Business email compromise is a lucrative business
Business email compromise (BEC) attacks do not only happen because of phishing. Many compromises happen through human error on the victim’s part combined with loose security controls, which gives a hacker access to company and personal information. Some attacks target specific corporate executives or high-ranking public officials. Cybercriminals use a compromised email address to deceive victims into making false payments or to manipulate workflows. BEC targets all types of small businesses, including charities and sporting clubs.
The most common cause is a lack of password controls, or users simply picking a basic password. Without a second form of authentication (2FA), there is nothing to stop a guessed or stolen password being used against that user.
Emails look legitimate
The most common form of BEC uses a legitimate email address belonging to the company. The attackers send customers messages saying the company’s banking details have changed, and give new account details for people to use when paying their invoices. This diverts invoice payments away from the company into the hacker’s own account. Some even break into email networks to change the banking details on invoices.
Another common practice is emailing the finance department while masquerading as the CEO. These messages direct staff to move funds into another account, supposedly to pay expenses such as salaries and rent.
Cybercrime pays big bucks
BEC is growing in both financial impact and number of attacks, and is expected to continue to grow in 2019. According to the Australian Government, businesses lost more than $20 million to BEC in 2016 and 2017. With around 2000 BEC attacks reported, this figure may be only a small proportion of the true total because of underreporting. Some businesses lose up to $100,000 per incident before they realise something is wrong.
Security experts say BEC cyber-crime is out of control because it is hard to detect until it is too late. BEC offers hackers a better return on their investment than other forms of scam. These days hackers do not even need to break into email networks themselves: they can buy access to compromised email accounts on the dark web and use them to run BEC attacks.
Protecting against business email compromise attacks
A good firewall, and clients who check for changes to bank details, are a good start, but strong password protocols are just as important. Two-factor authentication is often the best defence against online cyber threats.
It is essential that businesses educate staff on using strong passwords. Passwords should be unique and include numbers and symbols; a password manager makes this practical.
The best defence is to build a phone call into the payment process. Have clients ring to confirm bank details before transferring large payments. This may be difficult for large organisations, but it will protect against BEC attacks.
Corporate inboxes that reuse passwords and lack a second form of authentication are at risk of attack. Get advice from professional IT specialists to ensure your email network is secure against hackers.
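The phone-call control described above, as an added example that is not part of the original post: a payment-approval check in Python that holds any invoice whose bank details differ from the vendor master record (or any large payment) until a finance officer has confirmed the details by ringing the phone number recorded at onboarding, never a number taken from the email. The vendor, invoice, amounts and phone numbers are constructed sample data; the 7-day validity window and the $10,000 threshold are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class BankDetails:
    bsb: str        # branch code as printed on the invoice
    account: str

@dataclass
class VendorRecord:
    bank: BankDetails
    phone_on_file: str  # recorded at onboarding, never taken from an email

@dataclass
class Invoice:
    vendor: str
    amount: float
    bank: BankDetails   # details printed on the invoice or in the email

@dataclass
class Callback:
    vendor: str
    number_dialled: str  # the number the finance officer actually rang
    confirmed: BankDetails
    days_ago: int

def approve_payment(invoice: Invoice, master: Dict[str, VendorRecord], calls: List[Callback],
                    large_payment: float = 10_000.0, max_age_days: int = 7) -> Tuple[bool, str]:
    """Decide whether a payment may proceed; returns (approved, reason)."""
    record = master.get(invoice.vendor)
    if record is None:
        return False, "unknown vendor: onboard through the normal process first"
    changed = invoice.bank != record.bank
    if not changed and invoice.amount < large_payment:
        return True, "bank details match vendor master"
    why = "changed bank details" if changed else "large payment"
    # Only a recent call to the number on file counts: a number supplied in the
    # email requesting the change would simply reach the fraudster.
    if any(c.vendor == invoice.vendor and c.number_dialled == record.phone_on_file
           and c.confirmed == invoice.bank and c.days_ago <= max_age_days for c in calls):
        return True, f"{why} confirmed by phone on the number on file"
    return False, f"{why}: hold until confirmed by phone on the number on file"

# Constructed sample: a known vendor, and an invoice that carries new bank details.
MASTER = {"Acme Supplies": VendorRecord(BankDetails("123-456", "11111111"), "+61 2 0000 0000")}
INVOICE = Invoice("Acme Supplies", 4_500.0, BankDetails("999-000", "22222222"))
CALL_TO_NUMBER_ON_FILE = Callback("Acme Supplies", "+61 2 0000 0000", INVOICE.bank, days_ago=1)
CALL_TO_NUMBER_IN_EMAIL = Callback("Acme Supplies", "+61 2 9999 9999", INVOICE.bank, days_ago=1)
print(approve_payment(INVOICE, MASTER, [CALL_TO_NUMBER_ON_FILE]))
```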
Enabling your business to grow efficiently and effectively – we’re the Rightsize for you.
Small businesses struggle to budget their IT operation and often spend inefficiently, with a poor return on their investment. Rightsize Technology understands this: as a dedicated outside IT department for our clients, we deliver a minimum 30% reduction in IT overheads. Our unlimited 24×7 support, both on and off site, increases their business productivity and capacity, enabling their business to grow efficiently and effectively – we’re the Rightsize for growing small businesses. Talk to our team today for more information.