How to detect and protect yourself from Business Email Compromise
11 October 2017
Who sits on the cybercrime throne?
By now, we’re all aware of Ransomware and the damage it can cause to a business. It’s been the scourge of many an organisation over the last 24 months or so, and no business, regardless of size, is excluded from its reach. In terms of email-borne cyber threats, it’s king, or so many people believe…
Ransomware is a cash cow for cybercriminals. In 2016, ransomware attacks took in around $1BN [1]. Despite gathering attention in the security world, it’s by no means the most profitable form of attack. There’s a possible usurper for the throne: a lower-profile but potentially more devastating form of cyberattack that relies on phishing techniques rather than the encryption seen in a Ransomware attack. What’s more, it’s estimated that this form of cybercrime brought in $1.7BN in 2016, almost double the takings of Ransomware [2]. Its name? Business Email Compromise.
BEC: The beast with many names
Business Email Compromise (BEC) has many variants and names, including CEO fraud, whale phishing, and imposter email. Regardless of what it’s called, BEC always comes down to the same thing: successfully deceiving the victim into believing that an email has come from a key business stakeholder, so that they fulfil the request outlined in it. This normally boils down to either sending sensitive personal data to the imposter, or wiring a large amount of cash to a bank account the imposter specifies.
Business email compromise is a prime example of phishing at its best. Cybercriminals using BEC techniques often “groom” their victim over an extended period of time by sending a series of spear phishing emails. Gradually, a rapport is built up, strengthened further by readily available information online and on social media sites. When the fraudster then sends the email requesting an exchange of information or a payment, the victim is far more likely to comply with the illicit request, at great cost!
How can you detect and protect yourself from Business Email Compromise?
The most successful of these fraudsters aren’t amateurs. They’re wily, master deceivers who have a knack for duping even the most experienced employees. Their targets are chosen intelligently, and according to FBI analysts, attackers may spend months studying a business’s systems, stakeholder email styles, and even travel schedules.
Although BEC scams are often supported by malware that allows a business network to be compromised, this isn’t always the case. Social engineering is what makes BEC successful, so it’s vital that employees are aware of the threat. Ensuring your employees can spot the tell-tale signs of BEC and similar styles of attack is a vital part of a business security programme, yet it is one that is often overlooked. At Prodec Networks, we call it being #clickclever, and it’s something we’ve talked about again, and again, and again.
How can you ensure your employees are #clickclever?
Awareness of cyber threats is key. Cybersecurity isn’t an IT issue, it’s a company issue, and anybody can be the weak link. Raising awareness and highlighting the damage that attacks such as BEC and Ransomware can cause to businesses will naturally raise employees’ suspicion levels when they use email. Thinking twice before clicking on a link can be the deciding factor in whether a cyber-attack succeeds or not.
The best way of protecting yourself from BEC is by asking the question: “is it really you sending this email?”. Regardless of grooming and social engineering, employees should have built up an understanding of the types of requests a C-level employee would make. There’s no harm in double checking whether a request is genuine, ideally through a separate channel such as a phone call rather than by replying to the email. If in any doubt, ask the question. It might save a lot of trouble down the line!
Beat phishing with phishing
A great way of raising awareness of threats of this nature is by sending simulated “phishing attacks” to your own employees; after all, there’s no better way of learning than seeing it first-hand. Sending users realistic examples of cyber attacks and following up with training and awareness programmes can mitigate the threat of phishing, protecting your data and even your money from loss or theft.
The greatest cybersecurity systems are only as strong as their weakest link. For many organisations, the weakest link is an untrained employee, unaware that they could be a stooge in a grand cyber-heist until it’s too late. Cybersecurity solutions must operate successfully alongside employee security awareness and training to ensure the most success.
[1] Cisco, "2017 Midyear Cybersecurity Report"
[2] CSO Online, "Ransomware took in 1 billion dollars in 2016"