It’s well documented that cyber threats and attacks tend to rise around the holidays. People are busy, they get distracted, and cyber thieves know that.
We’re likely to see that in the coming weeks, for sure, especially with a specific type of business cyberattack known as “wire transfer fraud,” or as the FBI calls it, “business email compromise” or “BEC.”
BEC is a pretty straightforward scam: cyber criminals send an email to a company’s accounting or finance employee pretending to be the CEO or other high-level executive. The email requests that a wire transfer be made – allegedly for business purposes – and when that transfer is completed, the company finds out the unwitting employee sent the money to an account in a foreign country where it’s difficult, if not impossible, to retrieve. Ubiquiti Networks was swindled out of almost $47 million through just such a BEC attack; and, more recently, Leoni AG lost €40m after a company CFO unwittingly transferred funds to a hacker’s bank account. (Sources: CIO Magazine, “How to Prevent CEO Fraud,” by Chris Carroll, October 27, 2016; International Business Times, “Cable giants Leoni AG lose €40m after CFO transfers funds to hacker’s bank account,” by Mary-Ann Russon, September 2, 2016).
What’s different these days with BEC attacks from previous years is the level of sophistication and social engineering that goes into them, helping thieves to appear more legitimate even to a discerning employee (the Leoni AG attackers knew which of the four factories were authorized to make wire transfers). These tactics have helped cybercriminals create a serious threat to business, stealing more than $3 billion from domestic and international victims. (Source: TrendMicro, “BEC Scams Amount to $3 billion According to Latest FBI PSA,” June 16, 2016).
The good news for businesses and organizations of all sizes is that, for the most part, these attacks are avoidable. Here are three easy steps to take to help you, your business and your employees resist BEC:
1. Educate. The most important thing you can do is educate and inform your team, especially your accounting folks, about this cyberthreat. “Educate executives and your finance team about CEO fraud, and implement training programs around privacy and security. Employees must be vigilant about responding to requests for money transfers or confidential information.” (Source: CIO Magazine).
2. Authenticate. Utilize multi-factor authentication (MFA), “especially [with] financial applications, [ ] so users must confirm their identity when initiating a wire transfer…MFA, which requires multiple methods for identification, is one of the best ways to prevent CEO fraud.” (Source: Id).
3. Create. Empower your IT professionals to be innovative and create technical solutions, for email and otherwise, to help you and your company defend against BEC. “The FBI recommends that security teams create system rules that flag e-mails with extensions that are similar to the company’s. For example, while an e-mail from abc_company.com can be legitimate, the system would flag a similar looking, fraudulent e-mail from abc-company.com.” (Source: Id).
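The “flag look-alike sender domains” rule in step 3 is easy to prototype. The following is an added example written for this post, not code from the FBI, CIO Magazine or any mail-filtering product. It assumes a single legitimate company domain, abc_company.com, and the sample From: headers in it are constructed. It treats a sender as a look-alike when its domain, after folding common character swaps (0 for o, rn for m, and so on) and dropping separators, is within one edit of the company domain, or when it contains the company domain as a prefix of a longer domain (abc_company.com.evil.net). Genuine subdomains of the company domain are treated as internal.

```python
"""Flag inbound senders whose domain resembles, but is not, the company's own domain.

Added example for the "create system rules that flag e-mails with extensions similar
to the company's" recommendation; the company domain and sample headers are constructed.
"""
import re
from email.utils import parseaddr

# Constructed: the organisation's legitimate sending domain(s).
COMPANY_DOMAINS = {"abc_company.com"}

# Digits and letter pairs commonly swapped in to imitate a real domain name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lower-case, fold look-alike characters and drop '-', '_' and '.' so that
    'abc-company.com', 'abc_c0mpany.com' and 'abc_cornpany.com' all compare equal."""
    d = domain.lower().translate(HOMOGLYPHS)
    d = d.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[-_.]", "", d)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; O(len(a) * len(b)) is fine for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'Jane <jane@abc-company.com>'; '' if unparseable."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def classify(from_header: str, company_domains=COMPANY_DOMAINS, max_distance: int = 1) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    for legit in company_domains:
        # Exact match or a real subdomain of the company domain is internal mail.
        if domain == legit or domain.endswith("." + legit):
            return "internal"
    norm = normalize(domain)
    for legit in company_domains:
        legit_norm = normalize(legit)
        # Company domain embedded in a longer one, or within one edit of it.
        if legit_norm in norm or edit_distance(norm, legit_norm) <= max_distance:
            return "lookalike"
    return "external"


def flag_lookalikes(from_headers):
    """Return the (header, domain) pairs a finance-mailbox rule should hold for review."""
    return [(h, sender_domain(h)) for h in from_headers if classify(h) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "CEO <ceo@abc_company.com>",
        "CEO <ceo@abc-company.com>",
        "CEO <ceo@abc_cornpany.com>",
        "Accounts <ap@abc_company.com.evil.net>",
        "Vendor <billing@example.com>",
    ]
    for header, domain in flag_lookalikes(samples):
        print(f"HOLD FOR REVIEW: {header!r} (look-alike domain {domain})")
```

Run on a real mail stream, a rule like this should hold or tag the message for review rather than silently drop it, so that a finance employee sees the flag before acting on a transfer request.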
For a longer list of actions you can take to fend off BEC, check out the CIO Magazine article cited above.
The holidays will no doubt bring an increase in cyberattacks as criminals count on you and your employees to be distracted. Fight them off by paying extra attention to your emails and the requests that come through, and by educating, informing and even rewarding your employees for suiting up and helping out to stop BEC before it gets started.