In the Era of Advanced Phishing Attempts, Email is a Weapon
Phishing emails have come of age over the last two years. No longer are misspellings and obvious 419 scams the hallmark of an email scam. Instead, attackers use sophisticated HTML and spoofing tricks to make messages from dangerous phishing sites look legitimate. They’ll impersonate your boss or your CFO and ask employees to make wire transfers, or they’ll pose as your business partners and send fake invoices asking for real payments.
Although some email filtering programs can detect this kind of deception, the call is often coming from inside the house. Once an attacker figures out a way to take over an Office 365 account, they’re invisible from the perspective of security tools. They can spam your contact lists, impersonate the legitimate owner of the account, and do their best to spread malware and steal money. It might be days or weeks before anyone detects the ongoing fraud.
Mapping the Scale of Business Email Compromise (BEC)
This new form of phishing is so different from its predecessors that it’s earned a new name – BEC, for Business Email Compromise. BEC is no joke – research suggests that incidents of BEC increased nearly 500% between 2017 and 2018, and the growth shows no sign of slowing down. According to the FBI, losses due to BEC recently reached $1.2 billion, doubling in just 12 months.
BEC is so effective because businesses have fairly rigid hierarchies and processes. If your boss asks you to do something – and if you have no reason to suspect that it isn’t your boss talking – then you do it. If an invoice comes in, and it looks like the invoice is legitimate, then you pay it. As long as an attacker has enough knowledge to create a reproduction of your internal communications, they have a green light to steal from you.
How Can Businesses Mitigate BEC?
For many businesses, training is the first line of defense. There are a few characteristics to watch out for that can help employees recognize and deflect a BEC attack:
- Malformed Domain Names
A poorly spoofed domain name looks like the genuine article at first glance. On closer inspection, you’ll notice that an email that purports to come from Office 365 might actually come from “0ffic∃ 365.”
- Uncharacteristic Behavior
Does your boss typically email you at 5:00 AM and ask you to wire money to an unknown address? If not, then you’re better off calling them to ask for confirmation.
- Verbal Abuse
Attackers will sometimes use a threatening tone in their emails and may resort to abusive language if you don’t comply with their demands. If you’re unsure about how to handle the situation, it’s best to confirm the instructions with a knowledgeable third party before acting.
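The “Malformed Domain Names” check above can be automated on the receiving side. The following is an added example (not code from NexusTek or Barracuda): it reduces a sender domain to a lookalike-insensitive “skeleton” so that “0ffic∃365.com” collapses to the same string as the genuine domain, and flags the message as a lookalike. The trusted domain list and the confusables table are assumptions constructed for this example, not an exhaustive list.

```python
import unicodedata

# Constructed, deliberately small table of characters that visually resemble
# ASCII letters or digits. A production filter would use a full confusables list.
CONFUSABLES = {
    "0": "o", "1": "l", "∃": "e", "ε": "e", "ı": "i",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c",  # Cyrillic lookalikes
}

# Assumed list of domains this organisation treats as genuine senders.
TRUSTED_DOMAINS = {"office365.com", "contoso.com"}


def skeleton(domain: str) -> str:
    """Collapse a domain to an ASCII-ish form that ignores lookalike glyphs."""
    out = []
    for ch in unicodedata.normalize("NFKC", domain.lower()):
        ch = CONFUSABLES.get(ch, ch)
        # Strip accents (e.g. "ó" -> "o") by decomposing and dropping marks.
        base = unicodedata.normalize("NFKD", ch)
        out.append("".join(c for c in base if not unicodedata.combining(c)))
    return "".join(out)


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    addr = from_header
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1:addr.index(">")]
    return addr.rpartition("@")[2].strip().lower().rstrip(".")


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' (impersonates a trusted domain) or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    skel = skeleton(domain)
    if any(skel == skeleton(t) for t in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, including the spoof from the article.
    for hdr in ("Office 365 <alerts@office365.com>",
                "Office 365 <alerts@0ffic∃365.com>",
                "IT Support <it@cont0so.com>",
                "Bob <bob@example.org>"):
        print(f"{classify_sender(hdr):9}  {hdr}")
```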
Training is great, and it does have measurable effects on BEC – but it doesn’t cancel it out entirely. A Lithuanian man recently confessed to stealing over $123 million via BEC. His victims were Facebook and Google, two of the most well-capitalized companies in the world. What can your organization do in terms of training and technology that theirs couldn’t?
Find Out How to Derail BEC at the NexusTek Webinar
Join experts from NexusTek and Barracuda Networks on August 6, 2019, as we talk about the best and latest strategies for defeating scammers in your email inbox. Advanced technologies such as AI and machine learning may have a better chance at noticing the signs of BEC than your own employees.
Don’t let the next big fraud happen to you – sign up for our webinar today!