It was reported over the weekend that an Instagram star is facing criminal charges over an attempt to steal £100m from a premier league club, amongst others, using Business Email Compromise fraud email attacks.

Business Email Compromise continues to be a significant issue. Companies will traditionally roll out security awareness training to their employees about not opening suspicious email attachments or clicking on links, but how many companies train their staff to refuse or question a direct command from senior staff? The art of “whaling” aims to compromise a senior staff member’s email and then use that to instruct junior staff to make payments to bank accounts of fraudsters.
Because these highly lucrative attacks are succeeding, they will continue to attract more groups willing to attempt their methods. It’s time that businesses consider applying security to their business practices because IT security tools are not infallible against human behaviour.
As an example, train your staff to require third-party validation for any financial transaction or introduce payment procedures requiring multiple sets of independent eyes. Malicious individuals are abusing the fact that junior staff implicitly trust their seniors and act quickly as instructed. You must put in place processes and beliefs that when unordinary requests come through, they should be questioned.
The case of an unnamed premier league club losing £100 million from a Business Email Compromise (BEC) scam shows that even the most common form of attack poses an enormous risk to unsuspecting organisations. BEC is so effective because it exploits a human impulse – as the emails often look ‘real’, these scams take advantage of a very human desire to please a high-ranking executive – which means the victim may not be as security-vigilant as usual.
Unfortunately, because these emails are so convincing, and targeted, the traditional pattern matching technologies usually used to catch spam are also useless against this technique. In order to be able to spot them, organisations need to combine content analysis, threat intelligence and executive name checking to efficiently protect themselves. Combining the right technology with best-practice policies for employees will give organisations the right tools to keep their eye on the ball and mitigate these types of scams.
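The combination of executive name checking and content analysis mentioned above can be sketched as follows. This is an added example, not code from any of the commenters or their products; the executive directory, addresses, keyword list and sample messages are all constructed assumptions.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory: executive name -> legitimate address (constructed).
EXECUTIVES = {"jane holloway": "jane.holloway@example-fc.test"}
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|invoice|payment|urgent)\b", re.I)

def normalise(name):
    """Fold case, accents and punctuation (cross-script homoglyphs are not covered)."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z ]", " ", folded.lower()).split())

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def check_message(raw):
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    shown = normalise(display)
    expected = next((a for n, a in EXECUTIVES.items() if n in shown), None)
    reasons = []
    # Executive name checking: known name shown on an address that is not theirs.
    if expected and addr.lower() != expected:
        reasons.append("executive display name on unexpected address")
    # Replies silently diverted to a different domain.
    if reply_to and domain(reply_to) != domain(addr):
        reasons.append("Reply-To domain differs from From domain")
    # Content analysis only escalates mail that already has an identity signal.
    body = "" if msg.is_multipart() else msg.get_payload()
    if reasons and PAYMENT_TERMS.search(msg.get("Subject", "") + " " + body):
        reasons.append("payment request language")
    return reasons

# Constructed sample messages.
SPOOF = """\
From: "Jane Holloway (CEO)" <j.holloway.ceo@mail-example.test>
Reply-To: accounts@payments-example.test
Subject: Urgent transfer

Please process the attached invoice today.
"""
LEGIT = """\
From: Jane Holloway <jane.holloway@example-fc.test>
Subject: Invoice approval

Approved, thanks.
"""
```

A flagged message is a candidate for the out-of-band payment validation described earlier, not proof of fraud on its own.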
This incident is another reminder that cyber threats such as Business Email Compromise (BEC) schemes remain active and prevalent, posing a huge risk to unsuspecting organisations. In many cases, the hacker creates a fraudulent, but realistic-looking, email request for payment of an invoice or transfer of funds. The perpetrator will often use the company logo, email signature, and fake purchase order number in their correspondence to increase the likelihood of being believed. The victim, assuming they are just doing their job, makes the transfer in response to the request, often repeating the process over time, leading to the company losing tens of thousands, if not millions of pounds.
This type of spear-phishing attack has been trending, with Barracuda Sentinel detecting 467,825 spear-phishing email attacks between March 1 and March 23, a 667% increase. Tackling this issue requires companies to invest in the very latest email protection systems and also ensure that every employee is acutely aware of these scams and how they operate.