In 2019, Business Email Compromise (BEC) attacks – a long-standing cybersecurity threat – accounted for $1.7 billion in losses, with cybercriminals using new tactics and techniques to carry out existing attacks. As cybercrime spikes in the wake of COVID-19, BEC’s toll is expected to rise this year. The Federal Bureau of Investigation (FBI) recently issued a warning to businesses on the growing threat of BEC attacks using the pandemic as a backdrop for unusual requests like payments to a “new” vendor or a change of account information.
BEC encompasses a range of cyberattacks, including tax scams, email, website spoofing, and most commonly, spear phishing. Spear phishing attacks are highly-researched ploys targeting specific individuals within an organization, often using specific details such as names and titles to spoof legitimate senders and coerce their target into initiating a seemingly legitimate transaction. By posing as legitimate senders with a specific request, these attacks can be extremely effective in initiating wire transfers or gaining unauthorized access to sensitive data.
COVID-19 has emboldened cybercriminals and left businesses vulnerable
With most workforces remote for the foreseeable future, businesses have become more vulnerable to spear phishing. As verification and security protocols continue to be disrupted due to limited in-person interaction, businesses are scrambling to adapt to develop remote processes to verify transactions. As a result, conversations and requests that typically happen face-to-face are now being conducted over email, messaging applications, and over the phone – making it easier for cybercriminals to pose as legitimate senders. These attacks have especially focused on invoice and payment fraud, with a recent report finding that these forms of fraud comprised 17% of all BEC attacks in May.
So what can be done?
Employees are the strongest line of defense
With BEC attacks on the rise, employees must familiarize themselves with key indicators to identify and thwart attacks before it’s too late. While cybercriminals continuously evolve their tactics and techniques, there are some foundational precautions that employees can take to spot and prevent attacks:
- Always be skeptical no matter how routine a request or familiar a sender always thoroughly vet any requests to ensure legitimacy.
- Trust your instincts and don’t allow yourself to be rushed – if a request doesn’t feel right, it probably isn't.
- Double-check all account details for accuracy.
- Follow your organizations’ procedures; they were established for good reason.
- If you are victimized in spite of all efforts, immediately report the incident to your local FBI and Secret Service offices and ask them to help revert the fraudulent transaction.
Organizations must lead the charge
As we continue to adjust to a prolonged remote-work reality, businesses must develop comprehensive protocols and procedures, and implement email authentication best practices to protect their organizations and employees from spear phishing attacks. So long as standard security protocols are disrupted, employees will need guidance on verifying the credibility of financial transactions and requests. Some steps to take to protect your employees from falling victim to attacks include:
- Implement SPF / DKIM / DMARC to inhibit spoofable message traffic from unauthorized sources.
- Require multiple independent signatures for high value transactions.
- Only work with established vendor accounts to streamline transaction verification.
- Provide employee training on identifying and preventing BEC attacks – especially using simulations to help give employees tangible experience identifying illegitimate requests and encouraging continuous skepticism.
- Establish robust payment processes to help employees differentiate legitimate and illegitimate requests; such as mandating multiple verifications for individual transactions.
- Strengthen password reset protocols and account authentication (MFA) to prevent unauthorized password resets and account logins.
Cybercriminals will relentlessly continue to target businesses throughout the pandemic and take advantage of vulnerabilities resulting from the shift to remote work. As some businesses consider a permanent shift to remote work, the need to address the threat of socially engineered attacks, like spear phishing, becomes even more pressing. Through email authentication best practices, robust verification protocols, and comprehensive employee training, businesses can limit vulnerabilities and arm their remote workforces with the skills needed to identify and prevent these attacks amidst COVID-19 and beyond.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.