Security Experts' Comments on the News:
The FBI found yesterday afternoon that BEC/EAC scams cost organisations over $26 billion between June 2016 and July 2019. The threat continues to grow and evolve, targeting small, medium, and large business and personal transactions. Between May 2018 and July 2019, there was a 100 percent increase in identified global exposed losses.
Based on the financial data, banks located in China and Hong Kong remain the primary destinations of fraudulent funds. However, the Federal Bureau of Investigation has seen an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey.
BEC attacks are clearly surging and it’s not surprising considering the financial return cyber criminals are seeing. The attacks are easy to carry out and carry a fairly low risk as many people behind the scams never get caught.
When it comes to protection against BEC attacks, employee security training is critical as the attacks target people’s naivety not to question emails when they are coming from people in positions of authority.
Training staff to always verify the authenticity of an email, before taking action, is vital. This could include calling the sender of the email to check it is legitimate, or implementing a policy where you must forward the email back to the sender, rather than replying to it, and asking them to reconfirm before making the payment transaction.
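The reason the comment above says to forward a request back to a directory-verified address rather than reply to it is that a BEC lure can carry a plausible From header while its Reply-To header routes the conversation somewhere else. The following is an added example, not code from the original article or from the quoted expert: it parses a message, reports whether replies would leave the From domain or the organisation's trusted domains, lists urgency cues, and looks up the contact to forward to from a directory rather than from the message. The trusted domains, directory, cue list and sample lure are all constructed for the example.

```python
"""Reply-To mismatch triage for payment-request emails (added example)."""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed: the organisation's own domains and a directory of known contacts.
# In practice these come from the directory service, never from the email itself.
TRUSTED_DOMAINS = {"example.com"}
DIRECTORY = {"CFO": "cfo@example.com"}

# Constructed sample lure: the From address looks internal, the Reply-To does not.
SAMPLE_LURE = """\
From: "CFO" <cfo@example.com>
Reply-To: "CFO" <cfo@examp1e-mail.com>
Subject: Urgent wire needed today
To: ap@example.com

Please process the attached wire before 3pm. I am in meetings, reply by email only.
"""

# Constructed list of pressure phrases typical of urgent-payment lures.
URGENCY_CUES = ["urgent", "today", "before 3pm", "reply by email only", "wire"]


def reply_to_mismatch(raw: str) -> Dict[str, object]:
    """Return From/Reply-To addresses and whether a reply would leave the From domain."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    # With no Reply-To header, replies go back to the From address.
    _, reply_addr = parseaddr(msg.get("Reply-To") or from_addr)
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    return {
        "from": from_addr,
        "reply_to": reply_addr,
        "mismatch": from_domain != reply_domain,
        "reply_leaves_trusted_domain": reply_domain not in TRUSTED_DOMAINS,
    }


def urgency_cues(raw: str) -> List[str]:
    """Return the constructed pressure phrases found in the subject and body."""
    msg = message_from_string(raw)
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    return [cue for cue in URGENCY_CUES if cue in text]


def verified_contact(raw: str) -> Optional[str]:
    """Address to forward the request to: looked up by display name in the
    directory, never taken from the Reply-To header of the message itself."""
    msg = message_from_string(raw)
    name, _ = parseaddr(msg.get("From", ""))
    return DIRECTORY.get(name)


def triage(raw: str) -> Dict[str, object]:
    """Combine the header check, urgency cues and forward-to lookup into one verdict."""
    headers = reply_to_mismatch(raw)
    cues = urgency_cues(raw)
    hold = bool(headers["mismatch"] or headers["reply_leaves_trusted_domain"] or cues)
    return {**headers, "urgency_cues": cues, "hold_for_verification": hold,
            "forward_to": verified_contact(raw)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LURE).items():
        print(f"{key}: {value}")
```

The point of `verified_contact` is that the forwarding address is resolved from something the sender does not control; any message that is held for verification is then confirmed by phone or by that forwarded note before a payment moves.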
From an attacker's perspective looking to make money, BEC scams are the perfect blend of low cost and high return. BEC scams rarely, if ever, need any malware to be effective and operate on deceiving users.
This is why providing appropriate and timely security awareness training is so important, as well as having supporting controls in place so that one person cannot create, authorise and execute a new payment.
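The supporting control mentioned above, that no single person can create, authorise and execute a payment, is a separation-of-duties rule that can be enforced in software. The following is an added example, not code from the original article or the quoted expert: a small approval ledger in which the requester, the authoriser and the executor must be three different people, and a payee that has never been paid before must be confirmed out of band by someone other than the requester before funds are released. The users, payee names, amounts and known-payee list are constructed for the example.

```python
"""Dual-control gate for new payment instructions (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed: vendors that have previously been paid to a verified account.
KNOWN_PAYEES = {"acme-supplies"}


@dataclass
class Payment:
    payee: str
    amount: float
    created_by: str
    authorised_by: Optional[str] = None
    payee_verified_by: Optional[str] = None  # out-of-band check of a new payee
    executed_by: Optional[str] = None


def authorise(p: Payment, user: str) -> bool:
    """A second person approves; the requester may not approve their own request."""
    if user == p.created_by:
        return False
    p.authorised_by = user
    return True


def verify_payee(p: Payment, user: str) -> bool:
    """Record that `user` confirmed the bank details via a known phone number,
    not by replying to the email that asked for the payment."""
    if user == p.created_by:
        return False
    p.payee_verified_by = user
    return True


def blocking_reasons(p: Payment, executor: str) -> List[str]:
    """Every rule that would stop `executor` from releasing the payment now."""
    reasons = []
    if p.authorised_by is None:
        reasons.append("not authorised by a second person")
    if executor in (p.created_by, p.authorised_by):
        reasons.append("executor must differ from creator and authoriser")
    if p.payee not in KNOWN_PAYEES and p.payee_verified_by is None:
        reasons.append("new payee has not been verified out of band")
    return reasons


def release(p: Payment, executor: str) -> bool:
    """Release only when no rule blocks; returns whether the payment went out."""
    if blocking_reasons(p, executor):
        return False
    p.executed_by = executor
    KNOWN_PAYEES.add(p.payee)  # future payments to this account skip re-verification
    return True


if __name__ == "__main__":
    p = Payment(payee="new-vendor-ltd", amount=48_000.0, created_by="alice")
    print(release(p, "alice"), blocking_reasons(p, "alice"))  # blocked, three reasons
    authorise(p, "bob")
    verify_payee(p, "carol")
    print(release(p, "bob"))   # blocked: bob authorised it
    print(release(p, "dave"))  # released
```

A compromised or deceived requester can still open a payment, but cannot move it on their own; the new-payee rule is what catches the classic "our bank details have changed" variant, because the change must be confirmed by a second person through a channel the email did not supply.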
More than 99 percent of cyberattacks need humans to click and act—and BEC attacks rely squarely on individuals to take action by preying on human psychological responses to urgent matters such as wiring money and sending confidential data, often to satisfy some immediate but fictional business need. Organizations need to take immediate steps to significantly reduce the chances that a BEC attack is successful by educating their employees and deploying solutions that place the individual at the center of their security strategy.
BEC and EAC (essentially BEC attacks launched from internal – and therefore harder to detect – compromised executive accounts) are increasingly weapons of choice for financially motivated threat actors because they are inexpensive and require more research than actual sending infrastructure. Sending fraudulent email is cheap and the messages don’t require expensive malware or sophisticated command and control; yet the attacks themselves are highly effective, resulting in billions of dollars in reported losses. Exploiting the email communication channel through highly personalized, socially engineered messages allows attackers to easily impersonate a trusted employee or partner. The prevalence and effectiveness of pervasive credential phishing schemes provides fuel for increasingly common EAC attacks as well, giving attackers an inside channel to implement their schemes.
These social engineering schemes will only become more prevalent and difficult for organizations to identify, detect, and respond to. It is critical that organizations prioritize a people-centric approach to security that protects all parties (their employees, customers, and business partners) against phishing, email fraud, credential theft, and brute force attacks. We recommend layered defenses at the network edge, email gateway, in the cloud, and endpoint, along with strong user education to provide the best defense against these types of attacks, most of which lack malware payloads that traditional defenses are designed to detect.