We have been hearing the same story over and over: the email looked like it was from the CEO/President/CFO and it was urgent, so I wired the money to the account in the email. It is called Business Email Compromise (BEC) or Email Account Compromise (EAC), and the forms of this scam are becoming more varied and much more convincing. An “employee” emails HR changing their direct deposit information to a new account. A “vendor” emails Accounts Payable and updates their banking information or mailing address. These scams involve either the criminal spoofing the legitimate email address of the CEO, employee or vendor, or the criminal actually obtaining the email credentials of the target and using their real email account to send the payment redirect request. It can be difficult to know which emails you can trust.
According to the FBI Internet Crime Complaint Center’s 2019 Internet Crime Report, the FBI received almost 24,000 complaints about BEC scams in 2019, resulting in an average loss of $72,000 and a total loss of $1.7 billion. These criminals are becoming increasingly sophisticated in their attacks. Recently, Microsoft warned of a phishing scam in which users received an authentic-looking email indicating that they had a message waiting for them in Microsoft Teams. When users clicked on the “Reply in Teams” link, it took them to an authentic-looking Microsoft login screen where they entered their Microsoft login credentials. Every step looked completely legitimate.
These BEC scams are incredibly easy for the criminals to launch. All it takes is one good socially engineered email that plays on our natural human instincts and one distracted or untrained employee to give them access to your email and your contacts. They can then scale up exponentially, using that one email account to give them access to hundreds of others. Using that legitimate email account makes them much more likely to be successful in getting another target to wire funds or enter their own credentials. This can end up being significantly more lucrative than attacking the infrastructure itself.
As with most cybersecurity issues, defending against this particular attack requires a multi-part approach. Defense at the perimeter should include tags in the email that alert the recipient when the sender address is spoofing the recipient’s own domain. Multi-factor authentication (MFA) is a must. According to a Verizon data breach report, 80% of breaches were due to stolen credentials and could have been prevented with MFA. And finally, training! No matter what structural safeguards you put in place, it only takes one misguided click to open the door to a whole host of trouble.
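To make the perimeter tagging idea concrete, here is an added example of the kind of check a mail gateway performs; it is illustration code written for this post, not a product of Windes or of any mail vendor. It assumes the protected organization's domain is `example.com`, that the gateway already stamped an `Authentication-Results` header with SPF/DMARC verdicts, and that the three messages are constructed samples. An inbound message whose `From:` address claims the organization's own domain is tagged unless DMARC verified it, which is the case that lets an authorized outside service send as the company.

```python
"""Tag inbound mail whose From: claims the recipient's own domain but fails
sender authentication. Illustration only; domain, headers and messages below
are constructed, not taken from any real mail system."""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"      # assumption: the protected organization's domain
SPOOF_TAG = "[POSSIBLE SPOOF]"  # assumption: the tag the gateway prepends
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed sample 1: outsider forging the CEO's address, DMARC fails.
SPOOFED_CEO = """From: "Jane Doe (CEO)" <jane.doe@example.com>
To: payables@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.mailer.test; dmarc=fail header.from=example.com

Please wire the deposit today, I am in meetings all afternoon.
"""

# Constructed sample 2: authorized SaaS tool sending as the company, DMARC passes.
AUTHORIZED_RELAY = """From: "HR Portal" <hr-noreply@example.com>
To: staff@example.com
Subject: Your pay statement is ready
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Log in to the HR portal to view your statement.
"""

# Constructed sample 3: ordinary external vendor mail, no claim on our domain.
EXTERNAL_VENDOR = """From: "Acme Billing" <billing@acme-vendor.test>
To: payables@example.com
Subject: Updated remittance details
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-vendor.test; dmarc=pass header.from=acme-vendor.test

Our banking details have changed, see attached.
"""


def auth_results(msg):
    """Collect method -> verdict (spf/dkim/dmarc) from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(header)):
            results.setdefault(method.lower(), verdict.lower())
    return results


def assess(raw, org_domain=ORG_DOMAIN, inbound=True):
    """Decide whether an inbound message is impersonating the organization's own domain.

    Returns the parsed From domain, the authentication verdicts, the spoof
    decision and the subject line as the recipient would see it after tagging.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    claims_internal = from_domain == org_domain.lower()
    # An internal-looking From on mail arriving from outside is trusted only
    # when DMARC verified it; a fail, a softfail or a missing verdict all tag.
    spoof_suspected = inbound and claims_internal and auth.get("dmarc") != "pass"
    subject = str(msg.get("Subject", ""))
    if spoof_suspected and not subject.startswith(SPOOF_TAG):
        subject = f"{SPOOF_TAG} {subject}"
    return {
        "from_domain": from_domain,
        "claims_internal": claims_internal,
        "auth": auth,
        "spoof_suspected": spoof_suspected,
        "subject": subject,
    }


if __name__ == "__main__":
    for name, raw in [("spoofed CEO", SPOOFED_CEO),
                      ("authorized relay", AUTHORIZED_RELAY),
                      ("external vendor", EXTERNAL_VENDOR)]:
        verdict = assess(raw)
        print(f"{name:17} spoof={verdict['spoof_suspected']!s:5} subject={verdict['subject']!r}")
```

The display name is deliberately ignored: a forged message can put any name in front of any address, so the decision rests on the address domain and on the DMARC verdict the gateway itself recorded. A message with no `Authentication-Results` header at all is treated like a failure, which is the safer default for a header that the organization's own MX is expected to add.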
Many of these attacks are crimes of opportunity. You do not have to be “high value” to be a target. BEC is just one of many kinds of cyber attacks that are on the rise in this time of COVID. Contact Windes to find out just how many ways your organization is vulnerable to these attacks and how to protect yourself.