A standard phishing scam has evolved into Business Email Compromise (BEC) attacks. Learn the new ways hackers are out to get your data and how your business can fight back.
Phishing attacks are no longer always the cut-and-paste, mass-email blitz affairs of the past. Now, cybercriminals target specific individuals with carefully crafted fake content designed to gain access to anything from company funds to employee tax data.
A 2018 public service announcement from the FBI revealed that Business Email Compromise (BEC) attacks had soared by 136 percent from 2016 to 2018 and affected all 50 states. Globally, BECs have struck in 150 countries and cost more than $12.5 billion. These huge losses are due in part to the often high-profile, financially influential status of BEC victims.
How hackers use BECs
Criminals are targeting CEOs or other key personnel, including those with accounting clearance to access payroll or wire data. To do this, BECs have gone beyond the older style of phishing attacks where a single message was mass-produced and sent to many people in the hope that a few would be fooled. BECs are target-focused, making highly specific social engineering an increasingly used tool in the hacker’s arsenal.
Social engineering is a triple threat to potential victims. First, hackers conduct deep research on an individual via their social media profiles, business profiles, and other online trails to decide whether they’re a suitably influential target who, if manipulated, could help the hackers achieve their goals.
The second stage is the creation of a fake account (or the hijacking of a legitimate one) to contact the target and open a line of communication. This leads either to a gradual building of trust that draws out further sensitive information, or to a false sense of urgency that pushes the target to comply with requests for data, which is then exploited.
Why beating BECs means patching people
The third aspect of a BEC attack is the most difficult to guard against because the defense depends on people not making mistakes. In today’s hyper-social online space, it’s all too easy for a target to start talking to someone under the guise of business matters, shared interests, or friendship—especially if the hacker is presenting themselves as a legitimate business or even a member of the target’s own company.
The general public may know a few cybersecurity basics, such as not clicking on email links without verifying them first. But BECs circumvent this by rarely using embedded links, which helps them slip by email spam filters and adds another layer of fake legitimacy to lure the target.
Criminals know that “hacking” vulnerable human nature is much easier than breaking through ever more complex digital security. Businesses need to educate every team member from top to bottom on how to effectively “patch” their human vulnerabilities and accept that cyber awareness is an ongoing battle.
Companies who regularly make wire transfers or do business with overseas entities must be particularly wary of BECs, but businesses of all types and sizes should be concerned.
Even giants like Facebook and Google have fallen victim to these attacks. A case concluded this year revealed that Google had been defrauded of $23 million and Facebook of $99 million by a criminal group posing as a hardware business and claiming the two companies owed it funds.
Basic tips on how companies can protect against BECs
The social engineering that BECs rely upon can be addressed in two ways. First, companies should draw a firm line between the personal and the professional by ensuring that company business is never discussed or conducted via personal emails or social media.
Second, proper safety etiquette for any personal social media should be followed to minimize exposure of exploitable information. This means keeping private any details the public has no need to know. Someone who identifies as an accounts manager on Facebook may suddenly acquire a few “friends” who are anything but, for example.
Businesses should implement multi-factor authentication on all email accounts to make it more difficult for hackers to gain control and steal identities. Any outgoing email which contains sensitive data should comply with a company security plan; at the very least, multiple parties should be involved in authorizing any such transmission.
The importance of DMARC
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication system in which sending domains and receiving mail servers cooperate to cut back on domain spoofing. DMARC provides an important fourth layer of verification after emails have passed through spam, DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) checks, and helps receivers establish whether a message really comes from the domain it claims to.
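The paragraph above describes DMARC as a layer that sits on top of SPF and DKIM. The Python below is an added illustration, not code from the original article or from CyberGuard360, of the decision a receiving mail server makes at that layer: it parses a DMARC policy record, checks whether the SPF and DKIM results are aligned with the domain in the From header, and returns the disposition the domain owner asked for. The DMARC record, the domain names (example.com, attacker-owned.test, examp1e.com) and the three sample messages are all constructed for the example; the organizational-domain logic is simplified and a real implementation would use the Public Suffix List.

```python
import re

# Constructed DMARC TXT records, keyed by the _dmarc subdomain a receiver would query in DNS.
# These are illustrative values for a hypothetical domain, not real DNS data.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict, applying the default (relaxed) alignment modes."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless the owner says 's'
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless the owner says 's'
    return tags


def organizational_domain(domain):
    """Simplified: keep the last two labels. Production code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(authenticated_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return authenticated_domain.lower() == from_domain.lower()
    return organizational_domain(authenticated_domain) == organizational_domain(from_domain)


def from_domain_of(from_header):
    """Extract the domain of the address in a 'Display Name <user@domain>' From header."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def evaluate_dmarc(msg):
    """Return (dmarc_result, disposition) given SPF/DKIM results the receiver already computed."""
    from_domain = from_domain_of(msg["from"])
    txt = DMARC_TXT.get("_dmarc." + from_domain)
    if txt is None:
        # No policy published for this domain: DMARC has nothing to enforce.
        return "none", "none"
    policy = parse_dmarc_record(txt)
    spf_ok = msg["spf"] == "pass" and is_aligned(msg["spf_domain"], from_domain, policy["aspf"])
    dkim_ok = msg["dkim"] == "pass" and is_aligned(msg["dkim_domain"], from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


# Constructed sample messages, with authentication results as a receiving server would record them.
SAMPLES = {
    # Genuine mail: DKIM signed by example.com, SPF passed for a subdomain (relaxed alignment).
    "legitimate": {"from": "CEO <ceo@example.com>",
                   "spf": "pass", "spf_domain": "bounce.example.com",
                   "dkim": "pass", "dkim_domain": "example.com"},
    # Spoofed From header: SPF passed only for the attacker's own sending domain, no DKIM.
    "spoofed_from": {"from": "CEO <ceo@example.com>",
                     "spf": "pass", "spf_domain": "attacker-owned.test",
                     "dkim": "none", "dkim_domain": ""},
    # Fake account on a separate, attacker-registered domain: no policy exists for it.
    "fake_account_domain": {"from": "CEO <ceo@examp1e.com>",
                            "spf": "pass", "spf_domain": "examp1e.com",
                            "dkim": "none", "dkim_domain": ""},
}


def run_samples():
    """Evaluate every sample and return {name: (dmarc_result, disposition)}."""
    return {name: evaluate_dmarc(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (result, action) in run_samples().items():
        print(f"{name:20s} dmarc={result:5s} disposition={action}")
```

The first sample passes, the second is rejected because neither SPF nor DKIM is aligned with example.com, and the third shows the limit of DMARC that matters for BEC: a fake account on a domain the attacker controls has no policy to fail, so the message is not rejected. That is why the article treats DMARC as one layer and still puts its weight on training, multi-factor authentication and multi-party approval of sensitive transfers.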
Businesses can get involved via the DMARC resource site and participate in the project’s ongoing development.
CyberGuard360 can help fight BECs
We can help protect your business emails by implementing various services, including these three: security policy templates and management, awareness training for your team, and simulated phishing attacks. PG360 starts by tackling the biggest issue—employee vulnerability—and then builds a security framework that educates and regularly tests your team to confirm that the lessons have been learned.
Our simulated attacks assess your email security in the ways that count. Employee email safety performance and much more vital information can then be accessed in an easy-to-read dashboard which alerts businesses to problem areas which need immediate attention.
We’ve built our business on education, prediction, and prevention—and we are eager to partner with you to shield your interests and give hackers a hard time. Compare our solutions with others and feel free to connect with us at the link below.
At CyberGuard 360, our clients are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education, training, and disaster recovery. Call 844-315-9882 or complete our contact form.