An old scam that keeps reinventing itself with new victims. Don’t become a victim!
You’ve probably heard the classic business email compromise (BEC) scam about Nigerian princes who want to deposit money in people’s bank accounts—but first need their prey to send them money to make it all work to plan. This scam has been circulating a long time. Unfortunately, it’s also one that keeps reinventing itself along with another batch of unwitting victims. In fact, it happens so often, BEC scams currently outdo ransomware as the most damaging cyberattack in the world.
In fact, according to the FBI’s Internet Crime Complaint Center (IC3), in 2020, losses from BEC exceeded $1.8 billion—that’s a fourfold increase since 2016! The number of BEC incidents also rose by 61% between 2016 and 2020. Using tactics that play off real-time world events, such as COVID-19 and disaster relief, or the trust of established interpersonal relationships, criminal elements have managed to stay ahead of the good guys with increased sophistication and swiftness.
- An email scam bilked Peterborough, NH taxpayers out of $2.3 million and nobody at Town Hall ever noticed email misspellings or discrepancies that could have signaled a crime in progress.
- The town of Franklin, MA lost $522,000 in a sophisticated cyber fraud spear phishing attack.
- UMass Memorial Health sent a notice to patients that over 200,000 patient records were exposed to unauthorized access after a limited number of UMass employee's email accounts were accessed by outsiders.
- Many local businesses hit by scams that don't make the headlines.
To protect yourself and your business from these types of attacks, employee education is essential. For example, if someone in your accounts payable department receives an email from a business partner requesting you alter established wire transfer information, be sure your staff are trained to recognize the request as a red flag and confirm directly with their point of contact details of the change (NOT via email!). It seems second nature, but when people are busy and working against deadlines, it’s easy to miss a well-disguised trick. Setting up a formal cybersecurity training program (ask us for a demo!) or simply making a point to discuss cyber security regularly at staff meetings can make a big difference.
From a defense in-depth perspective, it’s also essential to ensure you have a layer of threat detection in place to help identify malicious behavior, alert of the threat, and inform the correct response and remediation measures. This would include:
Monitoring for anomalous behavior, both on-premises and in the cloud
BEC threats rely on looking like normal user activity. With an increase in remote work, companies are relying more on cloud services like Microsoft Office 365 which puts data into a complex environment that's often under-protected. Once threat actors can get access to Office 365, getting to the important data is just a few clicks away. Traditional perimeter security tools, such as firewalls, aren’t able to monitor suspicious activity in cloud-hosted applications like Office 365, SharePoint, or OneDrive. The same applies to monitoring of your endpoints for suspicious activity. If a threat actor slips past perimeter defense and acquires user credentials, it will be difficult to identify threats that appear as typical activity.
Having enough IT Security support
When something nefarious goes down, you need to know immediately. Too many businesses lack the ability to dedicate staff to monitoring of their environment. If an alert goes off, the time lost until someone sees it and makes sense of it could be the difference between defense of the business or catastrophic damage. Managed threat detection and response can be a force multiplier if you are unable to monitor your environment.
While there are many aspects to improving your defense in-depth, the following from the FBI act as good and effective tips to share with employees to help elevate everyone’s awareness of how to avoid business email compromise attacks.
- Be skeptical—Last-minute changes in wiring instructions or recipient account information must be verified. This is a big red flag.
- Don't click it—Verify any changes and information via the contact on file—do not contact the vendor through the number provided in the email.
- Double check that URL—Ensure the URL in the email is associated with the business it claims to be from.
- Spelling counts—Be alert to misspelled hyperlinks in the actual domain name. Often a very subtle difference like an extra character or a "zero" instead of an "O" can big the difference.
- It's a match—Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it's coming from.
- Pay attention—Often there are clues with business email compromise, for example:
- An employee who does not normally interact with the CEO receives an urgent request from them
- Data shows an employee is in one location at 1 p.m. but halfway around the globe 10 minutes later (Sometimes referred to as a "Superman Login").
- Activity from an employee who is supposed to be on vacation (cyber criminals could be monitoring social media where people love to post about their travels.
- If you see something, say something—If something looks awry, report it to your managed service provider or IT Security supervisor. Scammers typically hit multiple people in a company and you could help divert additional threats. And if you have been a victim of BEC, file a detailed complaint with IC3.
To learn more about business email compromise threats and defense against them, Ekaru can provide you with guidance, education, and technology to strengthen your security posture.
The headlines can be overwhelming at times, but there are plenty of smart and affordable actions small businesses can take to be more secure. Give us a call and get started!