A Lithuanian man is facing up to 30 years in prison this July for his role in a phishing scheme involving Facebook and Google. In March, he pled guilty to helping fleece the two companies out of a total of more than $100 million.
Using a business email compromise (BEC), the wire fraud scheme included sending fake emails to the two companies’ employees on behalf of a legit Taiwanese hardware maker, claiming the tech giants owed it money and directing payments to the scammers’ bank accounts.
This was a fairly common scenario as far as BEC goes, but what makes the case noteworthy is the caliber of its victims. One may normally think that large enterprises wouldn’t fall for this type of a scam. For smaller businesses, it may serve as an eye-opener: if larger, sophisticated companies aren’t immune to phishing schemes, what can the small guy do to fight back?
The prevalence of business email compromise
BEC (also known as CEO email fraud) and email account compromise (EAC) have grown both in sophistication and prevalence. The FBI’s 2018 Internet Crime Report, released in April 2019, shows that in 2018 alone the Internet Crime Complaint Center (IC3) received 20,373 BEC/EAC complaints. Losses totaled over $1.2 billion.
“Most of these types of attacks we see are on small businesses, but they’re afraid to talk about them in public or call the FBI,” says cybersecurity veteran Idan Udi Edry, the CEO of Trustifi. “The smaller organizations are the most vulnerable ones and on top of that, if they get hit, they can’t afford losses like the big ones can.”
Between December 2016 and May 2018, IC3 saw a 136 percent increase in global exposed losses from BEC. And between October ’13 and May ’18 a total of 718,617 incidents, both domestic and foreign, have caused $12.5 billion in losses to businesses. To put that number into perspective, that’s enough to pay for all of Netflix’s 2018 content or for 30 of Boeing’s most expensive airplanes.
Why protecting your email is a must
The BEC scams usually involve spoofed or compromised email, and email is a top vector for phishing attacks in general. That’s why it’s not surprising that the most recent quarterly report from the Anti-Phishing Working Group (APWG) found that the number of attacks targeting webmail/SaaS providers has doubled from the previous quarter and has been on an upward trajectory in the past few years.
“Email today is like another form of your government ID — like your driver’s license or passport. When you send an email with instructions, whether it’s to wire money or book a flight or just say hi, it’s an official identification of you,” Edry says. “People don’t understand they need to protect their email the same way they’re protecting their social security card or their driver’s license.”
Research by cybersecurity company Proofpoint found that almost a quarter of phishing email recipients click on the link within five minutes, and about 50 percent of the clicks are within the first hour. That means your protection needs to work fast.
Edry says the best way to prevent your email account from being compromised is through encryption and authentication tools. He says email attacks are especially appealing to hackers who target small businesses that use email for transmitting sensitive data.
“Hackers don’t need to spend so many resources to hack a bank because they can just sit on a realtor, CPA or small law firm and get the same information,” he says.
Interest in email encryption lags behind other types of encryption, but Edry says European Union’s General Data Protection Regulation (GDPR) has changed that in the past couple of years.
“Everything can be hackable and everything can be breached,” he says. “Encrypting your data means there’s no access to it.”
Other ways to protect your emails
Email encryption and authentication is only one step toward protecting your emails. Here are some other things you can do to protect your email communication:
- Add two-factor authentication for email apps to make it harder for hackers to break in
- Provide a “back to base,” or corporate VPN, for your remote employees so they can be secure regardless of their location
- Use email filtering to block spam, as well as rules to identify emails with the “reply to” address different from the one displayed
- Create an intrusion detection system to flag emails similar to your company’s domain name
- Don’t rely on traditional antivirus alone to catch malware — consider implementing advanced detection and response for your endpoints
- Add Web filtering to block malicious URLs
Implementing user training and procedures
Besides using technology, you can help prevent BEC schemes and other phishing attacks by implementing certain procedures. The FBI recommends:
- Verifying changes in the vendor payment information through two-factor authentication, such as a secondary personnel approval
- Confirming fund transfer requests via phone verification using the previous numbers rather than the numbers from the current email request
- Scrutinizing emails requesting fund transfers to ensure they’re not out of the ordinary
Additionally, change your processes to require multiple people to sign off on overseas wire transfers, as well as taking additional steps any time someone creates or makes changes to vendor accounts.
A user awareness and training program adds another layer of phishing protection. Although scammers are always going to be steps ahead of users, educating your employees and other stakeholders strengthens your human factor.
Some basic awareness topics to cover:
- Why email and security best practices are important
- Common and current phishing scams and techniques
- Why and how to be careful about personal information shared on social media
- How to identify suspicious emails and attachments and what to do with them
- How to scrutinize any requests for sensitive information or financial transactions
- How to protect login credentials
- What information is considered sensitive, how to classify data and how to handle it based on that classification
Edry also recommends having a chief information security officer. He says that regardless of the size of your company, you need someone who understands the security world and can make decisions about the right technology, compliance and processes such as updating systems.
“We are always behind the hackers, and we’ll never be ahead of them,” he says. “An information security officer is a must to secure the infrastructure.”
- Facebook-Google Scammer Pleads Guilty in $121 Million Theft, Bloomberg
- Scammer Pleads Guilty to Fleecing Facebook and Google of $121M, Sophos
- 2018 Internet Crime Report, FBI
- Phishing Activity Trends Report, 4th Quarter 2018, APWG
- The Human Factor 2018, Proofpoint
- Business Email Compromise: Cyber-Enabled Financial Fraud on the Rise Globally, FBI