Hikvision Senior Director of Cybersecurity on Phishing Scam: Business Email Compromise
Four Hikvision Tips to Boost Cybersecurity and Reduce Risk
The world of cybersecurity has some pretty creative and interesting terms to describe a wide range of attacks such as phishing, juice-jacking, rainbow tables, credential stuffing, and botnet. Today we’ll cover risks associated with Business Email Compromise (BEC), a phishing attack that is simple to execute and can be very costly to the victim.
BEC is a type of phishing attack with the goal of tricking the victim into sending money to the attacker. According to a 2018 FBI report, BEC attacks have earned scammers over $12 billion.
Five Types of BEC
The website Phishprotection.com reports that there are five types of BEC, outlined below:
- Bogus Invoice Scheme: When a business that has a long-standing relationship with a supplier is requested to wire funds for invoice payment to an alternate, fraudulent account.
- CEO Fraud: When the compromised email account of a high-level executive is used to request a wire transfer to a fraudulent account.
- Account Compromise: When an employee of a company has their email account compromised and it’s then used to request repayment of an invoice by a customer to a fraudulent account.
- Attorney Impersonation: When victims are contacted by fraudsters identifying themselves as lawyers and are pressured into transferring funds to a fraudulent account.
- Data Theft: When fraudulent emails are used to request either wage or tax statement (W-2) forms, or a company list of personally identifiable information (PII).
With each of these attack methods, the victim is sent an email in an attempt to trick them into trusting the sender and either revealing sensitive information or transferring funds. Typically, the attacker does enough research to know the name and email address of their target, and the person in the company who would normally ask for large sums of money to be wired somewhere. We’ll call this person the requester. Often the target is the CFO and the requester is the CEO.
In practice, the BEC attack is fairly simple. The attacker sends the target an email that appears to be from the requester. This email requests that a wire transfer be made to a specific account. If the attacker sends a well-crafted email and asks for an amount of money that doesn’t raise suspicion, they will likely reap the rewards of this scam. Below is a BEC email example.
These types of attacks have been happening for more than 10 years, but many people have never heard of them. As targets have become more savvy at identifying phishing attacks, the attackers have changed their approach.
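The pattern described above (a message that appears to come from the requester, asks for a wire transfer, and routes replies to the attacker) can be checked for mechanically before a human acts on it. The following is an added example, not code from the article or from Hikvision; it assumes a constructed internal domain, a constructed executive directory, and a constructed sample message, and flags the same indicators a mail gateway or SOC triage script would look at.

```python
"""Flag common BEC indicators in an inbound message (added example, not from the article)."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample values for this example; not from the article.
INTERNAL_DOMAIN = "examplecorp.com"
EXECUTIVES = {"jane doe": "jane.doe@examplecorp.com"}  # display name -> real mailbox
PAYMENT_WORDS = ("urgent", "wire", "transfer", "immediately", "confidential")


def bec_indicators(raw_message: str) -> list[str]:
    """Return human-readable warnings for a raw RFC 5322 message; empty list if none."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [w for w in PAYMENT_WORDS if w in text]
    warnings = []

    # 1. Display name of a known executive, but the address is not their real mailbox
    #    (covers lookalike domains such as examp1ecorp.com and free-mail accounts).
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        warnings.append(f"display name '{from_name}' used with {from_addr}, expected {real}")

    # 2. Reply-To silently redirects the conversation to another mailbox.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 3. Wire-transfer and urgency language in the body.
    if len(hits) >= 2:
        warnings.append("payment/urgency language: " + ", ".join(hits))

    # 4. A payment request that did not originate inside the organization.
    if hits and from_domain != INTERNAL_DOMAIN:
        warnings.append(f"payment request from external domain {from_domain}")
    return warnings


# Constructed sample in the CEO Fraud pattern: executive's name over a lookalike domain.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1ecorp.com>
Reply-To: ceo.office@mail-relay.example
To: cfo@examplecorp.com
Subject: Urgent wire transfer
Content-Type: text/plain

Please process this wire transfer immediately and keep it confidential.
"""
```

Run `bec_indicators(SAMPLE)` to see all four warnings fire on the sample; a message from the executive's real mailbox with no payment language returns an empty list, which is the point where the out-of-band verification step still has to happen.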
What Can You Do?
With a few small changes to your business processes, you can greatly reduce the risk of being a victim of a successful BEC attack. Below are four tips to help you boost cybersecurity:
- Education and Awareness: The most important thing you can do is to be aware of this type of attack. Understand that this happens a lot in the business world and make sure that your team knows how to identify these types of scams. Your company needs regular education and awareness training, whether your organization is small or large. Click to learn about an advanced phishing method called spear phishing.
- Test Your Employees: If your company does not have a cybersecurity education and awareness program that includes internal phishing tests of your employees, consider starting that project. The results are typically eye-opening, but studies show that regular testing of employees makes them much better at identifying phishing attacks.
- Verification Processes: Institute processes around money transfers that require secondary verification using a different communication method. For example, if a request comes in through email, verify with the requester over a phone call before transferring funds.
- Hire an Expert: Even small and medium-sized businesses are being targeted by BEC attacks. While a large corporation likely has a staff of cybersecurity experts on hand who mitigate attacks and manage an education and awareness program, small businesses likely do not. So find an expert. Here is a CSO magazine review of some of the top companies in this business. Listed below are a few companies to review to get you started on your search:
Remember that your email inbox is a dangerous place. Anyone in the world can send you an email. I’m sure you have a spam filter, but the spammers and phishers who are good at their job also have them, and they work hard to make sure their emails get past the filters. Read all email with the thought that it might not be what it appears to be, and respond cautiously.