Business email compromise – when defying an ‘executive’ is the right thing to do

20th June 2019 | By Mouseworld Now Correspondent |

 

By Nilesh Jain, Vice President, Southeast Asia & India, Trend Micro

Email security is a top-of-mind concern for many organizations, with business email compromise (BEC) gaining prominence as one of the lethal tactics adopted by cybercriminals to attack enterprises. Law enforcement agencies worldwide have been keeping a close watch on BEC scams as a result of the increasing losses year on year. According to the Federal Bureau of Investigation (FBI), BEC had cost companies nearly $12.5 billion in losses as of 2018. On average, one successful BEC attack can cost the company $130,000. We reported that the number of BEC attacks in 2018 increased by 28 percent globally.

Falling victim to a BEC scam has long been a problem that generally arises from human negligence and our natural inclination to do what someone in authority asks of us. Because these scams do not have any malicious links or attachments, they can evade traditional detections. These two factors make BEC a persistent threat for enterprises. Before we delve into what measures an enterprise needs to take to mitigate risks associated with BEC, it is important to know how it works.

At its core, BEC is a form of spear phishing where an attacker, by pretending to be a high-ranking executive – usually the CEO – attempts to trick a victim – usually the CFO – into paying a fraudulent invoice. To do so, fraudsters carefully research and closely monitor the potential target victims – both the spoofed executive and the one issuing the payment – and their organizations. The tone of the email is usually urgent.

It is also observed that most BEC attempts happen in countries with established business hubs and those that see a lot of multinational business operations.

BEC persists and new trends arise

In India, we blocked some 1.5 billion email threats in 2018. BEC, as a form of email-based scam, remains a very potent and lucrative means of funneling money from companies. As per our security predictions for 2019, BEC scammers will target employees further down the company hierarchy this year, for example, secretaries or executive assistants.

In what appears to be a product of masterful social engineering, BEC scammers are also reportedly using domestic money mules recruited via confidence or romance scams. After grooming these victims, scammers trick them into opening accounts that will be used only for a short term, presumably to avoid being tracked by the authorities. Another phenomenon noticed is that some BEC victims are tricked into purchasing gift cards. In this BEC variation, a cybercriminal posing as a person in authority may contact the victim through a spoofed email, phone call, or text, asking them to buy gift cards for personal or business purposes.

Gearing up against BEC threats

Businesses are advised to stay vigilant and educate employees on how not to fall victim to BEC scams and other similar attacks. It’s true that cybercriminals usually prefer big companies but there’s little guarantee that small and medium-sized enterprises won’t get hit. For one thing, smaller companies tend to have less robust security infrastructure in place.

Here are some tips on how to stay protected and secure:

  • Be wary of irregular emails that are sent from C-suite executives authorizing an urgent payment. Look for discrepancies in the email address, the way it is written, the sign-off, and more. Review past emails that request transfer of funds to determine if this one is irregular.
  • Cybersecurity awareness training and enforcing best practices against email threats can help employees stay alert and not fall prey to these attacks.
  • Verify any changes in vendor payment details by using a secondary sign-off by company personnel.
  • Stay updated on your customers' and vendors' habits, including the details of and reasons behind payments.
  • Confirm requests for transfer of funds. When using phone verification as part of two-factor authentication, use known, familiar numbers, not the details provided in the email request.
  • If you suspect that you have been targeted by a BEC email, report the incident immediately to law enforcement or file a complaint with the cybercrime department.
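
The first tip above (look for discrepancies in the email address and the way the message is written) can be partly automated. The following is an added example, not part of the original article or any Trend Micro product: it flags an executive's display name paired with an unfamiliar address, a lookalike sender domain, a mismatched Reply-To, and urgent payment wording. The organisation domain, executive directory, keyword list and sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
# Assumed, constructed values: the organisation's domain, executives, keywords.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY = ("urgent", "immediately", "wire transfer", "invoice", "gift card", "confidential")

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw):
    """Return the list of BEC warning signs found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.append("executive display name with unfamiliar address")
    if domain not in ORG_DOMAINS and any(0 < edit_distance(domain, d) <= 2 for d in ORG_DOMAINS):
        flags.append("lookalike sender domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        flags.append("Reply-To domain differs from From")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [k for k in URGENCY if k in text]
    if len(hits) >= 2:
        flags.append("urgent payment language: " + ", ".join(hits))
    return flags
# Constructed sample messages (not real mail).
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jd.office@mailbox.invalid
Subject: Urgent invoice

Please process this wire transfer immediately and keep it confidential.
"""
GENUINE = """From: Jane Doe <jane.doe@example.com>
Subject: Q3 board deck

Slides attached for Thursday.
"""
```

Flags like these are a prompt for the out-of-band verification described in the other tips, not a verdict on their own.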

Organizations should consider using a multilayered identification process for transferring resources and invest in smart email protection. There are advanced security technologies available now that can prevent users and organizations from falling for BEC attacks. For example, by studying and learning the unique ways executives compose their emails, a new AI-based technology is able to pick up on tiny details that set authentic emails apart from fraudulent ones, leading to better detection of BEC scams.

BEC is here to stay, with Gartner predicting that through 2023, business compromise attacks will be persistent and evasive, leading to large financial fraud losses for enterprises and data breaches for organizations.

 

(Author Bio: Nilesh Jain is Vice President, Southeast Asia & India, Trend Micro)

 
