The crime of business email compromise (BEC), which targets a business to facilitate financial theft, is expected to cost business more than $9 billion by the end of 2018. These scams are lucrative like no other. In one recent case, a U.S. company lost over $100 million. The company was scammed using deceptive techniques which involved spearphishing, fake email addresses and mimicking a legitimate vendor. These scams are complex, often multi-stage, attacks. They utilize a mix of human behavior, social engineering and technology.
As businesses, we are all at risk from BEC scams.Q1 of 2017 saw 85% of organizations targeted by at least one BEC attempt. This was up 13% on the previous quarter. Every type of business, of every size, in every location, is a potential target for a BEC scam.
The Human Vulnerability in BEC Scams
Business Email Compromise is about money — often big money. As mentioned above, some scams end up with multiple millions of dollars lost in one or more successive attacks. The scammer(s) will really work for this money, often spending many weeks checking out a company, preparing for their attack and understanding the organization structure to know who, exactly, to target. They will then use various tools in the cybercriminal’s toolkit, like spearphishing emails or malware to get the keys to your kingdom — your email login credentials. Once compromised, your email account is their own to use at will. If the cybercriminal struggles to get this far, they can always fall back on spoofing your email account instead. Cleverly configured email addresses are hard to spot as fake: firstname.lastname@example.org is very similar to email@example.com, especially in a busy accounts payable department who process hundreds of invoices every week.
Whereas technical hacks, that involve complex malware, prey on software vulnerabilities, BEC preys on our human vulnerabilities.
The methodology behind a BEC scam is based on our desire as human beings to build relationships and trust our colleagues and our vendors.
And who better to utilize as a compromise weapon in an organization than the person who calls the shots — the CEO. A popular type of BEC fraud is CEO compromise; this involves a C-level email account being hacked or spoofed. The compromised account represents a trusted and authoritative figure — someone people normally do not question. The cybercriminal uses this mix of trust and power to enact their ultimate outcome — a financial transaction direct into their bank account
Another variant of a BEC scam uses trust again, this time in the guise of a known vendor. Legitimate invoices are intercepted, again via a compromised email account. The cybercriminal then changes details such as bank account numbers, pushing the changed invoice back into the system. Again, this scam relies on the payment processor’s trust in a “known” vendor, coupled with the need to get the job done.
The Other Side of the BEC Coin: Security Awareness Training
Security awareness training is the practice of engaging everyone in an organization on the topic of cybersecurity. We are all impacted by the staggering impact of cybercrime. As individuals, as employees or as business owners, we stand together as potential targets for cybercriminal gain. Technological solutions have limited effect against BEC attacks which are based on deception and social engineering, aka human vulnerabilities. Fortunately, this situation can be redressed with knowledge and understanding and the application of human-based cyber defense. Security awareness training gives an organization the tools to build a culture of security. What this means, in reality, is that your organization as a whole becomes part of the security solution, not the problem.
Fighting Back With Security Awareness Training
BEC scams rely on certain human traits and behaviors including trust, a sense of urgency, the wish to deliver and obedience to an authority figure. Layered onto this are certain other issues such lack of understanding of just what constitutes cybersecurity. Although high-profile cyber attacks, like the Uber and Equifax breaches of 2017, have made cybercrime a household news item, the average person is still not security savvy. A recent report by Clutch found nearly half of entry-level employees were not aware that their organization had any security policies.
A security policy can be as simple as not writing a password down on a piece of paper. If you aren’t aware of a security policy, how can it be implemented? The same report identified that employees were uncertain about the level of IT security threats against their company. By engaging in a company-wide security awareness training program, you give your organization the tools to take back control of your security.
This mix of human factors and the skilled behavior manipulation seen in BEC scams makes for the perfect cybercrime. Security awareness training makes for the perfect way to fight back against that crime. Here are three ways security awareness training can help prevent a BEC scam:
- Education is strength: Teach everyone about the types of scams they might expect to come across and how they work. Education on scams will give your people the confidence to question unusual behavior.
- Vigilance is key: According to a Verizon report, 90% of data breaches are attributable to phishing, so you must teach all employees about how subtle a phishing email can be. This is especially important when those emails are based on sophisticated deception involving surveillance. They may not contain an obvious phishing link or a malware-ridden attachment; the most effective way to counter this level of cyber attack is through vigilance.
- Practice makes perfect: Ongoing security training is vital in keeping on top of cyber threats. Cybercriminals are good at change. We have to keep up with that change. Once a technique becomes less successful, cybercriminals create a new technique. Our counter to this is to keep on learning. Security awareness training is an ongoing exercise. Regular updates on new BEC scam types, coupled with practice sessions which involve the simulation of a typical BEC scam, are an essential part of a security awareness training program.
As well as having security awareness training and building a culture of security, you should also look at adding in some checks and balances. For example, put in place secondary sign-offs for larger invoices or have a verbal system in place to double check C-level requests that involve large financial transfers. No CEO should mind the time taken to potentially save them from a multi-million dollar theft.
Final Thoughts: Never Compromise on Security
Business email compromise is the ultimate deception. It allows the sticky fingers of the cybercriminal to come into our organization and steal from under our very noses — even with our unwitting help. It costs business billions. Ultimately, it will cost jobs. When the cybercriminal takes our own innate behavior and drivers and uses them against us, we have to retaliate through understanding and awareness. Technology can only take us so far in the fight against cybercrime that utilizes human-based vulnerabilities. Security awareness training is our shield against BEC. Being security aware, understanding the tricks of the cybercriminals trade and training for vigilance is a best practice plan for an organization against BEC scams.