Philabundance, a Philadelphia food bank, got scammed out of nearly a million dollars due to a clever BEC attack. According to reports, cyber thieves infiltrated the group’s email server and then mimicked a construction company that had done work for Philabundance. The thieves emailed a fake invoice with instructions leading to a bank account controlled by the thieves.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Unfortunately, scammers are drawn to the money trail with no regard for ethics, so this means non-profits are also vulnerable to attack. The Philabundance attack checks all the boxes of a successful BEC scam: in-depth research to identify the target, social engineering exploits to penetrate the network, creation of a fake invoice from a known email address, and the request to wire funds to a (phony) bank account.
BEC scams cleverly play on two glaring human vulnerabilities: an employee’s susceptibility to social engineering, and their unquestioning trust in the chain of command. The best way to help prevent these types of attacks is to provide regular security training for employees, and establish specific business and financial policies for company payments.
Companies that conduct ongoing and varied security training of their employees – starting at onboarding and continuing with regularly scheduled simulated phishing attacks, stand the greatest chance of keeping invaders out of their network. Interactive, relevant, and ongoing training can reduce the percentage of successful phishing attempts from 30 percent to less than 5 percent.
To successfully defend against BEC scams, companies should also implement specific business and financial policies for all payments. The most effective policies limit the number of individuals authorized to make payments, call for additional authorizations above a pre-determined amount, require vendor validation, and treat any urgent requests or new payment methods as a suspect.
Criminals know that employees can be the weakest link in a cyber attack. The good news is that with investment and training, employees can become your strongest defense.