This year, the frighteningly sophisticated scam known as Business Email Compromise (BEC) will be responsible for stealing over $9 billion from businesses across the globe. Will your business be next?
There has been a significant increase in BECs in recent years. In the second quarter of 2018, email compromises accounted for 23% of incidents reported to the Beazley Breach Response (BBR) Services team. BEC hackers impersonate high-level executives and manipulate employees into handing over confidential data. Aging systems combined with untrained staff make businesses more susceptible to this particular strain of attack.
These attacks pose an undeniable threat, but there are ways to safeguard your business! Here is your guide to understanding and preventing considerable loss from BEC scams.
Examples of BECs
Hackers are always thinking of new ways to glean money or important information from businesses and they aren’t concerned with the size or nature of the company that they are targeting. Some common examples of BEC scams include:
Bogus invoicing – The fraudster will typically breach the email account of a finance department employee, find an invoice and modify the payment details so that the funds are transferred to themselves. The convincing scheme can easily sneak past the accounts payable department.
CEO fraud – The hacker pretends to be an executive (CIO, CEO) and requests that an HR or finance department employee make an emergency payment. This clever ploy can sometimes include social engineering tactics to seem more compelling. Some criminals spend time researching targeted employees on social media to gain a strong perception of their personalities. They then inject their understanding of the employees into the emails they craft.
These emails are not like the spam we are used to (littered with obvious grammatical errors and phony letterheads). These cleanly written, friendly-sounding messages appear to be from busy bosses asking for quick favours from colleagues.
Employee account compromise – Similar to bogus invoicing, this attack involves sending an invoice to partner vendors through employee accounts. This most frequently occurs in smaller businesses that have an email-based billing structure.
Attorney identity theft – An attorney or law firm’s email identity is obtained and used to demand payment to settle a fake legal dispute or overdue bill. This scam plays on the fretfulness of the targets by convincing them that this is a time-sensitive and confidential matter.
The Malicious Process of ATO Attacks
Account Takeover attacks (ATOs) are defined as the process of gaining unauthorized access to a trusted email account and using that access to launch subsequent email attacks for financial gain or to carry out a data breach.
These extremely high-risk attacks target the uppermost levels of leadership within an enterprise. They are so shrewdly performed that they are difficult to detect. E-commerce businesses and online currency services are common marks.
5 Steps to a Successful Account Takeover
Step 1: Gain account access. The fraudster conducts a spear-phishing or malware-based email attack, or purchases login credentials on the dark web.
Step 2: Establish account control. Control can be achieved without the knowledge of the victim or security personnel.
Step 3: Internal reconnaissance. The fraudster investigates the compromised account to determine the best way to exploit it.
Step 4: Launch the attack. The fraudster unleashes whatever attack is deemed best suited for the account.
Step 5: Complete the mission. The fraudster exfiltrates confidential data to carry on their crime spree, or walks away with the stolen funds.
Recommended Safety Strategies
We have identified how cyber attacks occur and how they can drastically impact businesses. Now it is time to explore the ways in which businesses can defend themselves from a multitude of threats.
- Share this article with staff and communicate the risks of fraudulent emails. Make sure that employees know what scams are out there and what to look for.
- Keep systems and software up-to-date.
- Employ an intrusion detection system that can flag suspicious emails. This can be a hardware appliance or a software application.
- Be vigilant of email conversations where the “Reply-To” address is different from the “From” address.
- Inspect all e-mail requests for irregular transfers. Remember, invoking a sense of urgency is a common trick used by scammers to prevent lengthy analysis. Don’t give in to the pressure that the email is trying to impose.
- Come up with a system for quickly identifying potential threats. It may be that you color-code emails from external accounts in red and emails from internal accounts in blue.
- Apply preventative measures such as two-factor authentication for all wire transfers, or implement the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard, which validates the sending domain of an email.
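The header checks in the list above (a “Reply-To” that does not match the “From” address, lookalike sender domains, and the urgency language scammers rely on) can be automated. The script below is an added example and is not code from the article or from Beazley; it uses only the Python standard library. The trusted domain `example.com`, the list of pressure words, and both sample messages are constructed assumptions for the demonstration and should be replaced with your own values.

```python
"""Header and wording checks for suspected BEC emails (added example, not the article's code)."""
import email
from email import policy
from email.utils import parseaddr

# Assumption: the organisation's own mail domain. Replace with your real domain.
TRUSTED_DOMAIN = "example.com"

# Constructed list of pressure phrases; the article names urgency and confidentiality as tactics.
PRESSURE_WORDS = ("urgent", "immediately", "asap", "right away", "confidential")


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if there is none."""
    _, address = parseaddr(str(header_value))
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot domains one or two characters off ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_trusted(domain: str) -> bool:
    """True when a domain is close to, but not, the trusted domain (e.g. examp1e.com).

    Our own domain and its subdomains are never flagged.
    """
    if domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN):
        return False
    return 0 < edit_distance(domain, TRUSTED_DOMAIN) <= 2


def check_message(raw: str) -> list[str]:
    """Return human-readable findings for a raw RFC 822 message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # 1. Reply-To pointing at a different domain than From: replies would leave the company.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 2. Sender domain that imitates ours (typo-squat or digit substitution).
    if looks_like_trusted(from_domain):
        findings.append(f"From domain '{from_domain}' resembles trusted domain '{TRUSTED_DOMAIN}'")

    # 3. Pressure language in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample in the style of CEO fraud; not a real capture. The .invalid TLD is reserved.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@webmail.invalid
To: finance@example.com
Subject: Urgent wire needed today
Content-Type: text/plain

Hi, I need you to process a wire immediately. Keep this confidential.
"""

# Constructed sample of an ordinary internal message.
BENIGN = """\
From: Bob Smith <bob.smith@example.com>
To: finance@example.com
Subject: Q2 expense report attached
Content-Type: text/plain

Hi, here is the report we discussed on Monday.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", check_message(sample) or "no findings")
```

Run it over messages exported from a mailbox or mail gateway and route anything with findings to the color-coded or manual-review process described above. These checks are a complement to DMARC, not a replacement: DMARC tells receiving servers what to do when a message claiming to come from your domain fails authentication, whereas the script catches messages that arrive legitimately from a domain that merely resembles yours or that quietly redirect replies elsewhere.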
There is no way to become completely immune to attacks. However, arming yourself and your staff with the right information can vastly reduce the risk of compromise. Taking time to question what comes into your inbox could potentially protect your private data. If you would like more information on how to keep your business safe, please contact our experts!