As a cyber security professional and you are asked about the biggest cybersecurity threats facing business, which one springs to mind first? Maybe it is relentless ransomware attacks, with cyber criminals encrypting networks and demanding vast sums for a decryption key, even from hospitals. Or maybe it is a devious malware attack, which lets hackers hide inside the network for months on end, stealing everything from usernames and passwords to bank details. To be sure, both are on the list. These are awful attacks to experience and can cause terrible damage. But there is another much simpler form of cyber-crime that makes scammers the most money by far and does not get the attention it deserves.[1]
The scale of business email compromise (BEC) attacks is clear: according to the FBI, the combined total lost to BEC attacks is $43 billion and counting, with attacks reported in at least 177 countries.
At the most basic level, the easiest scam is to find out who the boss of a company is and set up a spoofed, fake email address. From here, they send a request to an employee saying they need a financial transaction to be carried out quickly; and quietly. It is a very basic social-engineering attack and often it works. An employee keen to do as their boss demands could be quick to approve the transfer, which could be tens of thousands of dollars or more, especially if they think they will be chastised for delaying an important transaction.
In more advanced cases, the attackers will break into the email of a colleague, a boss or a client and use their actual email address to request a transfer. Not only are staff more inclined to believe something that really does come from the account of someone they know as scammers with the right malware can watch inboxes and wait for a real financial transaction to be requested. Then they send an email from the hacked account that contains their own bank details. By the time the victim realizes something is wrong, the scammers have made off with the money and are long gone.
What's most challenging about BEC attacks is that while it is a cyber-crime that is based around abusing technology, there's actually very little that technology or software can do to help stop attacks because it is really a human issue. Anti-virus software and a good email spam filter can prevent emails containing malicious links or malware from arriving in your inbox. But if a legitimate hacked account is being used to send out requests to victims using messages in emails, well….that's a problem. A problem because as far as the software is concerned, there is nothing suspicious to detect, as it is just another email from your boss or your colleague. And the money is not stolen by clicking a link or using malware to drain an account, it is transferred by the victim to an account they have been told is legitimate. No wonder it is so hard for people to realize they are making a mistake. The insurance industry calls this, ‘errors and omissions.’[2] Insurance is currently clamping down on cyber-fraud and blaming E&O as a reason to not pay a financial fraud claim.
But victim blaming is not the answer and is not going to help; if anything, it will most likely make the problem worse. What is important in the prevention of BEC attacks is ensuring that people understand what these attacks are and to have processes in place that can prevent money being transferred. In proper training, it should be explained that it is very unlikely that your boss will email you out of the blue asking for a very urgent transfer to be made with no questions asked. And if you do have concerns, ask a colleague or even better, talk directly to your boss to ask if the request is legitimate or not. It might seem counterintuitive, but it is always better to be safe than sorry.
Businesses should also have procedures in place around financial transactions, particularly large ones. Should a single employee be able to authorize a business transaction valued at tens of thousands of dollars? Probably not. It is not good security procedure. Businesses should ensure multiple people have to approve this type financial process. It is true this might mean transferring finances will take a little longer, but it will help ensure that money is not being sent to criminals. That business deal can wait a few more minutes. Technology can help to a certain extent, but the reality is these attacks exploit human nature.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.zdnet.com/article/your-biggest-cyber-crime-threat-has-almost-nothing-to-do-with-technology/
[2] “Errors and omissions” refers to a type of liability insurance. Errors and omissions insurance, also termed “E&O insurance,” provides policy-holding professionals with coverage against damage suffered as a result of the professional's errors and omissions in rendering professional services.
Comments