Five worthy reads is a regular column on five noteworthy items we’ve discovered while researching trending and timeless topics. This week, we highlight the rising impact of man-in-the-email attacks on global businesses.
In case you weren’t aware, email isn’t as safe as it used to be. A recent email security risk assessment report by Mimecast suggested that out of 143 million emails that were inspected, one out of every 50 contained at least one malicious URL that wasn’t caught by a security system. The report also identified an additional 19 million pieces of spam, 15 million malware attachments, and 13 million dangerous file types that were not caught by enterprises’ incumbent email security perimeters.
Over the years, email has remained fairly consistent, if not a little boring. Businesses rely on email as a straightforward means of communication, but when it comes to email-based cyberattacks, there’s no lack of creativity. Evolving technologies let attackers hone their strategies to gain access to corporate data. In 2016, the FBI’s Internet Crime Complaint Center issued a warning about a sharp rise in man-in-the-email attacks targeting businesses, which they dubbed business email compromise (BEC).
In a typical BEC exploit, an attacker targets a company that uses wire transfer payments to transfer business funds. The attacker gains access to or spoofs a corporate email account by using social engineering, phishing, or a combination of both, then uses the authenticity of that account to either initiate a money transfer directly or convince another individual to initiate a transfer. An alternate approach to this attack is to compromise a company’s host email server or machine, then intercept business transactions, including any direct payments made by the parent organization through wire transfer.
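The spoofed-account and look-alike-domain tactics described above leave traces in the message headers that a mail gateway or a finance team's triage script can check. The following is an added example, not code from the original column; the corporate domain, the executive names and the sample message are all constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and the executives
# whose names are most often impersonated in payment requests.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def _edit_distance(a, b):
    # Plain Levenshtein distance, used to spot look-alike domains such as examp1e.com.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw):
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    flags = []
    # 1. An executive's name in the display name, but the address is external.
    if name.lower() in EXECUTIVES and from_dom != CORP_DOMAIN:
        flags.append("executive display name on external address")
    # 2. Sender domain is close to, but not equal to, the corporate domain.
    if from_dom != CORP_DOMAIN and 0 < _edit_distance(from_dom, CORP_DOMAIN) <= 2:
        flags.append(f"look-alike domain {from_dom}")
    # 3. Replies would be routed somewhere other than the apparent sender.
    if reply and _domain(reply) != from_dom:
        flags.append("Reply-To domain differs from From domain")
    # 4. Our own domain in From without dmarc=pass: the gateway did not rule out spoofing.
    auth = msg.get("Authentication-Results", "").lower()
    if from_dom == CORP_DOMAIN and "dmarc=pass" not in auth:
        flags.append("internal sender without dmarc=pass")
    return flags

# Constructed sample: a wire-transfer request from a spoofed executive.
SAMPLE = """From: Jane Doe <ceo@examp1e.com>
Reply-To: Jane Doe <jane.doe.ceo@webmail.example.net>
Subject: Urgent wire transfer

Please process the attached invoice today. I am in meetings, reply by email only.
"""
```

Running `bec_indicators(SAMPLE)` raises three of the four indicators; in practice any hit on a message that requests a payment or a change of bank details should route it to out-of-band verification rather than to the inbox.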
That said, let’s look at some interesting reads from across the internet on the rising concerns of BEC attacks:
- How to Recognize a Business Email Compromise Attack
BEC is a type of phishing scheme in which an attacker impersonates a high-level executive and attempts to trick an employee or customer into transferring money or sensitive data. This crime is particularly stealthy because it employs social engineering techniques to manipulate users.
- FBI: Business Email Compromise is a $5 Billion Industry
The FBI said that it only began tracking business email compromise (BEC) attacks as a unique crime type in 2017, but that it has recorded a massive increase in incidents of business and other types of email account compromise attacks, which may be responsible for $1.6 billion in losses in the U.S. since 2013 and $5.3 billion globally.
- How are tech support scams using phishing emails?
Threat actors are using phishing email campaigns to fool users with tech support scams and fake Blue Screens of Death. Learn how these campaigns work with expert Nick Lewis.
- Business Email Compromise Schemes: Most Seek Wire Transfers
Last month, the FBI’s Internet Crime Complaint Center, or IC3, said that based on fraud reports submitted from October 2013 to May 2018, 41,058 total U.S. victims of BEC schemes collectively lost at least $2.9 billion, while global losses were more than four times that amount.
- C-suite is a weak link when it comes to email-based attacks
Organizations can’t get around using email, and 90 percent of organizations have seen phishing attacks rise or stay the same over the last year. While humans have long proven to be the weakest link in an organization’s security chain, C-suite and C-level executives are some of the least cyber-aware individuals in an organization.
Since employees, especially the C-level executives, can be socially engineered to perform actions that will cost their organizations dearly, using only security tools and controls to prevent cyberattacks isn’t sufficient. What organizations need to do is hold periodic end-user training to mitigate the risk of BEC attacks.
In addition to education, employing certain security measures such as two-factor authentication can help curb BEC attacks. Stringent security policies provide multiple levels of control for approving financial transactions, which translates to attackers needing to target multiple controllers to successfully legitimize their defrauding attempts.
The war against cyberattacks is a never-ending process. With evolving technologies, attackers will find new ways to breach organizations’ security perimeters and exploit corporate data. However, with the right knowledge, security policies, and solutions in place, combating and mitigating these scams will get easier over time.