You get an email from your CEO: She’s out of the office on business, but asks for $10,000 to be transferred to an account. You know a deal is in the works, so you approve the transfer. In an instant, you’re the goat of the company because you’ve been scammed and the money is gone forever. It turns out a fraudster sent the email. Hard to believe?
Not at all. This sort of thing is happening more and more these days. And we’re seeing it with our own eyes!
“Business Email Compromise” or BEC accounted for more than $1.2 billion stolen between October 2013 and August 2015 alone, the FBI reports. BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
I know this scenario sounds unlikely, but we’ve seen it happen, along with countless other types of phishing attacks, over and over again. When it comes to phishing, technology rarely matters. The deception focuses on the exploitation of human frailties.
BEC succeeds, in part, because everyone, from executives to interns, has a conditioned belief that emails in their work inbox are safe and that they inherently need to respond to such correspondence. If the message seems to come from a co-worker or another known source, users assume it's trustworthy. The traditional advice of simply not opening messages from strangers still holds true. But as fake messages from known names increase, that alone simply isn’t enough.
The reason is simple: the sophistication of phishing emails continues to improve. Instead of low-res company logos, fraudulent messages now include high-res images, and their grammar (once an easy signal that an email was fake) now rivals that of the most professional communications.
Phishing attacks also exploit common business tools. Outlook automatically renders a message’s HTML, so attackers will embed an object into a logo or signature picture to facilitate bots and malware — all with no clicking from the recipient.
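The rendering risk described above can be checked for on the receiving side before a message ever reaches a mailbox. The following is an added example, not code from the original post or from FPA: a small Python scanner that walks the MIME parts of a raw message and flags HTML bodies carrying content that a client like Outlook would fetch or execute on render (object, embed, iframe and script tags, remote-hosted images, tiny beacon-sized images and javascript: links). The sample message is constructed for the demo; the tag list and size thresholds are assumptions chosen for illustration, not a standard.

```python
"""Flag HTML e-mail parts that carry active or remote content.

Added example (not from the original post). The sample message below is
constructed; the tag list and beacon-size rule are illustrative choices.
"""
from email import message_from_string, policy
from html.parser import HTMLParser

# Tags that make a mail client fetch or run something simply by rendering.
ACTIVE_TAGS = {"object", "embed", "iframe", "script", "applet"}


class _RenderRiskParser(HTMLParser):
    """Collects human-readable findings while walking an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser hands us a list of (name, value) pairs
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active content: <{tag}>")
        elif tag == "img":
            src = (attrs.get("src") or "").strip()
            # A remote image is fetched on render, which tells the sender the
            # message was opened and can carry a payload in the response.
            if src.lower().startswith(("http://", "https://")):
                self.findings.append(f"remote image: {src}")
            # Zero- or one-pixel images are the classic tracking-beacon shape.
            if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
                self.findings.append("tiny image (possible beacon)")
        elif tag == "a":
            href = (attrs.get("href") or "").strip()
            if href.lower().startswith("javascript:"):
                self.findings.append("javascript: link")


def scan_html(html):
    """Return a list of findings for one HTML document (empty if clean)."""
    parser = _RenderRiskParser()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_message(raw):
    """Return findings for every text/html part of a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


# Constructed sample: a "CEO" wire request whose signature logo is a remote
# 1x1 beacon and which embeds an object that would load on render.
SAMPLE_EMAIL = """\
From: CEO <ceo@example.com>
To: finance@example.com
Subject: Urgent wire
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please wire the funds today.</p>
<img src="https://tracker.example.invalid/logo.png" width="1" height="1">
<object data="https://tracker.example.invalid/sig.swf"></object>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

A gateway or mail-filter hook would call scan_message on each inbound message and quarantine or strip the HTML part when findings are non-empty; a plain-text part of the same message scans clean because only text/html parts are inspected.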
So, how do you protect yourself and your company? Make vigilance the gold standard. You can protect your business against phishing attacks with the right strategy. These simple tips can help you defend your company’s network, intellectual property, and dollars from would-be fraudsters:
Create a secret handshake
Executives and managers can choose a specific phrase to use when approving something via email, such as a wire transfer. If the message doesn’t include that phrase, they’ll know to stop and call the colleague to confirm.
Follow up with a phone call
Always confirm any transaction verbally. And not with the caller calling in (i.e. vishing), but with you calling out, to a number you know to be real.
Add a layer of threat protection
Programs such as Cisco Umbrella give your business a way to help prevent some phishing, as well as visibility into the types of phishing attacks your business is being exposed to. Leaders can use this information to focus training efforts.
Ongoing education is key
As a piece of their security posture, businesses should have a robust, and ongoing, anti-phishing education program in place. Users must realize the severity of phishing, understand the impacts, and be knowledgeable enough to navigate the waters on a daily basis. Some users believe they play such a minor role in a company that hackers won’t target them. This attitude opens back doors to fraudsters, providing another example of why successful anti-phishing strategies focus on humans rather than technology.
Keeping email safe is only one piece of the security puzzle. Learn how FPA can help you determine your business’ specific security vulnerabilities through a Technology Security Assessment.
Also, please let us know your thoughts or share your suggestions in the Comments box below.