Phishing has caused $2.4 billion worth of losses to businesses. An attack is carried out by sending emails that pretend to come from someone else.
One of the least technically sophisticated cyber attacks, Business Email Compromise (BEC), can also be among the most damaging. According to the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), there were 241,206 BEC incidents between 2016 and 2021, resulting in $2.4 billion worth of losses.
The low-technology, social-engineering approach used to create and run BEC campaigns makes them hard to detect. BECs rarely employ the malicious links or malware-infected documents that traditional security products such as anti-malware, intrusion prevention systems, and secure email gateways are built to look for.
Instead, threat actors use highly targeted phishing emails to impersonate a legitimate business entity. The goal is to persuade the target that the attackers’ emails come from a trusted sender, whether someone within the company, a supplier, or a partner. The attackers then exploit that trust to commit fraud against their targets.
CEO fraud: An attack in which an unauthorized person uses a position of authority within the company to steal funds from the business.
Account compromise: An attacker hacks into an employee’s account and uses it to request payment for fraudulent services from fake companies.
Invoice fraud: An attacker steals your company’s credit card numbers and uses them to purchase goods from vendors who do not know the cards have been compromised. The goods are shipped to the attackers’ own warehouses and resold at inflated prices. The scheme is grouped under BEC (Business Email Compromise) because the victims are usually small business owners who lose thousands of dollars.
Impersonating an employee: An attacker poses as an employee of a business and claims to need access to sensitive corporate information. For example, an attacker might send an email claiming to represent a bank and asking for a wire payment.
</grenumerate_replace>
<gr_replace lines="9" cat="clarify" orig="Targeting employees">
Targeting employees through email is especially effective because, in many cases, attackers have invested considerable time and effort into making their fake emails look genuine. While traditional phishing achieves an employee click-through rate of approximately 2.9%, spear phishing emails aimed at specific individuals have a success rate of roughly 70%.
A Business Email Compromise (BEC) is when an attacker compromises a business’s email system to steal confidential company documents and intellectual property.
Targeting employees through email is especially effective because, in many instances, attackers have invested considerable time and effort into making their fake emails appear very real. While traditional phishers only have an employee click-through rate of approximately 2.9%, targeting specific individuals through spear phishing emails has a success rate of roughly 70%.
Phishing Attacks Are Successful Because They Work
The most notorious attacks of this kind targeted Facebook and Google from 2013 through 2015, costing them $123 million. To pull off the scam, the attackers registered a fake Latvian company named “Quanta Computers,” the same name as the Taiwanese manufacturer from which Facebook and Google had bought servers. They then sent bogus invoices and legal documents to convince Facebook and Google that they owed payment for services rendered. Once the companies paid, the attackers withdrew the money from the bank accounts they controlled.
A technology company, Ubiquiti Networks, has suffered losses totaling $46.7 million since August 2015 due to phishing attacks.
BECs have been well known to security researchers and companies since they were first identified. Even so, after years of research into BECs, some companies still lose millions of dollars to them.
A combination of low-technology methods and patient research sets BEC apart from other attacks. BEC actors spend anywhere from several days to several months researching their targets and planning the best time and method for an approach, sometimes using a significant business agreement to inject a sense of urgency into the situation.
An attack begins when an intruder gains access to a computer system by exploiting a vulnerability in software installed on the system.
An attack may be carried out by sending emails that pretend to come from someone else’s address. Alternatively, the attack may involve stealing the credentials of accounts belonging to people who work at the company. Once the attacker has gained access to these accounts, they can use them to send messages to employees under the account owners’ names. Such messages appear to come directly from the CEO or CFO, but they are actually coming from the attacker.
Once the attacker has convinced the victim that they are dealing with a legitimate business, the attacker sends the victim a fraudulent wire transfer request or similar payment instructions.
Businesses are increasingly turning to remote working methods to combat the growing number of cyberattacks. However, these methods bring their own challenges, including security concerns. Phishing attacks, for example, are one of the most significant risks businesses face today.
Phishing scams often mimic legitimate emails from trusted sources, tricking employees into giving out sensitive data or clicking malicious links. Because remote workers cannot physically see what their colleagues are doing, they can easily fall victim to a phishing scam if they are not careful. Ensure you have implemented proper security measures to help protect your business against these threats.
Low-technology security measures can be used to prevent cyberattacks. For example, organizations can use low-technology versions of multi-factor authentication.
How To Prevent Email Attacks
Company policies should prohibit employees from acting on account and address change requests received by email without first verifying them by telephone. In addition, executives should always check the sender of an incoming message before opening it.
Employees should be careful when sharing personal details about themselves and their jobs on social media. Executives must not leave sensitive company documents where someone could easily access them. In addition, executives need to be vigilant about anything that might suggest someone else has gained unauthorized access to their credentials.
Finally, anti-spam solutions use techniques such as machine learning and sender and recipient address mismatch detection to flag messages that may indicate a business email compromise (BEC) attack.
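As an added example (not from the original article), the following Python checks implement the header heuristics described above: a known executive’s display name on an outside address, a Reply-To that redirects replies off the sender’s domain, a lookalike of a known supplier domain, and payment urgency in the subject. The organisation domain, executive list, partner domain, and sample messages are all constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                        # constructed
EXECUTIVES = {"pat lee": "pat.lee@example.com"}   # constructed: display name -> real address
PARTNER_DOMAINS = {"quantasupplier.example"}       # constructed: known supplier domain


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _core(domain: str) -> str:
    # Keep only the letters of the first label, so "quanta-supplier.co"
    # normalises to the same core as "quantasupplier.example".
    return re.sub(r"[^a-z]", "", domain.split(".")[0].lower())


def bec_indicators(raw: str) -> list:
    """Return the BEC indicators found in one message's header block."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    found = []
    # 1. Display name of a known executive, but not that executive's address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        found.append("display-name spoof")
    # 2. Reply-To sends replies to a different domain than the From address.
    if reply and _domain(reply) != _domain(addr):
        found.append("reply-to mismatch")
    # 3. Sender domain resembles, but is not, a known partner domain.
    d = _domain(addr)
    if d and d != ORG_DOMAIN and d not in PARTNER_DOMAINS:
        if any(_core(d) == _core(p) for p in PARTNER_DOMAINS):
            found.append("lookalike partner domain")
    # 4. Payment urgency wording in the subject line.
    if re.search(r"\b(urgent|wire|invoice|payment)\b", msg.get("Subject", ""), re.I):
        found.append("payment urgency")
    return found


# Constructed sample header blocks.
SAMPLE_SPOOF = """From: Pat Lee <pat.lee@mail-example.net>
Reply-To: accounts@freemail.example
Subject: Urgent wire transfer before close of business

"""
SAMPLE_LOOKALIKE = """From: Billing <billing@quanta-supplier.co>
Subject: Revised invoice 4471

"""
SAMPLE_LEGIT = """From: Pat Lee <pat.lee@example.com>
Subject: Lunch on Thursday

"""
```

Run `bec_indicators(SAMPLE_SPOOF)` to see all three impersonation signals fire at once; the legitimate sample returns an empty list.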
BEC is so successful that it is likely to persist for years. Ensure your organization has taken steps to protect against these attacks.