The wolf in sheep’s clothing: business email compromise & what you need to know
When an email comes from a member of your organisation’s leadership team (such as the CFO, for example) requesting certain actions be taken, would your staff question its validity or would they carry out orders due to the senior status of the sender?
If an email looks authentic—if its sender is someone important and mentions current and accurate information—employees often carry out the instructions without much question. This is one of the increasingly common ways that cyber criminals deliver malware, ransomware, and steal money directly from, even thoroughly, secure organisations.
One of the most concerning findings of our 2017 Global Threat Intelligence Report is the rise in business email compromise (BEC) attacks that have been thriving across industry. This concerning when you consider a single BEC incident results on average in a loss of approximately $67,000.
Business email compromise impacts your business in various ways:
- Financial losses – because of fraudulent wire transfers
- Loss of important information and records – tax statements, personal information
- Damage to brand and reputation
Business email compromise is targeted phishing
Often when we think about cybersecurity and cyberattacks, what springs to mind is malware-type attacks where corrupted files downloaded onto a server get behind the firewall and inflict various kinds of damage on an organisation. Another type of attack that is often used to enable the malware, or damage the organisation more directly, is phishing. This style of attack can target many people in an organisation at once; often the goal is some level of access through a kind of ‘numbers game’. A receiver is asked to click on a link in an email, which takes them to a false login page where they unknowingly hand over their login details to a hacker.
Business email compromise is a form of phishing, but a highly selective and focused form of phishing, targeting one or two specific people in an organisation directly. In a typical case, the attacker impersonates a company executive and tries to convince an employee to transfer funds or important information to them.
Understanding is the first step to reducing the problem
Email is one of the most well-known entry points for cybercriminals into an organisation, and most employees start and end their days in their inboxes. This can lead to a naive or lax attitude when it comes to safe email practice, in a way that doesn’t happen in other environments; like logging into an online bank account, for instance. So, when their inbox becomes the scene of a BEC attack, your users can get caught out.
Most of your employees will be able to recognise an email with a questionable link or attachment from an unknown source and flag it as potentially dangerous. BEC is more insidious, however. As mentioned above, a BEC attack is an email from an imposter, likely using inside information or other social engineering techniques to appear as believable as possible.
Here are some tips to avoid business email compromise:
Be conscious of your information footprint
Many members of senior management in large companies are encouraged to maintain a presence on social media. Therefore, they are often tweeting and posting updates about their activities and location, etc. This gives a prospective BEC attacker ample information to target someone in your organisation. They know who the executive is, where they are in the world, how long they will be away, the purpose of the trip, who they would likely be communicating with back in the office, etc. The attacker can personalise a BEC attempt leveraging all this information, increasing the chances of success.
Awareness starts at the top
Executives need to understand that they are attractive targets of cyberattacks. As one becomes more senior in an organisation, one’s value as a target rises. So, the C-Suite need to understand when and what not to post on their social media accounts, have a protocol, like multi-factor authentication in place for business processes like money transfer or asking for sensitive information, and keep up a regular communication with their team.
Employee education and training
It’s mainly entry-level employees that are recipients of BEC attempts and so it’s imperative that they are made fully aware of the potential risks in responding without first considering its legitimacy. Making sure they are equipped with the right level of training to detect an attempt is a good step in the right direction.
Know your enemy
The people who seek to do your organisation harm via cyberattacks are investing more than you think in targeting businesses of all sizes across every industry; they are advancing with more sophisticated threats all the time. These are highly organised operations using the latest cloud technology, which means they are light and flexible and difficult to pin down. The ‘underworld economy’ has set-up a mirror image of companies in the real world and continues to evolve their cyberthreat capacity. So, it’s more important than ever to make sure your organisation, including your executives, understand the threat levels and are prepared for the dangers.
To find out more about business email compromise, the risks, implications, and recommendations, download our 2017 report and see our latest research findings on global threat intelligence.