The year 2020 will be remembered as the year of the COVID-19 pandemic. Its global impact was unlike anything seen in recent history, and the virus permeated every aspect of life, including cybercrime, as criminals took advantage of the disruption to target companies.
According to the FBI's Internet Crime Complaint Center (IC3), the number of cyber complaints reported in 2020 rose 69% from 2019, and Business Email Compromise (BEC) schemes remained the costliest category, with adjusted losses of over $1.8 billion in 2020.
Cybercriminals continue to grow more sophisticated and use a wide range of tactics against their victims; unfortunately, BEC is one tactic that has increased in both frequency and complexity in recent years.
Simply put, a BEC scam involves a cybercriminal posing by e-mail as a seemingly legitimate source, for example a senior employee, vendor, supplier, business partner, or other organization. The criminal uses these emails to gain the target's trust, so that the victim believes they are communicating with the genuine sender. From there, the criminal convinces the target to transfer money, share sensitive information (e.g., customer and employee data, proprietary knowledge, or trade secrets), or take part in other compromising activities.
BEC fraud can have many consequences for your organization, including stolen data, financial losses, and potentially serious reputational damage. Nevertheless, these scams can be deterred by a range of cybersecurity practices. Read this guide to learn what BEC scams are and the best steps your organization can take to prevent them.
Essentially, BEC scams consist of cybercriminals posing as an individual or entity within their target's trusted network for illicit gain. They are categorized as a form of social engineering, a broader class of attack that exploits predictable human behaviors (e.g., deference to authority, fear of conflict, and the promise of a reward) to gain unauthorized access to organizational systems, funds, or data.
Cybercriminals who commit BEC scams often use these social engineering strategies:
- Creating confusingly similar addresses – To convince targets that they are a trusted source, cybercriminals register email addresses or domains that are almost identical to the one they are imitating, differing by only a character or two (for example, changing the email address "email@example.com" to "firstname.lastname@example.org"). Swapping a digit for a look-alike letter, transposing two letters, or using a similar top-level domain are common variations.
- Using spear-phishing techniques – Cybercriminals research their targets in advance and use the details they uncover to make their false identity more convincing. In spear-phishing, the criminal typically poses as a source closely connected to the target (e.g., a close colleague or department head).
- Distributing malicious code – In the fraudulent emails sent in a BEC scam, cybercriminals may urge their targets to download malicious attachments or click on misleading links that launch malware. Once executed, this software gives the criminals easier access to the victim's systems, resources, and data.
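Checking a sender address mechanically is the reliable defense against the look-alike trick described in the first strategy above, because the eye reads "examp1e" as "example". The following is an added example, not code from the original page or from CoverLink: a small Python checker that parses raw e-mail headers, folds common character substitutions, measures the edit distance of the sender domain against an assumed trusted list (example.com and example.org, chosen purely for illustration), and also flags a Reply-To that points somewhere other than the visible sender and a display name that name-drops a trusted domain. The substitution table, the trusted list and the two sample messages are all constructed for this example.

```python
"""Flag look-alike sender addresses in raw e-mail headers (constructed example)."""
from email import message_from_string
from email.utils import parseaddr

# Domains the (hypothetical) organization trusts: its own plus a known supplier.
TRUSTED_DOMAINS = {"example.com", "example.org"}

# Character substitutions attackers use to build look-alike domains.
# Assumed, non-exhaustive table; multi-character pairs come first so that
# "rn" becomes "m" before "1" becomes "l".
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                    ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    """Lowercase and fold common substitutions so 'examp1e.com' and
    'exarnple.com' both collapse to 'example.com'."""
    d = domain.lower().strip()
    for bad, good in CONFUSABLE_PAIRS:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (dynamic programming, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender domain."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Non-ASCII letters (e.g. Cyrillic 'a' for Latin 'a') are a homoglyph attempt.
    if not domain.isascii():
        return "lookalike"
    folded = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or edit_distance(folded, trusted) <= 2:
            return "lookalike"
    return "unknown"


def check_message(raw: str) -> dict:
    """Parse headers and collect the indicators the article describes."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]
    verdict = classify_domain(from_domain)
    flags = []
    if verdict == "lookalike":
        flags.append("lookalike-sender-domain")
    # Display name mentions a trusted domain, but the address is not from it.
    if verdict != "trusted" and any(t in display.lower() for t in TRUSTED_DOMAINS):
        flags.append("display-name-impersonation")
    # Replies would silently go to a different domain than the visible sender.
    if reply_domain and reply_domain.lower() != from_domain.lower():
        flags.append("reply-to-mismatch")
    return {"from_domain": from_domain, "verdict": verdict, "flags": flags}


# Constructed sample messages (not real mail).
LOOKALIKE_INVOICE = """\
From: "example.com Accounts Payable" <ap@examp1e.com>
Reply-To: ap@payments-update.net
Subject: Updated bank details for your invoice

Please use the new account shown on the attached invoice.
"""

GENUINE = """\
From: Jane Doe <jane.doe@example.com>
Subject: Lunch?

Noon?
"""

if __name__ == "__main__":
    for raw in (LOOKALIKE_INVOICE, GENUINE):
        print(check_message(raw))
```

The edit-distance threshold of 2 is deliberately loose, so it will also flag legitimate near-neighbors and the verdict should be treated as a triage signal, not a block decision. Note also that this check only inspects the visible headers: a message sent from a genuinely compromised account (the account-compromise type listed below) passes it cleanly, which is why the out-of-band payment verification steps later in this guide still matter.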
According to the FBI, there are several different types of BEC fraud, including the following:
- False invoice scheme – The cybercriminal impersonates one of the organization's suppliers and tricks the target into paying fraudulent invoices or transferring funds to an account the criminal controls.
- CEO fraud – The cybercriminal poses as a senior employee or executive and instructs the victim to make a bank transfer to a fraudulent account. These requests are often urgent and demanding, threatening the victim with work-related consequences or other penalties for failure to comply.
- Account compromise – The cybercriminal breaks into an employee's or executive's real email account and sends messages to that person's contacts, trying to trick the recipients into paying fraudulent invoices.
- Attorney impersonation – The cybercriminal poses as a lawyer or other legal representative and requests payment to a fraudulent account to settle an organizational matter described as "sensitive" or "pressing."
- Data theft – The cybercriminal impersonates an HR professional to trick the target into sharing personal information about employees or executives. That information can then be exploited in future attacks.
Every employee can be the target of BEC fraud, which puts the security and financial stability of your entire organization at risk. Be sure to implement the following cybersecurity measures to deter BEC fraud:
- Train your employees. Minimizing losses from BEC scams begins with educating your employees on how to detect and prevent them. Equip your staff with these best practices:
  - Refrain from sharing personal or work-related information on social media, as cybercriminals use such information to set up a BEC fraud.
  - Avoid opening or replying to emails from people or organizations you do not know. If an email claims to come from a trusted source, verify the sender's identity by checking the full email address character by character, not just the display name.
  - Be wary of emails that seem out of place, contain spelling and grammar errors, request sensitive details, or use threatening language. Never provide financial information via email.
  - Never click on suspicious links in emails. Likewise, avoid downloading email attachments from unknown sources.
  - If you suspect a BEC scam, contact your manager or IT department immediately for further guidance.
- Implement secure payment procedures. Secure payment procedures can stop BEC fraud before any money is lost. Instruct employees who handle your organization's finances to scrutinize invoices and transfer requests to confirm they are legitimate. Whenever possible, such requests should be confirmed in person, or by phone using a number already on file rather than one supplied in the email, before proceeding, especially if they involve alternative payment methods or changes to account numbers. Also consider requiring more than one verification method, or more than one approver, for payment requests.
- Restrict access to sensitive data. Give employees access to sensitive organizational data only if they are trusted, experienced, and need that information to perform their duties. Protect the data with access controls and multifactor authentication.
- Use security controls. Ensure that every part of the organization has adequate security controls in place to deter BEC fraud, including a virtual private network, antivirus and anti-malware software, email spam filters, data encryption, and a firewall. Keep these controls updated.
- Have a plan. Finally, make sure your organization has an effective incident response plan that specifically covers response protocols and mitigation measures for BEC fraud. In particular, plan to contact your financial institution as soon as a BEC fraud is discovered to determine whether funds have left your account. If money has been taken, the account should be temporarily frozen to prevent further theft. In addition to consulting your financial institution, report the fraud to your local FBI field office and file a complaint with the Internet Crime Complaint Center (IC3).
Do not let BEC scams – or any form of cyber exposure – threaten your business.
Contact CoverLink Insurance today to learn more about available cyber policies and effective risk management techniques to protect your organization from BEC fraud.