Over the last two years, the Internet Crime Complaint Center (IC3) has seen a 2,370% increase in actual and attempted Business E-Mail Compromise (BEC) losses, affecting businesses in all 50 states. Since October 2013, those losses total well over $5 billion.¹ You might think fraudulent e-mail activity is an IT problem, but really it’s an organization-wide issue. In order to help prevent breaches, it is imperative to educate and train every employee on how to identify a fraudulent e-mail.
Understand the Threat
In the context of information security, social engineering is the art of manipulating employees into providing confidential information or performing acts that could be harmful to the company. Social engineers (cybercriminals) have an arsenal of strategies to gather information, launch attacks and con victims through various e-mail schemes.
Phishing / Spear Phishing
Phishing is a common computer fraud technique that begins when a cybercriminal sends an e-mail making a claim that is designed to trick the recipient into providing personal information (such as a username and password). Regular phishing attacks use a “shotgun” approach by sending one generic e-mail to hundreds or thousands of potential victims. Spear phishing, on the other hand, uses a targeted approach aimed at specific individuals or organizations and relies on the use of personal information to make the e-mails appear more convincing and trustworthy.
BEC is a sophisticated attack that targets businesses of all types, but especially those that perform wire transfers. BEC can take a variety of forms, but most often begins with a fraudulent e-mail to employees with access to company finances. These cyber attacks focus on tricking employees into transferring funds or valuable private information directly to the cybercriminal.
These methods can look sophisticated and convincing. However, there are some telltale signs you can look for to identify potential threats and prevent attacks.
Stay Cautious. Be Proactive.
How many e-mails do you think you opened just today? For some, that number easily exceeds 50. Given the constant and frequent use of e-mail, it can be easy for employees to let down their guard and make mistakes. But one innocent mistake could throw an entire company into a cyber tailspin. While it’s important to regularly update computer networks, firewalls and anti-virus software, that’s just a starting point. In order to effectively manage cyber risk, the entire company needs to get involved. Train everyone – from CEOs to entry-level employees – on how to spot fraudulent e-mails. Practice multi-level authentication, and for financial requests accept only verbal confirmation from legitimate business partners reached at established telephone numbers. Encourage employees to use strong passwords and change them often, and make cyber risk awareness an ongoing discussion.
If you suspect your organization is the victim of a BEC scam, act quickly. Report it to your bank immediately and call your closest FBI office. Also, make sure to report the incident to the IC3 at www.ic3.gov. Delayed reporting could make it difficult to stop wire transfers and recover money.
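The article says there are telltale signs of a fraudulent e-mail and that financial requests should be confirmed verbally at an established telephone number, but it does not spell out what an automated first pass on an inbound message might check. The following is an added example, not code from the article or from SilverLink: a small triage routine that scores a message against a handful of commonly cited BEC warning signs (a familiar display name on a lookalike or unfamiliar sender domain, a Reply-To that redirects replies elsewhere, urgency language, and a phone number planted in the e-mail itself) and, for any financial request, returns the callback number from a pre-established contact directory rather than anything in the message. The heuristics, the contact directory, the phone numbers and the two sample messages are all constructed assumptions for illustration.

```python
"""Added example (not from the article): score an inbound e-mail for common BEC
warning signs and route financial requests to out-of-band verification.

Everything here is constructed: the warning-sign heuristics, the contact
directory, the phone numbers and the sample messages are assumptions for
illustration, not data from the article or any real organization.
"""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed directory of people/partners authorised to request payments.
# The phone number is the pre-established callback number: the one to dial,
# regardless of any number printed inside the e-mail.
KNOWN_CONTACTS = {
    "jane doe": {"domain": "example.com", "phone": "+1-555-0100"},   # assumed CEO
    "acme supplies": {"domain": "acme-supplies.example", "phone": "+1-555-0199"},
}

# Words that typically mark a request to move money or change payment details.
FINANCE_TERMS = ("wire transfer", "wire", "bank account", "routing number",
                 "invoice", "payment details", "transfer")
URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "in meetings")

PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{6,}\d")


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw):
    """Return a triage dict: warning flags, whether a verbal callback is required,
    and the directory phone number (never one from the e-mail) to use for it."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    flags = []
    sender_domain = domain_of(from_addr)
    contact = KNOWN_CONTACTS.get(display_name.strip().lower())

    # 1. A familiar display name on an unfamiliar (or lookalike) sender domain.
    if contact and sender_domain != contact["domain"]:
        if 0 < levenshtein(sender_domain, contact["domain"]) <= 2:
            flags.append("lookalike sender domain")
        else:
            flags.append("display name does not match known sender domain")

    # 2. Replies silently redirected to a different domain.
    if reply_addr and domain_of(reply_addr) != sender_domain:
        flags.append("reply-to domain differs from sender domain")

    # 3. Content of the request: money movement, pressure, planted phone number.
    financial_request = any(term in text for term in FINANCE_TERMS)
    if any(term in text for term in URGENCY_TERMS):
        flags.append("pressure to act quickly")
    if financial_request and PHONE_RE.search(body):
        flags.append("phone number supplied in the e-mail (do not use it for verification)")

    # Policy from the article: financial requests are confirmed verbally at an
    # established number. An unknown requester has no established number, so
    # callback_number is None and the request cannot be approved from e-mail alone.
    return {
        "from": from_addr,
        "financial_request": financial_request,
        "flags": flags,
        "requires_callback": financial_request,
        "callback_number": contact["phone"] if (financial_request and contact) else None,
    }


# Constructed sample messages (no real people, domains or numbers).
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.example
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/plain

I need you to send a wire transfer of $48,000 to our new vendor today.
Call me at 555-0123 if you need the details, I am in meetings all day.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch on Thursday
Content-Type: text/plain

Are we still on for lunch Thursday?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_LEGIT):
        print(assess_message(sample))
```

Run stand-alone, the first message is flagged on four signs and routed to the directory number +1-555-0100, while the second produces no flags and no callback. The design point is that the callback number always comes from the directory, so even a message that passes every heuristic cannot steer the verification call to a number the sender chose.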
Don’t Get Hooked!
¹ FBI Chicago Warns Area Business Owners of Business E-Mail Compromise Scam. November 9, 2017. FBI website. Accessed on November 29, 2017 at https://www.fbi.gov/contact-us/field-offices/chicago/news/stories/fbi-chicago-warns-area-business-owners-of-business-e-mail-compromise-scam
This article originally appeared in the 2017 | Issue Three of the SilverLink magazine, under the title “Caution: You’ve Got Mail”.