Posted on Monday, January 14, 2019 in CybersecurityBlog written by Rob Swenson
Email is the initial weapon of choice for a lot of cybercriminals. It’s a cheap, easy and low-risk way for a thief to get an initial introduction to a business.
Often, there’s no malware to sneak through a security screen, just a deceitful message designed to trick a receiver into providing useful information or maybe even a payout.
SonicWall, an internet security company based in California, described the phishing strategy well in a 2018 post:
“For cybercriminals, there is no need to invest in highly sophisticated and evasive malware. Instead, they engage in extensive social engineering activities to gain information on their potential targets and craft personalized messages.”
Scam messages directed at business employees have become so common that there’s now a classification for them: Business Email Compromise, or BEC for short.
EAC is another abbreviation sometimes used by law enforcement officials and security professionals and stands for Email Account Compromise.
The FBI reports that between October 2013 and May 2018 there were nearly 80,000 BEC/EAC incidents reported to law enforcement agencies. The exposed dollar loss, domestically and internationally, was more than $12.5 billion.
More than 41,000 victims were from the United States with a combined loss exposure of $2.9 billion.
Victims say their spoofed e-mails often include instructions to change the payment type and/or the payment location. Then funds are usually directed to a fraudulent account.
Parties involved in real estate transactions are especially popular targets and the FBI says data suggests that’s rising. From 2015 to 2017, victims’ reports increased by more than 1,100 percent. Monetary losses increased 2,200 percent.
Protect & Defend
“The best defense is to verify all requests for a change in payment type and/or location,” the FBI advises.
Beware of transaction conversations conducted exclusively through email. Verify information through another means such as the telephone. Legitimate parties to a transaction can help protect themselves from fraudulent phone conversations early on by establishing code phrases known only to trusted parties.
SonicWall advises organizations to protect themselves by deploying email validation protocols designed to help detect and stop spoofed emails. Businesses also should take steps such as requiring employees to make regular password changes, establishing approval processes for wire transfers and providing awareness training for employees.
Cybersecurity experts at SDN Communications add that if an employee is worried about a possible malicious email, he or she should “call, don’t click.” Call the suspect organization directly to verify any significant request before clicking on an email link or otherwise responding to a request. Of course, they should independently verify the phone number themselves, not just call a number that a possible fraudster might have provided.
There are visual precautions that business employees can take, too.
To reach a lot of potential targets with their fake emails, attackers tend to spoof the identities of large organizations. Phishing emails are likely to encourage prompt action, and because many of the messages originate from outside the United States, the text might seem awkwardly phrased or maybe even contain grammatical errors.
The recipients are likely to be addressed in vague terms rather than by name. Recipients should hover their cursor over embedded links to see the true address or URL. But, again, “call, don’t click.”
SDN has a wall poster, called “The Anatomy of a Phishing Email,” that can help a company’s employees spot common traits in malicious emails. Click to request a free download of the poster to print for your business.
For information about broadband connectivity or cybersecurity services offered to businesses by SDN, visit the What We Do section of the website or call 800-247-1442.