Email has completely changed the face of modern communications. Never before has a service provided the speed, convenience and ability to reflect back on past messages quite like email, which is why it's at the center of every successful business. Sadly, hackers have also recognized the importance of this technology and have decided to use it to their advantage.
While there are many email-based hacking techniques, one of the most frightening is business email compromise. A BEC scheme is where the cyber criminal gains access to the email account of a high-ranking employee that works at a targeted company. At some point, the malicious individual will use this account to send a fraudulent message, often asking for an unusual money transfer. Due to the fact that this request is coming from a known email address, people very often fall for the ruse and end up sending company funds directly to the hacker.
That said, you and your company can boost your ability to avoid such a financial disaster if you know what to look for.
The C-suite is the most vulnerable
Trend Micro has conducted a lot of research surrounding BEC, and we've come to realize that hackers generally tend to target a specific section of any company they plan to scam. Specifically, these cyber criminals are going after the executives. Our studies have shown that of the BEC cases we've observed in the past two years, 40 percent involved the email account of the company's CFO. What's more, 31 percent of these schemes relied on the power held by the CEO to persuade the victims of the message's validity.
To understand this, it's important to take an honest look at the general profile of a hacker. After stripping away the moral lapses of this group, you'll find that most hackers are intensely focused on efficiency. In most cases, breaking systems to make their lives easier is why these people got into computers and hacking in the first place. So, if the cyber criminal is going to have to put a bunch of work into cracking an email account, it makes sense for them to go after the person who can net them the largest gain from that effort. In most cases, this victim is either the executive handling the money or the one running the whole show, which are the CFO and CEO, respectively.
The interesting part about these findings is the fact that these executives are often the ones companies focus their attention on in terms of cyber security preparedness. Executives are generally given their own computers loaded up with security software from the IT team, which can work wonders at blocking intrusions until the CFO decides to provide his or her login information to a phishing email.
What can compromised companies expect to lose?
As it is with most cyber attacks, hackers want to get the most amount of money out of their efforts without raising too many alarms. Overall, BEC has caused a lot of monetary loss. These kinds of scams are so effective that between October 2013 and February 2016, companies lost roughly $2.3 billion to BEC, according to the FBI. The actual number could be much higher than this, as companies often don't want to report their losses to avoid embarrassment and damage to brand reputation.
FBI analyst Ellen Oliveto has stated the average company can expect to lose roughly $130,000 to a BEC scam. However, the true amount of money an organization will lose depends entirely upon how much the hacker thinks he can get away with. A certain aerospace company in Austria ended up firing its CFO and president after both became victims of BEC. According to SC Magazine contributor Adrian Bridgwater, this scam cost the company nearly €40 million, or around $43.8 million.
How can your company mitigate the risks?
Although it's important not to blame the victim here, the fact of the matter is that hackers will always be attempting to make money in nefarious ways. So, it's up to a company's administration to ensure every single employee knows what BEC is and what their role in such a scam would be. Executives need to be trained about the importance of email security, especially when it comes to phishing. These people should be using extremely complex passwords that should never be shared with anyone.
Lower-ranking workers should also recognize that it's perfectly fine to question an unusual request from an executive. Monetary exchanges that seem out of the ordinary should be confirmed face to face if possible, or at the very least over the phone. Something "out of the ordinary" could mean sending money to an account the employee has never seen before, or even language and grammar that doesn't seem right. Employees get emails from their bosses all the time and should be able to pick up on a change in tone that doesn't fit.
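The checks above (a beneficiary account nobody has paid before, an unusual request, a tone that doesn't fit) can be turned into a simple review gate that a finance team runs before any transfer is released. The following is an added example and not code from the original post or from Trend Micro: it screens a payment request and returns a hold decision with the reasons, so that anything held is confirmed out-of-band before money moves. The known-beneficiary list, the pressure-language cues, the review threshold and the sample requests are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: beneficiary accounts the finance team has paid before.
# In practice this comes from the accounts-payable system, not from the email.
KNOWN_BENEFICIARIES = {
    "GB12BANK00000012345678",
    "DE89370400440532013000",
}

# Constructed cues: wording that pushes the reader to act fast or keep quiet,
# the kind of tone shift the post says employees should notice.
PRESSURE_CUES = ("urgent", "immediately", "today", "confidential", "do not discuss")


@dataclass
class PaymentRequest:
    sender: str
    subject: str
    body: str
    beneficiary_account: str
    amount: float


@dataclass
class ReviewResult:
    hold: bool                      # True: do not pay until confirmed out-of-band
    reasons: list = field(default_factory=list)


def review_payment_request(req, known_beneficiaries=KNOWN_BENEFICIARIES,
                           review_threshold=10_000.0):
    """Return a hold decision for a payment request.

    Each reason corresponds to one of the warning signs discussed in the post:
    an account never seen before, language that doesn't fit, an unusual amount.
    The threshold is an assumed policy value, not something the post specifies.
    """
    reasons = []

    if req.beneficiary_account not in known_beneficiaries:
        reasons.append("beneficiary account has never been paid before")

    text = f"{req.subject} {req.body}".lower()
    hits = [cue for cue in PRESSURE_CUES if cue in text]
    if hits:
        reasons.append("pressure language: " + ", ".join(hits))

    if req.amount >= review_threshold:
        reasons.append(f"amount {req.amount:,.2f} at or above review threshold")

    return ReviewResult(hold=bool(reasons), reasons=reasons)


def verification_instruction(result):
    """Tell the reviewer what to do; the phone number must come from the
    company directory, never from the email itself."""
    if not result.hold:
        return "Proceed through the normal approval workflow."
    return ("HOLD: confirm in person or by phone using the number on file. "
            "Flags: " + "; ".join(result.reasons))


# Constructed sample requests, one that looks like a BEC attempt and one that
# matches routine business.
SUSPICIOUS = PaymentRequest(
    sender="cfo@example.com",
    subject="Urgent wire today",
    body="Please send 45,000 to the new vendor account below. Keep this confidential.",
    beneficiary_account="FR7630006000011234567890189",
    amount=45_000.0,
)
ROUTINE = PaymentRequest(
    sender="cfo@example.com",
    subject="Invoice 1042 approved",
    body="Please pay invoice 1042 per the usual schedule.",
    beneficiary_account="GB12BANK00000012345678",
    amount=2_500.0,
)

if __name__ == "__main__":
    for req in (SUSPICIOUS, ROUTINE):
        print(req.subject, "->", verification_instruction(review_payment_request(req)))
```

The point of the gate is not that the keyword list catches every fraud; it is that a "never seen before" account or a pushy tone forces a phone call to a number already on file, which a compromised mailbox cannot answer.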