2017 Cybersecurity Forecast: Email Attacks

The golden rule of email security is this: If you get an email from someone you don’t recognize, don’t open it. Employees are pretty good at following this rule and keeping an eye out for suspicious hyperlinks and email attachments, ridiculous promotions, and typos. But will they ever get wise to a fraudulent email that appears to come from a manager, business partner or even the CEO?

In this week’s installment of our cybersecurity forecast, we look at the Business Email Compromise (BEC) attack, a simple, yet effective assault on your company that is sure to remain a threat in 2017.

An attractive cybercrime

BEC, also known as “CEO fraud” or the “Man-in-the-Email” attack, is a scam where fraudsters craft emails impersonating high-level executives to trick employees into transferring large sums of money or disclosing sensitive information to nefarious operators. The attack requires almost zero programming knowledge. Perpetrators need only a fair amount of research on their target to create a convincing lie -- and even that is as straightforward as a few search engine queries and some social media stalking.

But what’s truly alarming about these attacks is how much damage they can inflict on business bank accounts. The average payout for a successful BEC attack is $140,000, whereas a sophisticated ransomware attack could extort only around $30,000. Reports from Trend Micro also indicate that email fraudsters are able to net upwards of $75 million in just six months.

Worse still, BEC scams are usually executed by international criminal groups, which makes it difficult for cybercrime enforcement agencies to identify and prosecute email fraudsters. In fact, it took Interpol over two years to apprehend a Nigerian national who committed over $60 million in email scams.

All in all, the simplicity of these low-risk scams, coupled with their huge payout, will keep CEO fraud a popular attack vector for both high-tech and non-technical cybercriminals.

Prevention

Unlike traditional phishing scams, BEC attacks are much harder to detect. These emails don’t contain malicious file extensions, nor do they use URLs that redirect would-be victims to illegitimate websites. Businesses should still be able to block abnormal messages by using holistic anti-spam and web gateway solutions, but it’s often human error that leads to BEC infiltration.

Both executive and front-line staff should be trained to spot BEC attacks through security training seminars that cover the tell-tale signs, such as:

  • Spoofed email addresses, using a similar -- but misspelled -- company email domain (e.g., user@ggmail.com)
  • Out-of-the-ordinary wire transfer requests from executives and vendors
  • Emails that urge the target to wire the money as soon as possible
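
The three signs above can also be checked automatically before a message reaches an inbox. The following is an added example, not code from the original post or from Intelligis; it assumes a constructed company domain (example.com), flags sender domains that are only one or two edits away from it, and looks for wire-transfer and urgency wording in the subject and body.

```python
import re

# Constructed for this example: the organisation's real mail domain.
COMPANY_DOMAIN = "example.com"

WIRE_TERMS = re.compile(r"\b(wire transfer|wire the|bank transfer|payment)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(urgent|asap|as soon as possible|immediately|today)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a near-miss (lookalike) domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(sender: str, subject: str, body: str) -> list:
    """Return the tell-tale BEC signs present in one message (empty list if none)."""
    found = []
    domain = sender.rsplit("@", 1)[-1].lower()
    # Not our domain, but within two edits of it: a spoofed lookalike (cf. ggmail.com).
    if domain != COMPANY_DOMAIN and 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        found.append("lookalike-domain")
    text = subject + " " + body
    if WIRE_TERMS.search(text):
        found.append("wire-transfer-request")
    if URGENCY_TERMS.search(text):
        found.append("urgency")
    return found


# Constructed sample messages, not real mail.
SAMPLES = [
    ("ceo@examp1e.com", "Quick favour", "Please wire the $48,000 to the vendor today, I'm in meetings."),
    ("ceo@example.com", "Board deck", "Attached is the draft for Thursday's meeting."),
    ("ap@example-invoices.net", "Invoice 2291", "Updated bank transfer details for this invoice, ASAP."),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLES:
        print(sender, "->", bec_indicators(sender, subject, body) or "clean")
```

Note that the third sample escapes the lookalike check because its domain differs in shape rather than by a typo, which is why the wording checks and a verification policy are needed alongside domain matching.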

Of course, scammers will likely mix up their strategies to throw businesses off guard. That’s why companies must set stringent policies regarding wire transfers, which include detailed verification procedures and limits on larger transactions.

No matter the size or industry, all businesses are viable targets for email scams. With a strong combination of security protocols, policies, training, and of course, support from security professionals, companies will be able to avoid more than just CEO fraud.

To protect your business against email scams, ransomware, and denial-of-service attacks, visit www.intelligis.com, a trusted IT services provider in Atlanta.

Unfortunately, BEC isn’t the only attack focused on stealing your hard-earned cash. Stay tuned next week to find out about how business process compromise (BPC) threats can affect your organization.