At a time when clients are looking to gain full value from their existing investments, this approach can be a lifesaver that makes those investments go further.
Recognising some of the risks and challenges in this? We’re experts at helping find the right solution to your email challenges and will be happy to help if it’s needed.